Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 148s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240419-en
- resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
- submitted: 03/05/2024, 04:23
- Static task: static1
- Behavioral task: behavioral1
- Sample: 66bc491ac60ff2af35a6b35984b68b5054b8f70b30c1b9e07d1c4e3163fdf767.exe
- Resource: win7-20240419-en
General
- Target: 66bc491ac60ff2af35a6b35984b68b5054b8f70b30c1b9e07d1c4e3163fdf767.exe
- Size: 535KB
- MD5: 11484da8db8f1bbeaff9b8b4b7387e7d
- SHA1: 8604e6082a89f9731beba669de3520788dd70d6a
- SHA256: 66bc491ac60ff2af35a6b35984b68b5054b8f70b30c1b9e07d1c4e3163fdf767
- SHA512: 54fabcf2e5e10c73eff2552b1390e849d385b174995eb0dee5c71c8d8395cd58bc89c8eaa78f73dad8e0f95048f951fb24e0e06877ec5be6738af28b730d7f53
- SSDEEP: 6144:MoEjg84W5xNSuIdNqqS+lsrKAe3Y8l/v:QgE5xwuIKp+N
Malware Config
Extracted: xworm
- your-purchasing.gl.at.ply.gg:35731
- logo-active.gl.at.ply.gg:25835
- Install_directory: %AppData%
- install_file: System.exe
Signatures
- Detect Xworm Payload (7 IoCs)
  resource: yara_rule
  - behavioral1/files/0x000b00000001226e-5.dat: family_xworm
  - behavioral1/files/0x0008000000015c91-15.dat: family_xworm
  - behavioral1/memory/1908-19-0x0000000001280000-0x0000000001296000-memory.dmp: family_xworm
  - behavioral1/memory/2796-17-0x0000000000E10000-0x0000000000E26000-memory.dmp: family_xworm
  - behavioral1/memory/1692-74-0x00000000013D0000-0x00000000013E6000-memory.dmp: family_xworm
  - behavioral1/memory/2784-77-0x0000000000800000-0x0000000000816000-memory.dmp: family_xworm
  - behavioral1/memory/996-80-0x0000000000B90000-0x0000000000BA6000-memory.dmp: family_xworm
- Command and Scripting Interpreter: PowerShell (1 TTP, 8 IoCs)
  Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid / Process: 2588 powershell.exe; 2436 powershell.exe; 1012 powershell.exe; 2412 powershell.exe; 1412 powershell.exe; 1824 powershell.exe; 2212 powershell.exe; 2576 powershell.exe
- Executes dropped EXE (7 IoCs)
  pid / Process: 1908 System.exe; 1232 abobus.exe; 2796 svchost.exe; 1692 System.exe; 2784 svchost.exe; 996 svchost.exe; 1836 System.exe
- Loads dropped DLL (2 IoCs)
  pid / Process: 992 66bc491ac60ff2af35a6b35984b68b5054b8f70b30c1b9e07d1c4e3163fdf767.exe; 2780 Process not Found
- Adds Run key to start application (2 TTPs, 2 IoCs)
  - Set value (str): \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Users\\Admin\\AppData\\Roaming\\System.exe" (Process: System.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" (Process: svchost.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid / Process: 1072 schtasks.exe; 2180 schtasks.exe
- Enumerates processes with tasklist (1 TTP, 1 IoC)
  pid / Process: 236 tasklist.exe
- Runs ping.exe (1 TTP, 9 IoCs)
  pid / Process: 2860 PING.EXE; 2892 PING.EXE; 1584 PING.EXE; 296 PING.EXE; 940 PING.EXE; 2248 PING.EXE; 3068 PING.EXE; 2504 PING.EXE; 956 PING.EXE
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid / Process: 2576 powershell.exe; 2588 powershell.exe; 2436 powershell.exe; 1012 powershell.exe; 2412 powershell.exe; 1412 powershell.exe; 2212 powershell.exe; 1824 powershell.exe; 1908 System.exe; 2796 svchost.exe
- Suspicious use of AdjustPrivilegeToken (17 IoCs)
  Token: SeDebugPrivilege; pid / Process: 1908 System.exe; 2796 svchost.exe; 2576 powershell.exe; 2588 powershell.exe; 2436 powershell.exe; 1012 powershell.exe; 2412 powershell.exe; 1412 powershell.exe; 2212 powershell.exe; 1824 powershell.exe; 1908 System.exe; 2796 svchost.exe; 236 tasklist.exe; 1692 System.exe; 2784 svchost.exe; 1836 System.exe; 996 svchost.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid / Process: 1908 System.exe; 2796 svchost.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\66bc491ac60ff2af35a6b35984b68b5054b8f70b30c1b9e07d1c4e3163fdf767.exe (PID 992)
  cmd: "C:\Users\Admin\AppData\Local\Temp\66bc491ac60ff2af35a6b35984b68b5054b8f70b30c1b9e07d1c4e3163fdf767.exe"
  signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\System.exe (PID 1908)
    cmd: "C:\Users\Admin\AppData\Local\Temp\System.exe"
    signatures: Executes dropped EXE; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2576)
      cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\System.exe'
      signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1012)
      cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System.exe'
      signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1412)
      cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\System.exe'
      signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2212)
      cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System.exe'
      signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\System32\schtasks.exe (PID 2180)
      cmd: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System" /tr "C:\Users\Admin\AppData\Roaming\System.exe"
      signatures: Creates scheduled task(s)
  - [2] C:\Users\Admin\AppData\Local\Temp\abobus.exe (PID 1232)
    cmd: "C:\Users\Admin\AppData\Local\Temp\abobus.exe"
    signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\cmd.exe (PID 2788)
      cmd: "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\1851.tmp\1852.tmp\1853.bat C:\Users\Admin\AppData\Local\Temp\abobus.exe"
      signatures: Suspicious use of WriteProcessMemory
      - [4] C:\Windows\system32\chcp.com (PID 2672)
        cmd: chcp 65001
      - [4] C:\Windows\system32\PING.EXE (PID 2248)
        cmd: ping -n 2 127.0.0.1
        signatures: Runs ping.exe
      - [4] C:\Windows\system32\PING.EXE (PID 3068)
        cmd: ping -n 2 127.0.0.1
        signatures: Runs ping.exe
      - [4] C:\Windows\system32\PING.EXE (PID 2504)
        cmd: ping -n 2 127.0.0.1
        signatures: Runs ping.exe
      - [4] C:\Windows\system32\PING.EXE (PID 2860)
        cmd: ping -n 2 127.0.0.1
        signatures: Runs ping.exe
      - [4] C:\Windows\system32\PING.EXE (PID 2892)
        cmd: ping -n 2 127.0.0.1
        signatures: Runs ping.exe
      - [4] C:\Windows\system32\PING.EXE (PID 1584)
        cmd: ping -n 2 127.0.0.1
        signatures: Runs ping.exe
      - [4] C:\Windows\system32\PING.EXE (PID 296)
        cmd: ping -n 2 127.0.0.1
        signatures: Runs ping.exe
      - [4] C:\Windows\system32\PING.EXE (PID 956)
        cmd: ping -n 2 127.0.0.1
        signatures: Runs ping.exe
      - [4] C:\Windows\system32\PING.EXE (PID 940)
        cmd: ping -n 2 127.0.0.1
        signatures: Runs ping.exe
      - [4] C:\Windows\system32\tasklist.exe (PID 236)
        cmd: tasklist
        signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
      - [4] C:\Windows\system32\find.exe (PID 1736)
        cmd: find /i "cs2.exe"
  - [2] C:\Users\Admin\AppData\Local\Temp\svchost.exe (PID 2796)
    cmd: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    signatures: Executes dropped EXE; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2588)
      cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svchost.exe'
      signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2436)
      cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
      signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2412)
      cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
      signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1824)
      cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
      signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\System32\schtasks.exe (PID 1072)
      cmd: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
      signatures: Creates scheduled task(s)
- [1] C:\Windows\system32\taskeng.exe (PID 2340)
  cmd: taskeng.exe {C2A4C280-7372-4544-8F2A-064F6BE3B2A5} S-1-5-21-481678230-3773327859-3495911762-1000:UIBNQNMA\Admin:Interactive:[1]
  - [2] C:\Users\Admin\AppData\Roaming\svchost.exe (PID 2784)
    cmd: C:\Users\Admin\AppData\Roaming\svchost.exe
    signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
  - [2] C:\Users\Admin\AppData\Roaming\System.exe (PID 1692)
    cmd: C:\Users\Admin\AppData\Roaming\System.exe
    signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
  - [2] C:\Users\Admin\AppData\Roaming\svchost.exe (PID 996)
    cmd: C:\Users\Admin\AppData\Roaming\svchost.exe
    signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
  - [2] C:\Users\Admin\AppData\Roaming\System.exe (PID 1836)
    cmd: C:\Users\Admin\AppData\Roaming\System.exe
    signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Scheduled Task/Job (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Scheduled Task/Job (1)
Downloads