Analysis
- max time kernel: 928s
- max time network: 930s
- platform: windows11-21h2_x64
- resource: win11-20240426-en
- resource tags: arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 09/05/2024, 07:53
Behavioral tasks
- behavioral1: Sample Client.exe, Resource win10v2004-20240508-en
- behavioral2: Sample Client.exe, Resource win10-20240404-en
- behavioral3: Sample Client.exe, Resource win7-20240508-en
- behavioral4: Sample Client.exe, Resource win10v2004-20240508-en
- behavioral5: Sample Client.exe, Resource win11-20240426-en
General
- Target: Client.exe
- Size: 327KB
- MD5: abba6345ea0fb09de3cded81bec289ef
- SHA1: 5ddf3b0d56f3dbd742b6473ab22b58a74730a4e0
- SHA256: 90a1939a03a4c6a0cd4fa491f106e96597faf34110bc58e013f1604bad88d4a3
- SHA512: 8328b290d8d695e9a244bdbb782aafc48cf36f82c0cb3810c185d9c3468262e57dc30b249a5bf27d18e9db5ca97bd5a7a0081764ee7bfbabf621850c19624e4e
- SSDEEP: 6144:i1YD5ubbPMBX+GIIIIIIIhIIIIIIIIIIIIIIIU:15kPMBY
Malware Config
Extracted: xworm
- region-vip.gl.at.ply.gg:47649
- increased-ted.gl.at.ply.gg:47649
- Install_directory: %ProgramData%
- install_file: Steam.exe
- telegram: https://api.telegram.org/bot7186793142:AAGFJjLyhOIBEPcbCbAu3hrbmYsgQ5hzhf4/sendMessage?chat_id=5288662132
Signatures
- Detect Xworm Payload (2 IoCs)
  resource | yara_rule
  behavioral5/memory/1340-1-0x0000000000F70000-0x0000000000FC8000-memory.dmp | family_xworm
  behavioral5/files/0x000700000002a9c1-53.dat | family_xworm
- Command and Scripting Interpreter: PowerShell (1 TTPs, 4 IoCs)
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid | Process
  3112 | powershell.exe
  2568 | powershell.exe
  5048 | powershell.exe
  4432 | powershell.exe
- Executes dropped EXE (15 IoCs)
  pid | Process
  2844 | Steam.exe
  5044 | Steam.exe
  4156 | Steam.exe
  4944 | Steam.exe
  736 | Steam.exe
  4868 | Steam.exe
  4000 | Steam.exe
  4720 | Steam.exe
  556 | Steam.exe
  5096 | Steam.exe
  1728 | Steam.exe
  1440 | Steam.exe
  4988 | Steam.exe
  2472 | Steam.exe
  3692 | Steam.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Microsoft\Windows\CurrentVersion\Run\Steam = "C:\\ProgramData\\Steam.exe" | Client.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  2356 | schtasks.exe
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid | Process
  3112 | powershell.exe
  3112 | powershell.exe
  2568 | powershell.exe
  2568 | powershell.exe
  5048 | powershell.exe
  5048 | powershell.exe
  4432 | powershell.exe
  4432 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (21 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1340 | Client.exe
  Token: SeDebugPrivilege | 3112 | powershell.exe
  Token: SeDebugPrivilege | 2568 | powershell.exe
  Token: SeDebugPrivilege | 5048 | powershell.exe
  Token: SeDebugPrivilege | 4432 | powershell.exe
  Token: SeDebugPrivilege | 1340 | Client.exe
  Token: SeDebugPrivilege | 2844 | Steam.exe
  Token: SeDebugPrivilege | 5044 | Steam.exe
  Token: SeDebugPrivilege | 4156 | Steam.exe
  Token: SeDebugPrivilege | 4944 | Steam.exe
  Token: SeDebugPrivilege | 736 | Steam.exe
  Token: SeDebugPrivilege | 4868 | Steam.exe
  Token: SeDebugPrivilege | 4000 | Steam.exe
  Token: SeDebugPrivilege | 4720 | Steam.exe
  Token: SeDebugPrivilege | 556 | Steam.exe
  Token: SeDebugPrivilege | 5096 | Steam.exe
  Token: SeDebugPrivilege | 1728 | Steam.exe
  Token: SeDebugPrivilege | 1440 | Steam.exe
  Token: SeDebugPrivilege | 4988 | Steam.exe
  Token: SeDebugPrivilege | 2472 | Steam.exe
  Token: SeDebugPrivilege | 3692 | Steam.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  description | pid | Process | procid_target
  PID 1340 wrote to memory of 3112 | 1340 | Client.exe | 82
  PID 1340 wrote to memory of 3112 | 1340 | Client.exe | 82
  PID 1340 wrote to memory of 2568 | 1340 | Client.exe | 84
  PID 1340 wrote to memory of 2568 | 1340 | Client.exe | 84
  PID 1340 wrote to memory of 5048 | 1340 | Client.exe | 86
  PID 1340 wrote to memory of 5048 | 1340 | Client.exe | 86
  PID 1340 wrote to memory of 4432 | 1340 | Client.exe | 88
  PID 1340 wrote to memory of 4432 | 1340 | Client.exe | 88
  PID 1340 wrote to memory of 2356 | 1340 | Client.exe | 90
  PID 1340 wrote to memory of 2356 | 1340 | Client.exe | 90
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\Client.exe (PID 1340)
  Command: "C:\Users\Admin\AppData\Local\Temp\Client.exe"
  Signatures: Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3112)
    Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2568)
    Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Client.exe'
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 5048)
    Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Steam.exe'
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4432)
    Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Steam.exe'
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\schtasks.exe (PID 2356)
    Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Steam" /tr "C:\ProgramData\Steam.exe"
    Signatures: Creates scheduled task(s)
- C:\ProgramData\Steam.exe (PID 2844)
  Command: C:\ProgramData\Steam.exe
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- C:\ProgramData\Steam.exe (PID 5044)
  Command: C:\ProgramData\Steam.exe
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- C:\ProgramData\Steam.exe (PID 4156)
  Command: C:\ProgramData\Steam.exe
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- C:\ProgramData\Steam.exe (PID 4944)
  Command: C:\ProgramData\Steam.exe
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- C:\ProgramData\Steam.exe (PID 736)
  Command: C:\ProgramData\Steam.exe
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- C:\ProgramData\Steam.exe (PID 4868)
  Command: C:\ProgramData\Steam.exe
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- C:\ProgramData\Steam.exe (PID 4000)
  Command: C:\ProgramData\Steam.exe
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- C:\ProgramData\Steam.exe (PID 4720)
  Command: C:\ProgramData\Steam.exe
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- C:\ProgramData\Steam.exe (PID 556)
  Command: C:\ProgramData\Steam.exe
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- C:\ProgramData\Steam.exe (PID 5096)
  Command: C:\ProgramData\Steam.exe
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- C:\ProgramData\Steam.exe (PID 1728)
  Command: C:\ProgramData\Steam.exe
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- C:\ProgramData\Steam.exe (PID 1440)
  Command: C:\ProgramData\Steam.exe
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- C:\ProgramData\Steam.exe (PID 4988)
  Command: C:\ProgramData\Steam.exe
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- C:\ProgramData\Steam.exe (PID 2472)
  Command: C:\ProgramData\Steam.exe
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- C:\ProgramData\Steam.exe (PID 3692)
  Command: C:\ProgramData\Steam.exe
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads