Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    117s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    08/05/2024, 14:52

General

  • Target

    SantosExecutorInstaller.exe

  • Size

    161KB

  • MD5

    d8a8dc5751ec1e003029b24096414d84

  • SHA1

    e5d475f57565aca29bf2111bb123434b66093d8d

  • SHA256

    84ed4eecc481a190525ff964da9b2e17eb46b5cd6c45d2c602c5216099e91675

  • SHA512

    02ae89407380a0adffb05a256e65c3330d4b67463835f43bf036a06398e6a0bcf9afc0724769862209e854fbe7d4c067563c2b26a970214341162b4ed489f41f

  • SSDEEP

    3072:eZJHbIqVRWOnhzBz65/M6If+3Js+3JFkKeTnE:SJHbBxBt25

Malware Config

Extracted

Family

xworm

C2

introduction-specifications.gl.at.ply.gg:47117

Attributes
  • Install_directory

    %Userprofile%

  • install_file

    svchost.exe

  • telegram

    https://api.telegram.org/bot7098399942:AAGbBTQcHRRS0fdzPhkmgHxFxRybEnM_OnM

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SantosExecutorInstaller.exe
    "C:\Users\Admin\AppData\Local\Temp\SantosExecutorInstaller.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2156
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\SantosExecutorInstaller.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2480
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SantosExecutorInstaller.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2680
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\svchost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2900
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2548

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    7KB

    MD5

    1a2c23ab5e5a7a6b44e327ac079a2e5c

    SHA1

    5278e6eda3b8d115aeccf43fca489d03e00e6938

    SHA256

    3d60145335bb025e4bb8487e82fdb5cb1c832f13532a0b55922e59df672b868c

    SHA512

    411339f68bf5256281ce8aee3b99d68ca9d491206cadb230845ff69bd48f6c53e1fe4beb418c0a89a622ba29a7a23d1406f6709a65c216082f84c4abb1482a8a

  • memory/2156-0-0x000007FEF5843000-0x000007FEF5844000-memory.dmp

    Filesize

    4KB

  • memory/2156-1-0x00000000012D0000-0x00000000012FE000-memory.dmp

    Filesize

    184KB

  • memory/2156-2-0x000007FEF5840000-0x000007FEF622C000-memory.dmp

    Filesize

    9.9MB

  • memory/2156-33-0x000007FEF5843000-0x000007FEF5844000-memory.dmp

    Filesize

    4KB

  • memory/2156-34-0x000007FEF5840000-0x000007FEF622C000-memory.dmp

    Filesize

    9.9MB

  • memory/2480-7-0x0000000002C50000-0x0000000002CD0000-memory.dmp

    Filesize

    512KB

  • memory/2480-8-0x000000001B700000-0x000000001B9E2000-memory.dmp

    Filesize

    2.9MB

  • memory/2480-9-0x00000000026E0000-0x00000000026E8000-memory.dmp

    Filesize

    32KB

  • memory/2680-15-0x000000001B620000-0x000000001B902000-memory.dmp

    Filesize

    2.9MB

  • memory/2680-16-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

    Filesize

    32KB