Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 4s
max time network: 130s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/05/2024, 04:23
Static task: static1
Behavioral task: behavioral1
Sample: 66bc491ac60ff2af35a6b35984b68b5054b8f70b30c1b9e07d1c4e3163fdf767.exe
Resource: win7-20240419-en
General
Target: 66bc491ac60ff2af35a6b35984b68b5054b8f70b30c1b9e07d1c4e3163fdf767.exe
Size: 535KB
MD5: 11484da8db8f1bbeaff9b8b4b7387e7d
SHA1: 8604e6082a89f9731beba669de3520788dd70d6a
SHA256: 66bc491ac60ff2af35a6b35984b68b5054b8f70b30c1b9e07d1c4e3163fdf767
SHA512: 54fabcf2e5e10c73eff2552b1390e849d385b174995eb0dee5c71c8d8395cd58bc89c8eaa78f73dad8e0f95048f951fb24e0e06877ec5be6738af28b730d7f53
SSDEEP: 6144:MoEjg84W5xNSuIdNqqS+lsrKAe3Y8l/v:QgE5xwuIKp+N
Malware Config
Extracted family: xworm
C2: your-purchasing.gl.at.ply.gg:35731
C2: logo-active.gl.at.ply.gg:25835
Install_directory: %AppData%
install_file: System.exe
Signatures

Detect Xworm Payload (4 IoCs)
resource | yara_rule
- behavioral2/files/0x0009000000023b15-7.dat | family_xworm
- behavioral2/memory/972-29-0x0000000000AC0000-0x0000000000AD6000-memory.dmp | family_xworm
- behavioral2/memory/4372-32-0x0000000000BF0000-0x0000000000C06000-memory.dmp | family_xworm
- behavioral2/files/0x000a000000023b88-31.dat | family_xworm
Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, or processes. In this run each dropped payload (System.exe and svchost.exe) launches powershell.exe with -ExecutionPolicy Bypass twice: once to add an -ExclusionPath for its own image under the user's Temp directory, and once to add an -ExclusionProcess for its own file name, so Defender stops scanning the payload and anything it does.
pid | Process
- 3604 | powershell.exe
- 4440 | powershell.exe
- 3812 | powershell.exe
- 876 | powershell.exe
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up the country code configured in the registry, likely a geofence check.
description | ioc | Process
- Key value queried | \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation | System.exe
- Key value queried | \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation | 66bc491ac60ff2af35a6b35984b68b5054b8f70b30c1b9e07d1c4e3163fdf767.exe
- Key value queried | \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation | svchost.exe
Executes dropped EXE (3 IoCs)
pid | Process
- 972 | System.exe
- 2620 | abobus.exe
- 4372 | svchost.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Runs ping.exe (1 TTP, 4 IoCs)
pid | Process
- 3364 | PING.EXE
- 4432 | PING.EXE
- 3868 | PING.EXE
- 216 | PING.EXE
Suspicious behavior: EnumeratesProcesses (12 IoCs)
pid | Process
- 4440 | powershell.exe (3 events)
- 3604 | powershell.exe (3 events)
- 3812 | powershell.exe (3 events)
- 876 | powershell.exe (3 events)
Suspicious use of AdjustPrivilegeToken (6 IoCs)
description | pid | Process
- Token: SeDebugPrivilege | 972 | System.exe
- Token: SeDebugPrivilege | 4372 | svchost.exe
- Token: SeDebugPrivilege | 4440 | powershell.exe
- Token: SeDebugPrivilege | 3604 | powershell.exe
- Token: SeDebugPrivilege | 3812 | powershell.exe
- Token: SeDebugPrivilege | 876 | powershell.exe
Suspicious use of WriteProcessMemory (26 IoCs; each event is reported twice)
description | pid | Process | procid_target
- PID 1848 wrote to memory of 972 | 1848 | 66bc491ac60ff2af35a6b35984b68b5054b8f70b30c1b9e07d1c4e3163fdf767.exe | 83
- PID 1848 wrote to memory of 2620 | 1848 | 66bc491ac60ff2af35a6b35984b68b5054b8f70b30c1b9e07d1c4e3163fdf767.exe | 84
- PID 1848 wrote to memory of 4372 | 1848 | 66bc491ac60ff2af35a6b35984b68b5054b8f70b30c1b9e07d1c4e3163fdf767.exe | 85
- PID 2620 wrote to memory of 4968 | 2620 | abobus.exe | 87
- PID 4968 wrote to memory of 4816 | 4968 | cmd.exe | 88
- PID 4968 wrote to memory of 3364 | 4968 | cmd.exe | 89
- PID 4968 wrote to memory of 4432 | 4968 | cmd.exe | 93
- PID 4968 wrote to memory of 3868 | 4968 | cmd.exe | 97
- PID 4372 wrote to memory of 3604 | 4372 | svchost.exe | 98
- PID 972 wrote to memory of 4440 | 972 | System.exe | 99
- PID 972 wrote to memory of 3812 | 972 | System.exe | 102
- PID 4372 wrote to memory of 876 | 4372 | svchost.exe | 104
- PID 4968 wrote to memory of 216 | 4968 | cmd.exe | 106
Processes
(the number in brackets is the depth in the process tree)

[1] C:\Users\Admin\AppData\Local\Temp\66bc491ac60ff2af35a6b35984b68b5054b8f70b30c1b9e07d1c4e3163fdf767.exe
    Command: "C:\Users\Admin\AppData\Local\Temp\66bc491ac60ff2af35a6b35984b68b5054b8f70b30c1b9e07d1c4e3163fdf767.exe"
    PID: 1848
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\System.exe
        Command: "C:\Users\Admin\AppData\Local\Temp\System.exe"
        PID: 972
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\System.exe'
            PID: 4440
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System.exe'
            PID: 3812
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

    [2] C:\Users\Admin\AppData\Local\Temp\abobus.exe
        Command: "C:\Users\Admin\AppData\Local\Temp\abobus.exe"
        PID: 2620
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\system32\cmd.exe
            Command: "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\38E2.tmp\38E3.tmp\38E4.bat C:\Users\Admin\AppData\Local\Temp\abobus.exe"
            PID: 4968
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\system32\chcp.com
                Command: chcp 65001
                PID: 4816

            [4] C:\Windows\system32\PING.EXE
                Command: ping -n 2 127.0.0.1
                PID: 3364
                - Runs ping.exe

            [4] C:\Windows\system32\PING.EXE
                Command: ping -n 2 127.0.0.1
                PID: 4432
                - Runs ping.exe

            [4] C:\Windows\system32\PING.EXE
                Command: ping -n 2 127.0.0.1
                PID: 3868
                - Runs ping.exe

            [4] C:\Windows\system32\PING.EXE
                Command: ping -n 2 127.0.0.1
                PID: 216
                - Runs ping.exe

    [2] C:\Users\Admin\AppData\Local\Temp\svchost.exe
        Command: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        PID: 4372
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svchost.exe'
            PID: 3604
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
            PID: 876
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
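The three behaviours that stand out in the Signatures and Processes sections (the dropped payloads adding Defender exclusions for themselves, a binary named svchost.exe running from the user's Temp directory, and the batch file sleeping with ping against 127.0.0.1) as detection logic replayed over process-creation events. This is an added example written for this page, not Triage code and not anything from the sample. The PIDs, image paths and command lines are taken from the process tree above; the event schema, rule names, severities and the parent PID of the root process are this example's own assumptions.

```python
"""Replay the report's process tree through three detection rules."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path of the executable that started
    cmdline: str   # command line as logged


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    pid: int
    detail: str


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SYS32 = r"C:\Windows\system32"
SAMPLE = "66bc491ac60ff2af35a6b35984b68b5054b8f70b30c1b9e07d1c4e3163fdf767.exe"


def in_temp(name: str) -> str:
    return TEMP + "\\" + name


def ps_cmd(args: str) -> str:
    return '"' + PS + '" -ExecutionPolicy Bypass ' + args


# Constructed from the report's process tree; the root's parent PID (4000) is made up.
EVENTS = [
    ProcEvent(1848, 4000, in_temp(SAMPLE), '"' + in_temp(SAMPLE) + '"'),
    ProcEvent(972, 1848, in_temp("System.exe"), '"' + in_temp("System.exe") + '"'),
    ProcEvent(2620, 1848, in_temp("abobus.exe"), '"' + in_temp("abobus.exe") + '"'),
    ProcEvent(4372, 1848, in_temp("svchost.exe"), '"' + in_temp("svchost.exe") + '"'),
    ProcEvent(4440, 972, PS, ps_cmd("Add-MpPreference -ExclusionPath '" + in_temp("System.exe") + "'")),
    ProcEvent(3812, 972, PS, ps_cmd("Add-MpPreference -ExclusionProcess 'System.exe'")),
    ProcEvent(3604, 4372, PS, ps_cmd("Add-MpPreference -ExclusionPath '" + in_temp("svchost.exe") + "'")),
    ProcEvent(876, 4372, PS, ps_cmd("Add-MpPreference -ExclusionProcess 'svchost.exe'")),
    ProcEvent(4968, 2620, SYS32 + r"\cmd.exe",
              '"' + SYS32 + r'\cmd" /c "' + in_temp(r"38E2.tmp\38E3.tmp\38E4.bat") + " " + in_temp("abobus.exe") + '"'),
    ProcEvent(4816, 4968, SYS32 + r"\chcp.com", "chcp 65001"),
    ProcEvent(3364, 4968, SYS32 + r"\PING.EXE", "ping -n 2 127.0.0.1"),
    ProcEvent(4432, 4968, SYS32 + r"\PING.EXE", "ping -n 2 127.0.0.1"),
    ProcEvent(3868, 4968, SYS32 + r"\PING.EXE", "ping -n 2 127.0.0.1"),
    ProcEvent(216, 4968, SYS32 + r"\PING.EXE", "ping -n 2 127.0.0.1"),
]

# Add-MpPreference -ExclusionPath / -ExclusionProcess / -ExclusionExtension <target>
EXCLUSION_RE = re.compile(
    r"Add-MpPreference\b.*?-Exclusion(Path|Process|Extension)\s+['\"]?([^'\"]+?)['\"]?(?=\s|$)", re.IGNORECASE)
# Directories a standard user can write to; an exclusion there shields attacker-controlled files.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\", "%appdata%", "%temp%")
# Windows binary names and the only directories they legitimately run from.
# "System.exe" imitates the kernel "System" process, which has no image file at all.
SYSTEM_NAMES = {"svchost.exe": ("c:\\windows\\system32", "c:\\windows\\syswow64"), "system.exe": ()}
# "ping -n N 127.0.0.1" is the classic batch-file sleep.
PING_DELAY_RE = re.compile(r"\bping(?:\.exe)?\s+-n\s+\d+\s+(?:127\.0\.0\.1|localhost)\b", re.IGNORECASE)


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def _basename(path: str) -> str:
    return _norm(path).rsplit("\\", 1)[-1]


def _dirname(path: str) -> str:
    return _norm(path).rsplit("\\", 1)[0]


def detect(events: Iterable[ProcEvent]) -> list[Finding]:
    events = list(events)
    by_pid = {e.pid: e for e in events}
    findings: list[Finding] = []
    for e in events:
        name = _basename(e.image)
        if name == "powershell.exe" and (m := EXCLUSION_RE.search(e.cmdline)):
            kind, target = m.group(1), m.group(2)
            parent = by_pid.get(e.ppid)
            # Excluding the parent's own image (by path or by bare name) is the
            # self-protection pattern this report shows for System.exe and svchost.exe.
            self_excl = parent is not None and _norm(target) in (_norm(parent.image), _basename(parent.image))
            writable = any(s in _norm(target) for s in USER_WRITABLE)
            detail = f"Add-MpPreference -Exclusion{kind} {target}"
            if self_excl:
                detail += f" (excludes its parent, pid {parent.pid})"
            findings.append(Finding("defender_exclusion_tamper", "high" if (self_excl or writable) else "medium", e.pid, detail))
        if name in SYSTEM_NAMES and _dirname(e.image) not in SYSTEM_NAMES[name]:
            findings.append(Finding("system_binary_masquerade", "high", e.pid, f"{e.image} outside its system directory"))
        if name == "ping.exe" and PING_DELAY_RE.search(e.cmdline):
            parent = by_pid.get(e.ppid)
            findings.append(Finding("ping_loopback_delay", "low", e.pid,
                                    f"{e.cmdline!r} spawned by {_basename(parent.image) if parent else '?'}"))
    return findings


def summarize(findings: Iterable[Finding]) -> dict[str, int]:
    return dict(Counter(f.rule for f in findings))


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"[{f.severity:6}] {f.rule:26} pid={f.pid:<5} {f.detail}")
    print(summarize(detect(EVENTS)))
```

The exclusion rule escalates to high on two independent signals so that either alone is enough: the excluded path lives in a user-writable directory, or the excluded path or name is the parent process's own image. Both hold for all four PowerShell children here. The masquerade rule only fires for the two dropped binaries; a real svchost.exe from System32 passes through untouched.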
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2KB
MD5: d85ba6ff808d9e5444a4b369f5bc2730
SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Filesize: 944B
MD5: e9b83f48f6d18a70a0204fc6927471ba
SHA1: b2122ea0ba394a320b53605bdc9991c14c87ec8e
SHA256: cfc12de174fffd850f98ddc488818e207c6c0f7e80685a6055665062b9f057a5
SHA512: 32ca1b677be6c80696e2a053862ba21f361d4e58ec96dd77950e88a3be4ed18b5ce3dc7ed4702ce61b261e62cc3fcf42a1f45ef7dc25297cb53bdc6a30ada38c

Filesize: 712B
MD5: 1c6d570cacfeda450549313478b0c5e0
SHA1: c914ab0dadf9b782ffd47cf42305ec0b5228ffb5
SHA256: f60f30bb535beec466c0ccaee0fefa3d14efe9f5a52031206e1bbe3f64b26390
SHA512: f0203662b33ce4efdb2458fac762b3ab24e799d676ed2b79d75c32486861a3206e0558212ddd14a1bf60cf28ea84409868d79cd5f14333d391b68af16c4280a0

Filesize: 65KB
MD5: d4195c5da221fd57c3fa82c51c73fc4d
SHA1: f253e51c33874bf1f7bd55f21122bdd77e4c4ea4
SHA256: a28a54a0a3b3d502c2f7aecf1f9109f61cfa822e0ccc1f3ef67250baa12d49db
SHA512: 0af7e1cd86cd249d1ab8d170b47de0ee2669ea55537f56a6958560be74769b299a3f71ab717693689d9014e2187c70a6ca490e0f94d0c6f452a91924c96a766e

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 122KB
MD5: 588625ea18fb70571c443a739fa75bad
SHA1: 9ce88840d71ea3f011595e22f13651df5cdaf971
SHA256: 672e9ece4c044fe3c385d49bbc35b52c4348f170bb7de7963a9f1e709f8a089b
SHA512: 917d9a54170cbce7238227207b386342f03be71fc5339b66713b63ed4584d1d972e491fffbe9cea5b2ed3c3b417409bf8da1672bb1711b5d2c93bacdb3c2cb33

Filesize: 66KB
MD5: a788becf083156d7fac2be10c6d08d4e
SHA1: 4ff004a365b01bd590667baf797d906a927ca218
SHA256: 6b129d4a5aa3cc91abc19dae5922f857282d4c37e7f23df626d9b9ca8f845061
SHA512: ac868aa2b3091a5eb1672fbb44aff879666d73753ef6e39ca8781759905064c594c265a2411b6dfde122b821fab2225c577d0de1a28606dd39b8318c5f0055d4