Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    117s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08/05/2024, 14:52

General

  • Target

    SantosExecutorInstaller.exe

  • Size

    161KB

  • MD5

    d8a8dc5751ec1e003029b24096414d84

  • SHA1

    e5d475f57565aca29bf2111bb123434b66093d8d

  • SHA256

    84ed4eecc481a190525ff964da9b2e17eb46b5cd6c45d2c602c5216099e91675

  • SHA512

    02ae89407380a0adffb05a256e65c3330d4b67463835f43bf036a06398e6a0bcf9afc0724769862209e854fbe7d4c067563c2b26a970214341162b4ed489f41f

  • SSDEEP

    3072:eZJHbIqVRWOnhzBz65/M6If+3Js+3JFkKeTnE:SJHbBxBt25

Malware Config

Extracted

Family

xworm

C2

introduction-specifications.gl.at.ply.gg:47117

Attributes
  • Install_directory

    %Userprofile%

  • install_file

    svchost.exe

  • telegram

    https://api.telegram.org/bot7098399942:AAGbBTQcHRRS0fdzPhkmgHxFxRybEnM_OnM

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SantosExecutorInstaller.exe
    "C:\Users\Admin\AppData\Local\Temp\SantosExecutorInstaller.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3236
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\SantosExecutorInstaller.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2388
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SantosExecutorInstaller.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2636
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\svchost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1424
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1044
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4268,i,18168883380598738769,14202261231630113808,262144 --variations-seed-version --mojo-platform-channel-handle=1040 /prefetch:8
    1⤵
      PID:4508

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      944B

      MD5

      77d622bb1a5b250869a3238b9bc1402b

      SHA1

      d47f4003c2554b9dfc4c16f22460b331886b191b

      SHA256

      f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

      SHA512

      d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      944B

      MD5

      dbb22d95851b93abf2afe8fb96a8e544

      SHA1

      920ec5fdb323537bcf78f7e29a4fc274e657f7a4

      SHA256

      e1ee9af6b9e3bfd41b7d2c980580bb7427883f1169ed3df4be11293ce7895465

      SHA512

      16031134458bf312509044a3028be46034c544163c4ca956aee74d2075fbeb5873754d2254dc1d0b573ce1a644336ac4c8bd7147aba100bfdac8c504900ef3fc

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      944B

      MD5

      ce4540390cc4841c8973eb5a3e9f4f7d

      SHA1

      2293f30a6f4c9538bc5b06606c10a50ab4ecef8e

      SHA256

      e834e1da338b9644d538cefd70176768816da2556939c1255d386931bd085105

      SHA512

      2a3e466cb5a81d2b65256053b768a98321eb3e65ff46353eefc9864f14a391748116f050e7482ddd73a51575bf0a6fc5c673023dade62dbd8b174442bae1cc6b

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_unw2hcwi.huo.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • memory/2388-8-0x000002640FB10000-0x000002640FB32000-memory.dmp

      Filesize

      136KB

    • memory/2388-10-0x00007FFCC2C30000-0x00007FFCC36F1000-memory.dmp

      Filesize

      10.8MB

    • memory/2388-14-0x00007FFCC2C30000-0x00007FFCC36F1000-memory.dmp

      Filesize

      10.8MB

    • memory/2388-15-0x00007FFCC2C30000-0x00007FFCC36F1000-memory.dmp

      Filesize

      10.8MB

    • memory/2388-17-0x00007FFCC2C30000-0x00007FFCC36F1000-memory.dmp

      Filesize

      10.8MB

    • memory/3236-0-0x00007FFCC2C33000-0x00007FFCC2C35000-memory.dmp

      Filesize

      8KB

    • memory/3236-2-0x00007FFCC2C30000-0x00007FFCC36F1000-memory.dmp

      Filesize

      10.8MB

    • memory/3236-1-0x0000000000340000-0x000000000036E000-memory.dmp

      Filesize

      184KB

    • memory/3236-55-0x00007FFCC2C33000-0x00007FFCC2C35000-memory.dmp

      Filesize

      8KB

    • memory/3236-56-0x00007FFCC2C30000-0x00007FFCC36F1000-memory.dmp

      Filesize

      10.8MB