Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

ya.exe

windows7-x64

10

ya.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    21/04/2024, 22:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ya.exe

  • Size

    63KB

  • MD5

    222c2d239f4c8a1d73c736c9cc712807

  • SHA1

    c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c

  • SHA256

    ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d

  • SHA512

    1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

  • SSDEEP

    1536:tJc/5q1qoR5PDdAZcIED4VuCkbFybjQ9f0jQRmONww+W:7c/iqoJekbFEQ9W+mONP+W

Score
10/10
xwormpersistenceransomwarerattrojan

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:23638

209.25.140.1:5525:23638

bring-recorder.gl.at.ply.gg:23638

action-yesterday.gl.at.ply.gg:23638

147.185.221.19:23638

then-wheel.gl.at.ply.gg::23638

then-wheel.gl.at.ply.gg:23638

teen-modes.gl.at.ply.gg:23638
Attributes
  • Install_directory

    %LocalAppData%

  • install_file

    uwumonster.exe

Signatures

  • Detect Xworm Payload 4 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
    adwarespyware
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\ya.exe
    "C:\Users\Admin\AppData\Local\Temp\ya.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Sets desktop wallpaper using registry
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1624
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
      2⤵
      • Creates scheduled task(s)
      PID:1612
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\How To Decrypt My Files.html
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2904
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2904 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1984
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {C8D51DBA-46DE-4E45-8DAE-DBE7BBEE81AA} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1464
    • C:\Users\Admin\AppData\Local\uwumonster.exe
      C:\Users\Admin\AppData\Local\uwumonster.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2392
    • C:\Users\Admin\AppData\Local\uwumonster.exe
      C:\Users\Admin\AppData\Local\uwumonster.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1772

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize

    68KB

    MD5

    29f65ba8e88c063813cc50a4ea544e93

    SHA1

    05a7040d5c127e68c25d81cc51271ffb8bef3568

    SHA256

    1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

    SHA512

    e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    00f7972fca970eb9a1e2a27c10355722

    SHA1

    328608b030987589566f642afe1810e02c1024e7

    SHA256

    e9630a572c5a46629142ebd26a4cf0e5df7687e11cbc4fa4a4b6cddd80c618c5

    SHA512

    0f05e11668fcd04d9b29b4bcbb3e099b0a29205a0a4c77b5255f5865c61911f708ba1073183de27f9776d6070a1f44b5e32c47903f3de8364babfc21e2fa7a65

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    0e3c058e5bd780ba8130a1db43ec67cb

    SHA1

    a41699ac3efdf9efe5822a74bd6bb352ede03a9d

    SHA256

    df4d8b70c3c5457dd10d33ec522c90ad3ad95637bd0ea7b09e0516feddb66377

    SHA512

    0174c94174f81548f4e2b57a46fa5f7ae1c4fb4f16cdcba1e63ad3e7411b90cc451fbff7cadd61fbd743685ed4248e87ffd9cf994ca9baee79f1c5596daa8640

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    704eb5109f6fbc8a5c190c596af7e77a

    SHA1

    59e90658e8fb65b0d7c7c96e2bd67573286dc12e

    SHA256

    b1b2bc430e5b6b3c60052fda104821b7a254ba511b91188a968185adffccaffa

    SHA512

    970bae0aae9a57474c4e2430403e88c3f8454afa84eabd0f6046c520299bcc83a3a08395f88596499ef905591ca479d23f14f0a60a356939c7a352710966025f

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    2b2bc30b19a757538849475cf44067ef

    SHA1

    cae09299e5914a4ae41d5ba9d9d23aa1a89fe165

    SHA256

    f791585557fc0140ee38032ec8637bdaa880443ed3c34fe316f10beaf90d5f43

    SHA512

    eaeb52c124e12a58bcb9f761fcfc8d9a694af4da152fc08e11b8f0a717f8b1401cb6ed3492d2aade00ea25263e97fc17357f68d375cb8b9de1a45b028494a4a6

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    acb688e9d7a981a948c7b2e18aab0503

    SHA1

    0a72912a10eafb64e51fbe9e81c0dcd0cecc4ac0

    SHA256

    754556403cb1b4ed5e17bb05428f1dc4d1877ccc4821a7a113dfa0b64948822d

    SHA512

    7398b52ed5caebaa98dd0b08ab09a15bf5bb753da3fc331d03ebd49310370b022252346382339881f0b3ceabb982608c612dca2e3420d17d1642188b7e55c134

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    c8873b10cf7f24b8ae1ae9257516d32e

    SHA1

    088c0a67d5434019f7f0c12ab018ad6367666e5d

    SHA256

    9bad17e4d3cde3797a5e4feefbe13d3f2d137ff38ec1dbdd33d32567d1254d86

    SHA512

    4a59e751c4296e8596c69e7c2dd1fc7554af98534b75087c6a5f9d4175c6edfc1f615e9f6286154cd47c2b6d96c9cf345e3fef40b7def9c56401926577927b97

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    7e711fd9d32bf09a8b0299e7af70a8da

    SHA1

    b80507789155a417044b543f7535a161859860b3

    SHA256

    cb1b4ac17ca7d47beba08f1196548985bba3169cbc5aeb5d303f5ea1c6e4d58e

    SHA512

    12aafa3bcb26669f4bd924f611b17dbe203530f3600c1d1576ef4d18e4baa28b5ac024b03de9d8ab76f681345ad0499cb56d2ca106014bd0a8466da0eeffd9d1

