Analysis
- Max time kernel: 908s
- Max time network: 924s
- Platform: windows10-2004_x64
- Resource: win10v2004-20240508-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 09/05/2024, 07:53
Behavioral tasks
- behavioral1: sample Client.exe, resource win10v2004-20240508-en
- behavioral2: sample Client.exe, resource win10-20240404-en
- behavioral3: sample Client.exe, resource win7-20240508-en
- behavioral4: sample Client.exe, resource win10v2004-20240508-en
- behavioral5: sample Client.exe, resource win11-20240426-en
General
- Target: Client.exe
- Size: 327KB
- MD5: abba6345ea0fb09de3cded81bec289ef
- SHA1: 5ddf3b0d56f3dbd742b6473ab22b58a74730a4e0
- SHA256: 90a1939a03a4c6a0cd4fa491f106e96597faf34110bc58e013f1604bad88d4a3
- SHA512: 8328b290d8d695e9a244bdbb782aafc48cf36f82c0cb3810c185d9c3468262e57dc30b249a5bf27d18e9db5ca97bd5a7a0081764ee7bfbabf621850c19624e4e
- SSDEEP: 6144:i1YD5ubbPMBX+GIIIIIIIhIIIIIIIIIIIIIIIU:15kPMBY
Malware Config
Extracted family: xworm
- region-vip.gl.at.ply.gg:47649
- increased-ted.gl.at.ply.gg:47649
- Install_directory: %ProgramData%
- install_file: Steam.exe
- telegram: https://api.telegram.org/bot7186793142:AAGFJjLyhOIBEPcbCbAu3hrbmYsgQ5hzhf4/sendMessage?chat_id=5288662132
Signatures
- Detect Xworm Payload (2 IoCs)
  resource | yara_rule
  behavioral4/memory/5068-0-0x0000000000E40000-0x0000000000E98000-memory.dmp | family_xworm
  behavioral4/files/0x000900000002326f-54.dat | family_xworm
- Command and Scripting Interpreter: PowerShell (1 TTPs, 4 IoCs)
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid Process: 1456 powershell.exe; 3976 powershell.exe; 1556 powershell.exe; 4600 powershell.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | Client.exe
- Executes dropped EXE (15 IoCs)
  pid Process: 1792 Steam.exe; 4760 Steam.exe; 1212 Steam.exe; 1152 Steam.exe; 4824 Steam.exe; 4504 Steam.exe; 1504 Steam.exe; 2464 Steam.exe; 1612 Steam.exe; 3752 Steam.exe; 2812 Steam.exe; 1216 Steam.exe; 2412 Steam.exe; 2124 Steam.exe; 1244 Steam.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Steam = "C:\\ProgramData\\Steam.exe" | Client.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid Process: 4696 schtasks.exe
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid Process: 1456 powershell.exe; 1456 powershell.exe; 3976 powershell.exe; 3976 powershell.exe; 1556 powershell.exe; 1556 powershell.exe; 4600 powershell.exe; 4600 powershell.exe
- Suspicious use of AdjustPrivilegeToken (21 IoCs)
  description: Token: SeDebugPrivilege for every entry
  pid Process: 5068 Client.exe; 1456 powershell.exe; 3976 powershell.exe; 1556 powershell.exe; 4600 powershell.exe; 5068 Client.exe; 1792 Steam.exe; 4760 Steam.exe; 1212 Steam.exe; 1152 Steam.exe; 4824 Steam.exe; 4504 Steam.exe; 1504 Steam.exe; 2464 Steam.exe; 1612 Steam.exe; 3752 Steam.exe; 2812 Steam.exe; 1216 Steam.exe; 2412 Steam.exe; 2124 Steam.exe; 1244 Steam.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  description | pid | Process | procid_target
  PID 5068 wrote to memory of 1456 | 5068 | Client.exe | 83 (listed twice)
  PID 5068 wrote to memory of 3976 | 5068 | Client.exe | 85 (listed twice)
  PID 5068 wrote to memory of 1556 | 5068 | Client.exe | 87 (listed twice)
  PID 5068 wrote to memory of 4600 | 5068 | Client.exe | 89 (listed twice)
  PID 5068 wrote to memory of 4696 | 5068 | Client.exe | 91 (listed twice)
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\Client.exe (PID 5068)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Client.exe"
  Signatures: Checks computer location settings; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1456)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3976)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Client.exe'
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1556)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Steam.exe'
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4600)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Steam.exe'
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\schtasks.exe (PID 4696)
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Steam" /tr "C:\ProgramData\Steam.exe"
    Signatures: Creates scheduled task(s)
- C:\ProgramData\Steam.exe (15 separate top-level instances: PIDs 1792, 4760, 1212, 1152, 4824, 4504, 1504, 2464, 1612, 3752, 2812, 1216, 2412, 2124, 1244)
  Command line: C:\ProgramData\Steam.exe
  Signatures (each instance): Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads