Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

проверка.rar

windows7-x64

10

проверка.rar

windows10-2004-x64

10

Analysis

  • max time kernel
    102s
  • max time network
    137s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    01/06/2024, 17:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    проверка.rar

  • Size

    67KB

  • MD5

    e89a677ddfa8a60aeb45e72531e46847

  • SHA1

    ae5f8093367716bf77003276f9886e6869fa9b19

  • SHA256

    0405ea85262008c736e2113f4fbfa1b9eadc1e59fea50737ed5edb4326f686a9

  • SHA512

    86d138e41045c77251d88e9a93649ce5591c3c743a026e8d68923b89c0a7e1b9adb04ffeb64869025c5599544dc03d815b9594392a2869e87753d80a7225796c

  • SSDEEP

    1536:gSQMWjVGooE2vo7Ugl77wYAMHWwHVBhxmnZPVA5H:dQGob2vKl5HHvJy2H

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

19.ip.gl.ply.gg:65468

speed-wheat.gl.at.ply.gg:65468

XWorm V5.2:123
Attributes
  • Install_directory

    %AppData%

  • install_file

    Delta.exe

Signatures

  • Detect Xworm Payload 3 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops startup file 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\проверка.rar
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2032
    • C:\Program Files\7-Zip\7zFM.exe
      "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\проверка.rar"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:2956
  • C:\Users\Admin\Desktop\проверка.exe
    "C:\Users\Admin\Desktop\проверка.exe"
    1⤵
    • Drops startup file
    • Executes dropped EXE
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2492
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\проверка.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2404
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'проверка.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2396
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Delta.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:472
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Delta.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:888
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Delta" /tr "C:\Users\Admin\AppData\Roaming\Delta.exe"
      2⤵
      • Creates scheduled task(s)
      PID:2320
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {57585404-243D-4455-BA87-EADB3568486E} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2620
    • C:\Users\Admin\AppData\Roaming\Delta.exe
      C:\Users\Admin\AppData\Roaming\Delta.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2416
    • C:\Users\Admin\AppData\Roaming\Delta.exe
      C:\Users\Admin\AppData\Roaming\Delta.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2520

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    790f9db32a0173294c7f605c6f929f2c

    SHA1

    4b9033bdba7247dbae89cec4592cbd671f67ca50

    SHA256

    5615102f3b66d382b953889186f6813295ef28e31082179c9a5cf9e9096901ee

    SHA512

    028237ccc284139547af8eda177e869f0f900b7a19c29ade7b57e57c19f545b1372b8ba7fb011626dbc064fd2ef80db027a392a5a6bb0e4a60514bb789befb68

    Download Submit

  • C:\Users\Admin\Desktop\проверка.exe
    Filesize

    98KB

    MD5

    69c00aa1f2cecc09093eec932c788209

    SHA1

    2bcdc2f36469087ec60acc0b6d3e47fde03d0f6c

    SHA256

    c3873500c3bff4e73beacd24ce3005f0f5d5486d51b73cc7e0dc8b3bcbf902e2

    SHA512

    8bc1e413998b4c6ff77798561097fbec6c5c52aec560a62c73025739157cf3dc4a06d3d645cc582eb88533166a2373f92dc3332084036966491b9934cc3ab214

    Download Submit

  • memory/2396-40-0x000000001B330000-0x000000001B612000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2396-41-0x0000000002460000-0x0000000002468000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2404-33-0x000000001B300000-0x000000001B5E2000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2404-34-0x0000000001ED0000-0x0000000001ED8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2416-60-0x0000000000F10000-0x0000000000F30000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2492-28-0x00000000003B0000-0x00000000003D0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2492-62-0x000000001A5B0000-0x000000001A5BC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2492-63-0x000000001AC80000-0x000000001AC8A000-memory.dmp

    Filesize

    40KB

    Download