Analysis
- max time kernel: 147s
- max time network: 155s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 29/05/2024, 04:55
Behavioral tasks
- behavioral1: Sample WaveTrial.exe, Resource win7-20240221-en
- behavioral2: Sample WaveTrial.exe, Resource win10v2004-20240426-en
General
- Target: WaveTrial.exe
- Size: 86KB
- MD5: 5cb8f4aa69339acc85ef9d2ca60b0c07
- SHA1: bb12de5f0a59eda98ba82e4a81dd24d80b8d7844
- SHA256: d8f968a5732220f35ab7094f13537d1d68405ed10362737848a87e5a71773e9d
- SHA512: f8908f96cfff0498b977c2d790709cc02408068999f520a9727e3eff4e260092fd1c1b8fcf13d0cc217298f0e91a0b55fb30f88bba515fa08ed8b66465c07540
- SSDEEP: 1536:VVOy37Fk3kKmog7DldgQatSL4Jj6+l7lbOL5zWx1fRkTqP6nPbuE1ONz5UrQWSK0:ctmog7DjgfmmbO14CP3ONzCrQC0
Malware Config
Extracted: xworm
- 127.0.0.1:2619
- 20.ip.gl.ply.gg:2619
- Install_directory: %AppData%
- install_file: USB.exe
Signatures
- Detect Xworm Payload (4 IoCs)
  resource | yara_rule
  behavioral1/memory/2172-1-0x00000000002C0000-0x00000000002DC000-memory.dmp | family_xworm
  behavioral1/files/0x0026000000015c0d-33.dat | family_xworm
  behavioral1/memory/1964-35-0x00000000000A0000-0x00000000000BC000-memory.dmp | family_xworm
  behavioral1/memory/2776-38-0x0000000001270000-0x000000000128C000-memory.dmp | family_xworm
- Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  pid | Process
  2664 | powershell.exe
  2276 | powershell.exe
  2772 | powershell.exe
  2756 | powershell.exe
- Drops startup file (2 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WaveLauncher.lnk | WaveTrial.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WaveLauncher.lnk | WaveTrial.exe
- Executes dropped EXE (2 IoCs)
  pid | Process
  1964 | WaveLauncher
  2776 | WaveLauncher
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\WaveLauncher = "C:\\Users\\Admin\\AppData\\Roaming\\WaveLauncher" | WaveTrial.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  3032 | schtasks.exe
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid | Process
  2276 | powershell.exe
  2772 | powershell.exe
  2756 | powershell.exe
  2664 | powershell.exe
  2172 | WaveTrial.exe
- Suspicious use of AdjustPrivilegeToken (8 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2172 | WaveTrial.exe
  Token: SeDebugPrivilege | 2276 | powershell.exe
  Token: SeDebugPrivilege | 2772 | powershell.exe
  Token: SeDebugPrivilege | 2756 | powershell.exe
  Token: SeDebugPrivilege | 2664 | powershell.exe
  Token: SeDebugPrivilege | 2172 | WaveTrial.exe
  Token: SeDebugPrivilege | 1964 | WaveLauncher
  Token: SeDebugPrivilege | 2776 | WaveLauncher
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid | Process
  2172 | WaveTrial.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  description | pid | Process | procid_target
  PID 2172 wrote to memory of 2276 | 2172 | WaveTrial.exe | 28
  PID 2172 wrote to memory of 2276 | 2172 | WaveTrial.exe | 28
  PID 2172 wrote to memory of 2276 | 2172 | WaveTrial.exe | 28
  PID 2172 wrote to memory of 2772 | 2172 | WaveTrial.exe | 30
  PID 2172 wrote to memory of 2772 | 2172 | WaveTrial.exe | 30
  PID 2172 wrote to memory of 2772 | 2172 | WaveTrial.exe | 30
  PID 2172 wrote to memory of 2756 | 2172 | WaveTrial.exe | 32
  PID 2172 wrote to memory of 2756 | 2172 | WaveTrial.exe | 32
  PID 2172 wrote to memory of 2756 | 2172 | WaveTrial.exe | 32
  PID 2172 wrote to memory of 2664 | 2172 | WaveTrial.exe | 34
  PID 2172 wrote to memory of 2664 | 2172 | WaveTrial.exe | 34
  PID 2172 wrote to memory of 2664 | 2172 | WaveTrial.exe | 34
  PID 2172 wrote to memory of 3032 | 2172 | WaveTrial.exe | 36
  PID 2172 wrote to memory of 3032 | 2172 | WaveTrial.exe | 36
  PID 2172 wrote to memory of 3032 | 2172 | WaveTrial.exe | 36
  PID 2024 wrote to memory of 1964 | 2024 | taskeng.exe | 42
  PID 2024 wrote to memory of 1964 | 2024 | taskeng.exe | 42
  PID 2024 wrote to memory of 1964 | 2024 | taskeng.exe | 42
  PID 2024 wrote to memory of 2776 | 2024 | taskeng.exe | 43
  PID 2024 wrote to memory of 2776 | 2024 | taskeng.exe | 43
  PID 2024 wrote to memory of 2776 | 2024 | taskeng.exe | 43
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\WaveTrial.exe (PID: 2172)
  Command line: "C:\Users\Admin\AppData\Local\Temp\WaveTrial.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID: 2276)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveTrial.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID: 2772)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WaveTrial.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID: 2756)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\WaveLauncher'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID: 2664)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WaveLauncher'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\schtasks.exe (PID: 3032)
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WaveLauncher" /tr "C:\Users\Admin\AppData\Roaming\WaveLauncher"
    - Creates scheduled task(s)
- C:\Windows\system32\taskeng.exe (PID: 2024)
  Command line: taskeng.exe {E58E6D2D-C23A-4C4C-8DE7-D65644813C8B} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\WaveLauncher (PID: 1964)
    Command line: C:\Users\Admin\AppData\Roaming\WaveLauncher
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Roaming\WaveLauncher (PID: 2776)
    Command line: C:\Users\Admin\AppData\Roaming\WaveLauncher
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 1c79af53478cf007878e7b6ee72d295c
  SHA1: 319113fa6df2ed41cccfd8947fa6d15990fde471
  SHA256: 406494a001e1b360f25b255b0236c4a7c6488815b084732f2edb95214a025ecd
  SHA512: dd9310d6f2a03966c22179b645b37524c7f0d1743a54da18db650da7bd68f5158fa280c1bb166de7fb7088ac1f561fdae412e4382de44856a9bb0ee23e13e27b
- (no path listed; hashes match the submitted sample WaveTrial.exe)
  Filesize: 86KB
  MD5: 5cb8f4aa69339acc85ef9d2ca60b0c07
  SHA1: bb12de5f0a59eda98ba82e4a81dd24d80b8d7844
  SHA256: d8f968a5732220f35ab7094f13537d1d68405ed10362737848a87e5a71773e9d
  SHA512: f8908f96cfff0498b977c2d790709cc02408068999f520a9727e3eff4e260092fd1c1b8fcf13d0cc217298f0e91a0b55fb30f88bba515fa08ed8b66465c07540