Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
  • submitted
    03/05/2024, 04:23

General

  • Target

    66bc491ac60ff2af35a6b35984b68b5054b8f70b30c1b9e07d1c4e3163fdf767.exe

  • Size

    535KB

  • MD5

    11484da8db8f1bbeaff9b8b4b7387e7d

  • SHA1

    8604e6082a89f9731beba669de3520788dd70d6a

  • SHA256

    66bc491ac60ff2af35a6b35984b68b5054b8f70b30c1b9e07d1c4e3163fdf767

  • SHA512

    54fabcf2e5e10c73eff2552b1390e849d385b174995eb0dee5c71c8d8395cd58bc89c8eaa78f73dad8e0f95048f951fb24e0e06877ec5be6738af28b730d7f53

  • SSDEEP

    6144:MoEjg84W5xNSuIdNqqS+lsrKAe3Y8l/v:QgE5xwuIKp+N

Malware Config

Extracted

Family

xworm

C2

your-purchasing.gl.at.ply.gg:35731

logo-active.gl.at.ply.gg:25835

Both C2 hosts are playit.gg tunnel endpoints (*.gl.at.ply.gg), so they identify a relay service, not the operator's own infrastructure; blocking them is still worthwhile, but the hostnames and ports can be rotated cheaply.

Attributes
  • Install_directory

    %AppData%

  • install_file

    System.exe

Signatures

  • Detect Xworm Payload 7 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes. In this run each dropped payload excludes both its file path and its process name (Add-MpPreference -ExclusionPath / -ExclusionProcess) before registering persistence.

  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Runs ping.exe 1 TTPs 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 17 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\66bc491ac60ff2af35a6b35984b68b5054b8f70b30c1b9e07d1c4e3163fdf767.exe
    "C:\Users\Admin\AppData\Local\Temp\66bc491ac60ff2af35a6b35984b68b5054b8f70b30c1b9e07d1c4e3163fdf767.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:992
    • C:\Users\Admin\AppData\Local\Temp\System.exe
      "C:\Users\Admin\AppData\Local\Temp\System.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1908
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\System.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2576
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1012
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\System.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1412
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2212
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System" /tr "C:\Users\Admin\AppData\Roaming\System.exe"
        3⤵
        • Creates scheduled task(s)
        PID:2180
    • C:\Users\Admin\AppData\Local\Temp\abobus.exe
      "C:\Users\Admin\AppData\Local\Temp\abobus.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1232
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\1851.tmp\1852.tmp\1853.bat C:\Users\Admin\AppData\Local\Temp\abobus.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2788
          • C:\Windows\system32\chcp.com
            chcp 65001
            4⤵
            PID:2672
          • C:\Windows\system32\PING.EXE
            ping -n 2 127.0.0.1
            4⤵
            • Runs ping.exe
            PID:2248
          • C:\Windows\system32\PING.EXE
            ping -n 2 127.0.0.1
            4⤵
            • Runs ping.exe
            PID:3068
          • C:\Windows\system32\PING.EXE
            ping -n 2 127.0.0.1
            4⤵
            • Runs ping.exe
            PID:2504
          • C:\Windows\system32\PING.EXE
            ping -n 2 127.0.0.1
            4⤵
            • Runs ping.exe
            PID:2860
          • C:\Windows\system32\PING.EXE
            ping -n 2 127.0.0.1
            4⤵
            • Runs ping.exe
            PID:2892
          • C:\Windows\system32\PING.EXE
            ping -n 2 127.0.0.1
            4⤵
            • Runs ping.exe
            PID:1584
          • C:\Windows\system32\PING.EXE
            ping -n 2 127.0.0.1
            4⤵
            • Runs ping.exe
            PID:296
          • C:\Windows\system32\PING.EXE
            ping -n 2 127.0.0.1
            4⤵
            • Runs ping.exe
            PID:956
          • C:\Windows\system32\PING.EXE
            ping -n 2 127.0.0.1
            4⤵
            • Runs ping.exe
            PID:940
          • C:\Windows\system32\tasklist.exe
            tasklist
            4⤵
            • Enumerates processes with tasklist
            • Suspicious use of AdjustPrivilegeToken
            PID:236
          • C:\Windows\system32\find.exe
            find /i "cs2.exe"
            4⤵
            PID:1736
    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2796
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svchost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2588
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2436
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2412
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1824
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
        3⤵
        • Creates scheduled task(s)
        PID:1072
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {C2A4C280-7372-4544-8F2A-064F6BE3B2A5} S-1-5-21-481678230-3773327859-3495911762-1000:UIBNQNMA\Admin:Interactive:[1]
    1⤵
    PID:2340
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      C:\Users\Admin\AppData\Roaming\svchost.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2784
    • C:\Users\Admin\AppData\Roaming\System.exe
      C:\Users\Admin\AppData\Roaming\System.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1692
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      C:\Users\Admin\AppData\Roaming\svchost.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:996
    • C:\Users\Admin\AppData\Roaming\System.exe
      C:\Users\Admin\AppData\Roaming\System.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1836
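The Signatures section above describes the install sequence in words (Defender exclusions via PowerShell, then a high-privilege scheduled task that re-runs the payload every minute), and the process tree shows the exact command lines. The following is an added example, not part of the Triage report or of any XWorm tooling: a small detection pass in Python over process-creation records. The records are constructed from the command lines shown in this tree (PIDs 2576, 1012, 1412, 2180, 2788) plus two benign controls that are not from the report; the field names (pid, parent_pid, image, command_line) are assumptions chosen to mirror Sysmon Event ID 1, and the thresholds (a repeat interval of five minutes or less, at least two suspicious task attributes) are the example's own heuristics.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (field names assumed; modelled on Sysmon Event ID 1)."""
    pid: int
    parent_pid: int
    image: str
    command_line: str


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SCHTASKS = r"C:\Windows\System32\schtasks.exe"


def ps_cmd(args):
    """Build a PowerShell command line in the form the sandbox shows it."""
    return f'"{PS}" -ExecutionPolicy Bypass {args}'


# Constructed sample: command lines taken from this report's process tree,
# followed by two benign controls (constructed, not from the report) that must not alert.
SAMPLE_EVENTS = [
    ProcEvent(2576, 1908, PS, ps_cmd(r"Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\System.exe'")),
    ProcEvent(1012, 1908, PS, ps_cmd(r"Add-MpPreference -ExclusionProcess 'System.exe'")),
    ProcEvent(1412, 1908, PS, ps_cmd(r"Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\System.exe'")),
    ProcEvent(2180, 1908, SCHTASKS, rf'"{SCHTASKS}" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System" /tr "C:\Users\Admin\AppData\Roaming\System.exe"'),
    ProcEvent(2788, 1232, r"C:\Windows\system32\cmd.exe", r'"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\1851.tmp\1852.tmp\1853.bat C:\Users\Admin\AppData\Local\Temp\abobus.exe"'),
    ProcEvent(4000, 3999, PS, f'"{PS}" Get-MpPreference'),
    ProcEvent(4001, 3999, SCHTASKS, rf'"{SCHTASKS}" /create /sc daily /tn "Backup" /tr "C:\Program Files\Backup\backup.exe"'),
]

# Add-MpPreference with any exclusion switch; value may be single-quoted, double-quoted or bare.
EXCLUSION_RE = re.compile(
    r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)\s+(?:'([^']*)'|\"([^\"]*)\"|(\S+))", re.I)
# Locations a standard user can write to; a task action living there is a persistence signal.
USER_WRITABLE_RE = re.compile(r"\\(?:Users\\[^\\]+\\AppData|ProgramData|Users\\Public|Windows\\Temp)\\", re.I)
# Batch script nested two .tmp directories deep under %TEMP%, as abobus.exe does in this report.
TEMP_BATCH_RE = re.compile(r"\\Temp\\[0-9A-F]+\.tmp\\[0-9A-F]+\.tmp\\[0-9A-F]+\.bat\b", re.I)


def find_defender_exclusion(ev):
    """Flag a Defender exclusion being added from the command line (ATT&CK T1562.001)."""
    m = EXCLUSION_RE.search(ev.command_line)
    if not m:
        return None
    return {"rule": "defender_exclusion", "pid": ev.pid, "parent_pid": ev.parent_pid,
            "kind": m.group(1).lower(), "value": m.group(2) or m.group(3) or m.group(4)}


def schtasks_switches(cmdline):
    """Parse schtasks-style '/switch [value]' pairs; quoted values keep their spaces."""
    toks = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    opts, i = {}, 1  # skip the image path at index 0
    while i < len(toks):
        if toks[i].startswith("/"):
            key = toks[i][1:].lower()
            if i + 1 < len(toks) and not toks[i + 1].startswith("/"):
                opts[key] = toks[i + 1]
                i += 2
                continue
            opts[key] = True
        i += 1
    return opts


def find_schtasks_persistence(ev):
    """Flag schtasks /create with at least two of: tight minute interval, HIGHEST run level,
    action under a user-writable path (ATT&CK T1053.005)."""
    if not ev.image.lower().endswith("\\schtasks.exe"):
        return None
    o = schtasks_switches(ev.command_line)
    if "create" not in o:
        return None
    reasons, mo = [], str(o.get("mo", ""))
    if str(o.get("sc", "")).lower() == "minute" and mo.isdigit() and int(mo) <= 5:
        reasons.append(f"re-runs every {mo} minute(s)")
    if str(o.get("rl", "")).upper() == "HIGHEST":
        reasons.append("requests highest run level")
    if USER_WRITABLE_RE.search(str(o.get("tr", ""))):
        reasons.append("action lives under a user-writable path")
    if len(reasons) < 2:
        return None
    return {"rule": "schtasks_persistence", "pid": ev.pid, "parent_pid": ev.parent_pid,
            "task": o.get("tn"), "action": o.get("tr"), "reasons": reasons}


def find_temp_batch_launch(ev):
    """Flag cmd.exe running a .bat from a nested %TEMP%\\<hex>.tmp\\<hex>.tmp\\ directory."""
    if not ev.image.lower().endswith("\\cmd.exe"):
        return None
    m = TEMP_BATCH_RE.search(ev.command_line)
    return None if not m else {"rule": "temp_nested_batch", "pid": ev.pid,
                               "parent_pid": ev.parent_pid, "script": m.group(0)}


def run_detections(events):
    """Apply every detector to every event; return the alerts in event order."""
    alerts = []
    for ev in events:
        for detector in (find_defender_exclusion, find_schtasks_persistence, find_temp_batch_launch):
            hit = detector(ev)
            if hit:
                alerts.append(hit)
    return alerts


def correlate_install_chain(alerts):
    """Parents that both added Defender exclusions and registered an aggressive task,
    the sequence System.exe (PID 1908) and svchost.exe (PID 2796) follow in this report."""
    by_parent = defaultdict(set)
    for a in alerts:
        by_parent[a["parent_pid"]].add(a["rule"])
    return sorted(p for p, rules in by_parent.items()
                  if {"defender_exclusion", "schtasks_persistence"} <= rules)


if __name__ == "__main__":
    hits = run_detections(SAMPLE_EVENTS)
    for h in hits:
        print(h)
    print("install-chain parents:", correlate_install_chain(hits))
```

Each detector alone is noisy in an environment where administrators legitimately script Defender or the Task Scheduler; the correlation step is what turns the report's signatures into a usable alert, because a single parent that first excludes itself from Defender and then schedules itself to re-run every minute from %AppData% has no benign explanation.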

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\1851.tmp\1852.tmp\1853.bat
    Filesize
    712B
    MD5
    1c6d570cacfeda450549313478b0c5e0
    SHA1
    c914ab0dadf9b782ffd47cf42305ec0b5228ffb5
    SHA256
    f60f30bb535beec466c0ccaee0fefa3d14efe9f5a52031206e1bbe3f64b26390
    SHA512
    f0203662b33ce4efdb2458fac762b3ab24e799d676ed2b79d75c32486861a3206e0558212ddd14a1bf60cf28ea84409868d79cd5f14333d391b68af16c4280a0
  • C:\Users\Admin\AppData\Local\Temp\System.exe
    Filesize
    65KB
    MD5
    d4195c5da221fd57c3fa82c51c73fc4d
    SHA1
    f253e51c33874bf1f7bd55f21122bdd77e4c4ea4
    SHA256
    a28a54a0a3b3d502c2f7aecf1f9109f61cfa822e0ccc1f3ef67250baa12d49db
    SHA512
    0af7e1cd86cd249d1ab8d170b47de0ee2669ea55537f56a6958560be74769b299a3f71ab717693689d9014e2187c70a6ca490e0f94d0c6f452a91924c96a766e
  • C:\Users\Admin\AppData\Local\Temp\abobus.exe
    Filesize
    122KB
    MD5
    588625ea18fb70571c443a739fa75bad
    SHA1
    9ce88840d71ea3f011595e22f13651df5cdaf971
    SHA256
    672e9ece4c044fe3c385d49bbc35b52c4348f170bb7de7963a9f1e709f8a089b
    SHA512
    917d9a54170cbce7238227207b386342f03be71fc5339b66713b63ed4584d1d972e491fffbe9cea5b2ed3c3b417409bf8da1672bb1711b5d2c93bacdb3c2cb33
  • C:\Users\Admin\AppData\Local\Temp\svchost.exe
    Filesize
    66KB
    MD5
    a788becf083156d7fac2be10c6d08d4e
    SHA1
    4ff004a365b01bd590667baf797d906a927ca218
    SHA256
    6b129d4a5aa3cc91abc19dae5922f857282d4c37e7f23df626d9b9ca8f845061
    SHA512
    ac868aa2b3091a5eb1672fbb44aff879666d73753ef6e39ca8781759905064c594c265a2411b6dfde122b821fab2225c577d0de1a28606dd39b8318c5f0055d4
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize
    7KB
    MD5
    2dd7c27b6911026eeaa6711ba0792e55
    SHA1
    50dafa736d08244eaffa07497be70e82c5bcbf0b
    SHA256
    4e5ad11cb2cfc1ca19041493b8eb91cb186cf75cad48e20ea81c7b4da7c5a78d
    SHA512
    dc07b8747b6daf96b679a61d45758a911f99d65214b039ea357666aa32674b4f81f6d2fa72956e2279ea933cce3c14ecf6681b0fdfdabcf0c9dd50ae2dcb3a28
  • memory/992-1-0x0000000000A70000-0x0000000000AFC000-memory.dmp
    Filesize
    560KB
  • memory/992-0-0x000007FEF51B3000-0x000007FEF51B4000-memory.dmp
    Filesize
    4KB
  • memory/996-80-0x0000000000B90000-0x0000000000BA6000-memory.dmp
    Filesize
    88KB
  • memory/1692-74-0x00000000013D0000-0x00000000013E6000-memory.dmp
    Filesize
    88KB
  • memory/1908-22-0x000007FEF51B0000-0x000007FEF5B9C000-memory.dmp
    Filesize
    9.9MB
  • memory/1908-69-0x000007FEF51B0000-0x000007FEF5B9C000-memory.dmp
    Filesize
    9.9MB
  • memory/1908-19-0x0000000001280000-0x0000000001296000-memory.dmp
    Filesize
    88KB
  • memory/2436-45-0x0000000002290000-0x0000000002298000-memory.dmp
    Filesize
    32KB
  • memory/2436-44-0x000000001B870000-0x000000001BB52000-memory.dmp
    Filesize
    2.9MB
  • memory/2576-33-0x0000000001DF0000-0x0000000001DF8000-memory.dmp
    Filesize
    32KB
  • memory/2588-32-0x000000001B890000-0x000000001BB72000-memory.dmp
    Filesize
    2.9MB
  • memory/2784-77-0x0000000000800000-0x0000000000816000-memory.dmp
    Filesize
    88KB
  • memory/2796-17-0x0000000000E10000-0x0000000000E26000-memory.dmp
    Filesize
    88KB