Analysis

  • max time kernel
    4s
  • max time network
    130s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03/05/2024, 04:23

General

  • Target

    66bc491ac60ff2af35a6b35984b68b5054b8f70b30c1b9e07d1c4e3163fdf767.exe

  • Size

    535KB

  • MD5

    11484da8db8f1bbeaff9b8b4b7387e7d

  • SHA1

    8604e6082a89f9731beba669de3520788dd70d6a

  • SHA256

    66bc491ac60ff2af35a6b35984b68b5054b8f70b30c1b9e07d1c4e3163fdf767

  • SHA512

    54fabcf2e5e10c73eff2552b1390e849d385b174995eb0dee5c71c8d8395cd58bc89c8eaa78f73dad8e0f95048f951fb24e0e06877ec5be6738af28b730d7f53

  • SSDEEP

    6144:MoEjg84W5xNSuIdNqqS+lsrKAe3Y8l/v:QgE5xwuIKp+N

Malware Config

Extracted

Family

xworm

C2

your-purchasing.gl.at.ply.gg:35731

logo-active.gl.at.ply.gg:25835

Attributes
  • Install_directory

    %AppData%

  • install_file

    System.exe

Signatures

  • Detect Xworm Payload 4 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs ping.exe 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\66bc491ac60ff2af35a6b35984b68b5054b8f70b30c1b9e07d1c4e3163fdf767.exe
    "C:\Users\Admin\AppData\Local\Temp\66bc491ac60ff2af35a6b35984b68b5054b8f70b30c1b9e07d1c4e3163fdf767.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1848
    • C:\Users\Admin\AppData\Local\Temp\System.exe
      "C:\Users\Admin\AppData\Local\Temp\System.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:972
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\System.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4440
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3812
    • C:\Users\Admin\AppData\Local\Temp\abobus.exe
      "C:\Users\Admin\AppData\Local\Temp\abobus.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2620
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\38E2.tmp\38E3.tmp\38E4.bat C:\Users\Admin\AppData\Local\Temp\abobus.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4968
        • C:\Windows\system32\chcp.com
          chcp 65001
          4⤵
          PID:4816
        • C:\Windows\system32\PING.EXE
          ping -n 2 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:3364
        • C:\Windows\system32\PING.EXE
          ping -n 2 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:4432
        • C:\Windows\system32\PING.EXE
          ping -n 2 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:3868
        • C:\Windows\system32\PING.EXE
          ping -n 2 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:216
    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4372
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svchost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3604
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:876

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

      Filesize

      2KB

      MD5

      d85ba6ff808d9e5444a4b369f5bc2730

      SHA1

      31aa9d96590fff6981b315e0b391b575e4c0804a

      SHA256

      84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

      SHA512

      8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      944B

      MD5

      e9b83f48f6d18a70a0204fc6927471ba

      SHA1

      b2122ea0ba394a320b53605bdc9991c14c87ec8e

      SHA256

      cfc12de174fffd850f98ddc488818e207c6c0f7e80685a6055665062b9f057a5

      SHA512

      32ca1b677be6c80696e2a053862ba21f361d4e58ec96dd77950e88a3be4ed18b5ce3dc7ed4702ce61b261e62cc3fcf42a1f45ef7dc25297cb53bdc6a30ada38c

    • C:\Users\Admin\AppData\Local\Temp\38E2.tmp\38E3.tmp\38E4.bat

      Filesize

      712B

      MD5

      1c6d570cacfeda450549313478b0c5e0

      SHA1

      c914ab0dadf9b782ffd47cf42305ec0b5228ffb5

      SHA256

      f60f30bb535beec466c0ccaee0fefa3d14efe9f5a52031206e1bbe3f64b26390

      SHA512

      f0203662b33ce4efdb2458fac762b3ab24e799d676ed2b79d75c32486861a3206e0558212ddd14a1bf60cf28ea84409868d79cd5f14333d391b68af16c4280a0

    • C:\Users\Admin\AppData\Local\Temp\System.exe

      Filesize

      65KB

      MD5

      d4195c5da221fd57c3fa82c51c73fc4d

      SHA1

      f253e51c33874bf1f7bd55f21122bdd77e4c4ea4

      SHA256

      a28a54a0a3b3d502c2f7aecf1f9109f61cfa822e0ccc1f3ef67250baa12d49db

      SHA512

      0af7e1cd86cd249d1ab8d170b47de0ee2669ea55537f56a6958560be74769b299a3f71ab717693689d9014e2187c70a6ca490e0f94d0c6f452a91924c96a766e

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hsfeenkz.k4c.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • C:\Users\Admin\AppData\Local\Temp\abobus.exe

      Filesize

      122KB

      MD5

      588625ea18fb70571c443a739fa75bad

      SHA1

      9ce88840d71ea3f011595e22f13651df5cdaf971

      SHA256

      672e9ece4c044fe3c385d49bbc35b52c4348f170bb7de7963a9f1e709f8a089b

      SHA512

      917d9a54170cbce7238227207b386342f03be71fc5339b66713b63ed4584d1d972e491fffbe9cea5b2ed3c3b417409bf8da1672bb1711b5d2c93bacdb3c2cb33

    • C:\Users\Admin\AppData\Local\Temp\svchost.exe

      Filesize

      66KB

      MD5

      a788becf083156d7fac2be10c6d08d4e

      SHA1

      4ff004a365b01bd590667baf797d906a927ca218

      SHA256

      6b129d4a5aa3cc91abc19dae5922f857282d4c37e7f23df626d9b9ca8f845061

      SHA512

      ac868aa2b3091a5eb1672fbb44aff879666d73753ef6e39ca8781759905064c594c265a2411b6dfde122b821fab2225c577d0de1a28606dd39b8318c5f0055d4

    • memory/972-34-0x00007FFBFE3A0000-0x00007FFBFEE61000-memory.dmp

      Filesize

      10.8MB

    • memory/972-29-0x0000000000AC0000-0x0000000000AD6000-memory.dmp

      Filesize

      88KB

    • memory/1848-0-0x0000000000B40000-0x0000000000BCC000-memory.dmp

      Filesize

      560KB

    • memory/1848-1-0x00007FFBFE3A3000-0x00007FFBFE3A5000-memory.dmp

      Filesize

      8KB

    • memory/3604-48-0x000001E667DB0000-0x000001E667DD2000-memory.dmp

      Filesize

      136KB

    • memory/4372-37-0x00007FFBFE3A0000-0x00007FFBFEE61000-memory.dmp

      Filesize

      10.8MB

    • memory/4372-32-0x0000000000BF0000-0x0000000000C06000-memory.dmp

      Filesize

      88KB