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    51d6cde88c444e62e13fd2a821d3cb41

    SHA1

    6d42058bfebb6ba6953ca1f4cdeda616bd2ae8dc

    SHA256

    662c0db8b28772ffae8f64d023e64c564f473be8d2ccf6f7e582417ad7e05b7d

    SHA512

    6c14268a569af87a645a6691fcf9e4d731986575e0d1a2a48e8d6b1f3d995096af09d5438a7bf74bd973a04c6a5d069d8d95483bb76aad727f678173462373e3

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    8c3d056a78d99493d1fb2d2a06f56da1

    SHA1

    a8bc48af920d7f1d61c41a34c38d6d555a4e86b3

    SHA256

    345ba01ac13ea48c10cf99ba58a2fc0007b5c788f61b9ba25313fe02aaddb488

    SHA512

    bdf1c7315c4745e0c4166b8cc77224aec1894360d9b02f7020f0e8c56f048baf3973663104e2e3230cd7321812a33c1f6919d6ce08fac77e18270e0caec75c4a

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    4ab4f093c7718a4b8da663ab1d246eef

    SHA1

    4d4e46c80316559787484ec4b6fa55692523e223

    SHA256

    041497005ba12d0550305a08413b58b3353155626e2c3de4264caa275845bbe7

    SHA512

    94b6f058338eca2ca3026b1a51f033aa3426b253116b0b2d6f26f6f3d819935cf5767cc628a179bd52721841efc51c11e098e9b20f9f09b2f59c034ba8608425

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    cfb3c40e1b803924ff2b8bfd2db98ef8

    SHA1

    3419ef727128006c7fb9b39585bd6e2d2ccc4c2e

    SHA256

    d2b455e6760d1389a769695da1c09891fba569518b30fa12de4a29c438f772d8

    SHA512

    0723784d97bcb5811213bd76b55ce9146083bf6a244fdfd74f1768711ea5bf2dd8e9cd9c343884d5c043dd89fc1ec0d3dfe9fbeb63d42be02e5f072f7262a454

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Cab6682.tmp
    Filesize

    65KB

    MD5

    ac05d27423a85adc1622c714f2cb6184

    SHA1

    b0fe2b1abddb97837ea0195be70ab2ff14d43198

    SHA256

    c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

    SHA512

    6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tar67B3.tmp
    Filesize

    177KB

    MD5

    435a9ac180383f9fa094131b173a2f7b

    SHA1

    76944ea657a9db94f9a4bef38f88c46ed4166983

    SHA256

    67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

    SHA512

    1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

    Download Submit

  • C:\Users\Admin\AppData\Local\uwumonster.exe
    Filesize

    63KB

    MD5

    222c2d239f4c8a1d73c736c9cc712807

    SHA1

    c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c

    SHA256

    ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d

    SHA512

    1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

    Download Submit

  • C:\Users\Admin\Desktop\How To Decrypt My Files.html
    Filesize

    639B

    MD5

    d2dbbc3383add4cbd9ba8e1e35872552

    SHA1

    020abbc821b2fe22c4b2a89d413d382e48770b6f

    SHA256

    5ca82cbc4d582a4a425ae328ad12fd198095e2854f4f87b27a4b09e91173a3be

    SHA512

    bb5e1bbf28c10c077644136b98d8d02bfec3b3e49c0829b4d4570b30e0aea0276eb748f749a491587a5e70141a7653be1d03c463a22e44efecde2e5a6c6e5e66

    Download Submit

  • C:\Users\Admin\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms.ENC
    Filesize

    16B

    MD5

    fa4c32288e02e9af7c11efeede5ac423

    SHA1

    dfba78ee5e72b9b613365fcea4f48e7ddda25941

    SHA256

    44d8be36b726e85ebe160ee8770e1e1c1b7c676084c96fec08cb33bce785d96f

    SHA512

    1b4a145d6a29c8e04687282375e44ec17d944c98f231622660647633a2a5c2aaeca0cecfc93e510f1cb18a1561c56105b1c281340ae9f98145030e4bc65f1503

    Download Submit

  • memory/1624-0-0x0000000000A00000-0x0000000000A16000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1624-20-0x0000000001FD0000-0x0000000001FDC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/1624-19-0x0000000001FC0000-0x0000000001FCC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/1624-8-0x000000001B190000-0x000000001B210000-memory.dmp

    Filesize

    512KB

    Download

  • memory/1624-7-0x000007FEF5C40000-0x000007FEF662C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1624-6-0x000000001B190000-0x000000001B210000-memory.dmp

    Filesize

    512KB

    Download

  • memory/1624-1-0x000007FEF5C40000-0x000007FEF662C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1772-66-0x000007FEF5C40000-0x000007FEF662C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1772-18-0x000007FEF5C40000-0x000007FEF662C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1772-17-0x00000000002F0000-0x0000000000306000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2392-14-0x000007FEF5C40000-0x000007FEF662C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2392-13-0x000007FEF5C40000-0x000007FEF662C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2392-12-0x00000000008E0000-0x00000000008F6000-memory.dmp

    Filesize

    88KB

    Download