Analysis
max time kernel: 117s
max time network: 145s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 08/05/2024, 14:52
Behavioral task: behavioral1
Sample: SantosExecutorInstaller.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: SantosExecutorInstaller.exe
Resource: win10v2004-20240508-en
General
Target: SantosExecutorInstaller.exe
Size: 161KB
MD5: d8a8dc5751ec1e003029b24096414d84
SHA1: e5d475f57565aca29bf2111bb123434b66093d8d
SHA256: 84ed4eecc481a190525ff964da9b2e17eb46b5cd6c45d2c602c5216099e91675
SHA512: 02ae89407380a0adffb05a256e65c3330d4b67463835f43bf036a06398e6a0bcf9afc0724769862209e854fbe7d4c067563c2b26a970214341162b4ed489f41f
SSDEEP: 3072:eZJHbIqVRWOnhzBz65/M6If+3Js+3JFkKeTnE:SJHbBxBt25
Malware Config
Extracted family: xworm
C2: introduction-specifications.gl.at.ply.gg:47117
Install_directory: %Userprofile%
install_file: svchost.exe
telegram: https://api.telegram.org/bot7098399942:AAGbBTQcHRRS0fdzPhkmgHxFxRybEnM_OnM
Signatures
Detect Xworm Payload (1 IoCs)
  resource: behavioral1/memory/2156-1-0x00000000012D0000-0x00000000012FE000-memory.dmp
  yara_rule: family_xworm
Command and Scripting Interpreter: PowerShell (1 TTPs, 4 IoCs)
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  pid 2680  powershell.exe
  pid 2900  powershell.exe
  pid 2548  powershell.exe
  pid 2480  powershell.exe
Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk  (SantosExecutorInstaller.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk  (SantosExecutorInstaller.exe)
Adds Run key to start application (2 TTPs, 1 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\svchost.exe"  (SantosExecutorInstaller.exe)
Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 4  ip-api.com
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid 2480  powershell.exe
  pid 2680  powershell.exe
  pid 2900  powershell.exe
  pid 2548  powershell.exe
Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Token: SeDebugPrivilege  pid 2156  SantosExecutorInstaller.exe
  Token: SeDebugPrivilege  pid 2480  powershell.exe
  Token: SeDebugPrivilege  pid 2680  powershell.exe
  Token: SeDebugPrivilege  pid 2900  powershell.exe
  Token: SeDebugPrivilege  pid 2548  powershell.exe
  Token: SeDebugPrivilege  pid 2156  SantosExecutorInstaller.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  PID 2156 wrote to memory of 2480  pid 2156  SantosExecutorInstaller.exe  procid_target 29
  PID 2156 wrote to memory of 2480  pid 2156  SantosExecutorInstaller.exe  procid_target 29
  PID 2156 wrote to memory of 2480  pid 2156  SantosExecutorInstaller.exe  procid_target 29
  PID 2156 wrote to memory of 2680  pid 2156  SantosExecutorInstaller.exe  procid_target 31
  PID 2156 wrote to memory of 2680  pid 2156  SantosExecutorInstaller.exe  procid_target 31
  PID 2156 wrote to memory of 2680  pid 2156  SantosExecutorInstaller.exe  procid_target 31
  PID 2156 wrote to memory of 2900  pid 2156  SantosExecutorInstaller.exe  procid_target 33
  PID 2156 wrote to memory of 2900  pid 2156  SantosExecutorInstaller.exe  procid_target 33
  PID 2156 wrote to memory of 2900  pid 2156  SantosExecutorInstaller.exe  procid_target 33
  PID 2156 wrote to memory of 2548  pid 2156  SantosExecutorInstaller.exe  procid_target 35
  PID 2156 wrote to memory of 2548  pid 2156  SantosExecutorInstaller.exe  procid_target 35
  PID 2156 wrote to memory of 2548  pid 2156  SantosExecutorInstaller.exe  procid_target 35
Processes
C:\Users\Admin\AppData\Local\Temp\SantosExecutorInstaller.exe  (PID 2156)
  Command line: "C:\Users\Admin\AppData\Local\Temp\SantosExecutorInstaller.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 2480, child of 2156)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\SantosExecutorInstaller.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 2680, child of 2156)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SantosExecutorInstaller.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 2900, child of 2156)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\svchost.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 2548, child of 2156)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 1a2c23ab5e5a7a6b44e327ac079a2e5c
  SHA1: 5278e6eda3b8d115aeccf43fca489d03e00e6938
  SHA256: 3d60145335bb025e4bb8487e82fdb5cb1c832f13532a0b55922e59df672b868c
  SHA512: 411339f68bf5256281ce8aee3b99d68ca9d491206cadb230845ff69bd48f6c53e1fe4beb418c0a89a622ba29a7a23d1406f6709a65c216082f84c4abb1482a8a