Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    04/07/2024, 03:38

General

  • Target

    385a7a04b7316e5dc330425132f315f466d82e6ccd979edde469d6f61c9e0077.exe

  • Size

    1.5MB

  • MD5

    fcb52672d473cf136f8bfa03d3e60aa0

  • SHA1

    8398a8fa2c8b909d49b9e3d19a6417d96a8bc2e6

  • SHA256

    385a7a04b7316e5dc330425132f315f466d82e6ccd979edde469d6f61c9e0077

  • SHA512

    db161e6c1d8062eda2bac28844d097fb86697d9ecc0e811a70b3438537ff6ab9c07cb8a47085fb348e918a73be69c6eb3389049bce32c651d1ee6766a2e32273

  • SSDEEP

    24576:yFU+Ar0D+GNlhWwTzJEealEsmzbLaneJL09JI9FJavZBBVdB9+WxkePMKQ3pBXdn:Jp0yyWwPxpbouV/EPB58WCedQ5B2w6C5

Malware Config

Extracted

Family

xworm

C2

usr-internal.gl.at.ply.gg:36003

(ply.gg hostnames are playit.gg tunnel endpoints: the sample reaches its operator through that relay, so an IP resolved for this name is the relay's, not the operator's host.)

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    dllhost.exe

  • telegram

    https://api.telegram.org/bot7268230993:AAH2vZGQkcYKKsL-PgJE8FiLxJ6qFOIFXxw/sendMessage?chat_id=7213459827

Signatures

  • Detect Xworm Payload 4 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, or processes. In this run the exclusions cover the dropped payload path (1.exe), its persistent copy (C:\ProgramData\dllhost.exe) and both process names, so Defender would skip exactly the files the sample goes on to execute.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 14 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
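The signatures above translate directly into log hunts: the Add-MpPreference and schtasks command lines in this report are plain-text strings that process-creation logging records verbatim, and Defender writes its own audit event when an exclusion is added. The script below is an added example, not part of the tria.ge report and not the sample's code. It assumes command lines are being logged (Security event 4688 with command-line logging enabled, and/or Sysmon event 1), that Defender records configuration changes as event 5007, and that it is run elevated on the host being examined. The regexes are derived from the command lines in the Processes section.

```powershell
# Added example (not part of the tria.ge report): hunt event logs for the
# commands this XWorm sample runs. Assumptions: Security 4688 has command
# lines enabled and/or Sysmon event 1 is present; Defender logs 5007.
param([int]$Days = 7)

$since = (Get-Date).AddDays(-$Days)

# Patterns taken from the report's process tree. -match is case-insensitive.
$patterns = @{
    'Defender exclusion via PowerShell'      = 'Add-MpPreference\s+-Exclusion(Path|Process|Extension)'
    'Minute-interval schtasks persistence'   = 'schtasks(\.exe)?.*/create.*/sc\s+minute.*/mo\s+1'
    'Highest run level scheduled task'       = 'schtasks(\.exe)?.*/RL\s+HIGHEST'
    'Payload in %ProgramData% as dllhost.exe' = 'ProgramData\\dllhost\.exe'
}

function Get-CommandLineEvents {
    # Security 4688 and Sysmon 1 both carry the command line in the message
    # text; matching on Message avoids provider-specific property positions.
    $sources = @(
        @{ LogName = 'Security'; Id = 4688; StartTime = $since },
        @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $since }
    )
    foreach ($f in $sources) {
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue
    }
}

$hits = foreach ($ev in Get-CommandLineEvents) {
    foreach ($name in $patterns.Keys) {
        if ($ev.Message -match $patterns[$name]) {
            [pscustomobject]@{
                Time   = $ev.TimeCreated
                Log    = $ev.LogName
                Id     = $ev.Id
                Rule   = $name
                # first message line that carries the match, for triage
                Detail = "$($ev.Message -split "`r?`n" |
                          Where-Object { $_ -match $patterns[$name] } |
                          Select-Object -First 1)".Trim()
            }
        }
    }
}

# Defender's own trail: 5007 "configuration has changed" names the registry
# value written; exclusions live under ...\Windows Defender\Exclusions\.
$defender = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id = 5007; StartTime = $since
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Exclusions\\(Paths|Processes|Extensions)' } |
    ForEach-Object {
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Log    = 'Defender'
            Id     = 5007
            Rule   = 'Defender exclusion added'
            Detail = "$($_.Message -split "`r?`n" |
                      Where-Object { $_ -match 'New value' } |
                      Select-Object -First 1)".Trim()
        }
    }

@($hits) + @($defender) | Sort-Object Time | Format-Table -AutoSize -Wrap
```

Two of the rules deserve a note. The "ProgramData\dllhost.exe" pattern is a strong signal on its own: the legitimate dllhost.exe lives only under System32 and SysWOW64, and the report shows the dropped copy being launched from %ProgramData% by taskeng.exe. The schtasks rule keys on "/sc minute /mo 1", which is unusual for legitimate software and is what produces the repeated dllhost.exe launches seen under taskeng.exe in the process tree.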

Processes

  • C:\Users\Admin\AppData\Local\Temp\385a7a04b7316e5dc330425132f315f466d82e6ccd979edde469d6f61c9e0077.exe
    "C:\Users\Admin\AppData\Local\Temp\385a7a04b7316e5dc330425132f315f466d82e6ccd979edde469d6f61c9e0077.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2848
    • C:\Users\Admin\AppData\Local\Temp\1.exe
      "C:\Users\Admin\AppData\Local\Temp\1.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3040
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2936
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '1.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2780
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\dllhost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2252
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'dllhost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:560
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "dllhost" /tr "C:\ProgramData\dllhost.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:1856
    • C:\Users\Admin\AppData\Local\Temp\[FreeTP.Org]Pummel-Party-Multiplayer-Fix-Online-v8.exe
      "C:\Users\Admin\AppData\Local\Temp\[FreeTP.Org]Pummel-Party-Multiplayer-Fix-Online-v8.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:3064
      • C:\Users\Admin\AppData\Local\Temp\is-54SFT.tmp\[FreeTP.Org]Pummel-Party-Multiplayer-Fix-Online-v8.tmp
        "C:\Users\Admin\AppData\Local\Temp\is-54SFT.tmp\[FreeTP.Org]Pummel-Party-Multiplayer-Fix-Online-v8.tmp" /SL5="$500F4,739062,190976,C:\Users\Admin\AppData\Local\Temp\[FreeTP.Org]Pummel-Party-Multiplayer-Fix-Online-v8.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks processor information in registry
        PID:2796
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {A1895B0E-E9AC-4B40-956C-AA77E2BBB663} S-1-5-21-268080393-3149932598-1824759070-1000:UHRQKJCP\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1580
    • C:\ProgramData\dllhost.exe
      C:\ProgramData\dllhost.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3016
    • C:\ProgramData\dllhost.exe
      C:\ProgramData\dllhost.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3032
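The tree above shows the persistence chain in full: 1.exe excludes itself and its future copy from Defender, registers a task named "dllhost" that runs C:\ProgramData\dllhost.exe every minute at highest run level (the two dllhost.exe children under taskeng.exe are that task firing), and adds a Run key. The script below is an added example, not part of the tria.ge report and not the sample's code: it checks a host for exactly those artefacts and, with -Remediate, removes them. The paths, task name and process names are the ones printed above; the SHA256 used for the file check is the hash of the dropped 1.exe from the Downloads section, on the assumption (not confirmed by the report, which does not hash the ProgramData copy) that dllhost.exe is a byte-identical copy. The Run key value name is not shown in the report, so the check matches on the command instead.

```powershell
# Added example (not part of the tria.ge report): detect and undo the
# persistence this sample sets up. Dry run by default; -Remediate removes.
# Run elevated on Windows 8.1 / Server 2012 R2 or later (needs the Defender
# and ScheduledTasks modules).
[CmdletBinding()]
param([switch]$Remediate)

# IoCs from the report's process tree and extracted config.
$PayloadPath = 'C:\ProgramData\dllhost.exe'
$TaskName    = 'dllhost'
$ExclPaths   = @('C:\Users\Admin\AppData\Local\Temp\1.exe', $PayloadPath)
$ExclProcs   = @('1.exe', 'dllhost.exe')
# SHA256 of the dropped 1.exe (Downloads section). Assumption: the
# ProgramData copy is byte-identical; the report does not hash it.
$PayloadSha256 = '5391282e3e5fa8fb0c1ffd4eae7082c3dcf8d3c64e622856e9659d40af3ef089'

$findings = @()

# 1. Defender exclusions added with Add-MpPreference.
$pref = Get-MpPreference
foreach ($p in $ExclPaths) {
    if ($pref.ExclusionPath -contains $p) {
        $findings += "Defender path exclusion: $p"
        if ($Remediate) { Remove-MpPreference -ExclusionPath $p }
    }
}
foreach ($p in $ExclProcs) {
    if ($pref.ExclusionProcess -contains $p) {
        $findings += "Defender process exclusion: $p"
        if ($Remediate) { Remove-MpPreference -ExclusionProcess $p }
    }
}

# 2. Scheduled task "dllhost": /sc minute /mo 1 /RL HIGHEST in the report.
$task = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
if ($task) {
    $exe = ($task.Actions | Select-Object -First 1).Execute
    $findings += "Scheduled task '$TaskName' -> $exe (RunLevel $($task.Principal.RunLevel))"
    if ($Remediate) { Unregister-ScheduledTask -TaskName $TaskName -Confirm:$false }
}

# 3. Run-key entries whose command points at the ProgramData copy.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($k in $runKeys) {
    $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    $names = $props.PSObject.Properties |
        Where-Object { "$($_.Value)" -like '*ProgramData*dllhost.exe*' } |
        ForEach-Object Name
    foreach ($name in $names) {
        $findings += "Run key ${k}\${name} = $($props.$name)"
        if ($Remediate) { Remove-ItemProperty -Path $k -Name $name }
    }
}

# 4. The dropped binary. dllhost.exe is legitimate only under System32 and
#    SysWOW64; a copy in %ProgramData% is the sample's install_file.
if (Test-Path $PayloadPath) {
    $hash = (Get-FileHash -Algorithm SHA256 -Path $PayloadPath).Hash
    $same = $hash -ieq $PayloadSha256
    $findings += "File present: $PayloadPath (SHA256 $hash; matches dropped 1.exe: $same)"
    if ($Remediate) {
        Get-Process -Name dllhost -ErrorAction SilentlyContinue |
            Where-Object { $_.Path -ieq $PayloadPath } |
            Stop-Process -Force
        Remove-Item -Path $PayloadPath -Force
    }
}

if ($findings) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else           { Write-Output '[+] none of the reported artefacts found' }
```

Order matters when remediating: the task is unregistered and the running copies are stopped before the file is deleted, otherwise the one-minute trigger can relaunch dllhost.exe between the two steps. On Windows 7, the platform this report was generated on, the Defender and ScheduledTasks cmdlets are not available; there, "schtasks /query /tn dllhost /v /fo list" and "schtasks /delete /tn dllhost /f" cover the task check, and the Run key and file checks work unchanged.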

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\is-54SFT.tmp\[FreeTP.Org]Pummel-Party-Multiplayer-Fix-Online-v8.tmp

    Filesize

    1.5MB

    MD5

    5380849aba66bec4970ee80e31c7ae49

    SHA1

    88dbeaf07f97a6159bf28bb8bb7fc9365e8a2b05

    SHA256

    c0bf62c200297b1de58ebc284176121e94097dddf81ce5a860831d786c830d19

    SHA512

    4e49ccad558b24772f7e781eefe4a212d23a4dfe814f8f80efab7ab9b99bf1df1c6ac8db53a89a04e7246d7cf96bf229652550099a68a74202a31451271ded4c

  • C:\Users\Admin\AppData\Local\Temp\is-PGV03.tmp\CheckBox.png

    Filesize

    7KB

    MD5

    abd301b0263b0e0cebdd71e4855ac7d3

    SHA1

    1e8480c3f3b47a5daa7cb1183b6a7a49998cda6e

    SHA256

    aff003e75bbf410ed2f7ca8728afe01ab4a517536647ad20109d00c4adf570d5

    SHA512

    b5abb188bd23d7fc2e3253a5639cc3eba6d21774dba55b43395cf84ddb49fe707ad54dc0a7f157e6b0804c1662d9c4cb4bef2787aafb194ea73fbebd1a63bb6b

  • C:\Users\Admin\AppData\Local\Temp\is-PGV03.tmp\WizardImage.jpg

    Filesize

    62KB

    MD5

    b91658597f15d7f689c86f5a2e7824bd

    SHA1

    00da609aa0b39140b767a3bc2644433d64edbd71

    SHA256

    b3cda6ab45ad5aa6a0a5f700d2c8987b3c1c1ebda63165d9bd5a566b24dcbd84

    SHA512

    00b287fb14b947edf4b16d52243e9a992595d8894e83d8590473103d1b54a4670b323db13c4f78234617c44f905baf517e68fcceaad313f3ea7cd44cf036daea

  • C:\Users\Admin\AppData\Local\Temp\is-PGV03.tmp\button.png

    Filesize

    12KB

    MD5

    51af4120d6d22b1126cc87a5143740ef

    SHA1

    1cb4e91e765537a72c9628056d29fbd6a7ce515c

    SHA256

    c74fed62141f7e666379a0b00d5b39c86975332cf08151cbe8cab88eff2c393c

    SHA512

    2595be954684ca34bc9284337524a5191c72fbea46b59555a5113ed8404a1e7ab6c2aa0f5a975f832cccdd8934ff1140c679ecd940f31cc14b4c3a362a225cbc

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5QPQH47Y9H010IALBYB1.temp

    Filesize

    7KB

    MD5

    7cdf2b4d34da66f84accdaf9ea2206f5

    SHA1

    3954f86215839bbaaeb9c8d7556e44aed994e095

    SHA256

    5e77849482aca207db335cfac9d0745ea9332e8d9ac0548d56010d28b310f809

    SHA512

    f2f58b1bd1fc9d3f93e5f765be391d6f1d9d44873ade8c7e9c72295eb23d7361aa19234e9b6ae79fcab54e8a62c09304d8c15f4d9e362ed8f63c1a7dd5e00b1b

  • \Users\Admin\AppData\Local\Temp\1.exe

    Filesize

    61KB

    MD5

    fc66a6c50b60c8452850844a795c943f

    SHA1

    5c071198335dd337c8540b32e8ba1e805101733d

    SHA256

    5391282e3e5fa8fb0c1ffd4eae7082c3dcf8d3c64e622856e9659d40af3ef089

    SHA512

    f07c20404cda4f2e6fa6a3a229e29c82b778b445e3cb5c40580d1b14ebcfc0c9a3bd65f684e1d087cc57740476c50e8fec85eb37b23224e0bd0eacef924ea491

  • \Users\Admin\AppData\Local\Temp\[FreeTP.Org]Pummel-Party-Multiplayer-Fix-Online-v8.exe

    Filesize

    1.2MB

    MD5

    7c9be3d33bf8913f16b8d1762b05bd96

    SHA1

    a5f652e382e326ba8bdecf736b727304910c31f3

    SHA256

    a2c287f865ded8ddd825301616575079ea22757b943dafccf1ff9dabf1e67e2a

    SHA512

    bdbafcf544fad69e377a47246d7ab988b24fb181812b3c24350c7fa0c81a355d59886dfd4ae0279e6cc0d84434aa399e7d8a8e7d2508606f0bfccada42befa49

  • \Users\Admin\AppData\Local\Temp\is-PGV03.tmp\_isetup\_shfoldr.dll

    Filesize

    22KB

    MD5

    92dc6ef532fbb4a5c3201469a5b5eb63

    SHA1

    3e89ff837147c16b4e41c30d6c796374e0b8e62c

    SHA256

    9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

    SHA512

    9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

  • \Users\Admin\AppData\Local\Temp\is-PGV03.tmp\botva2.dll

    Filesize

    32KB

    MD5

    295832fa6400cb3407cfe84b06785531

    SHA1

    7068910c2e0ea7f4535c770517e29d9c2d2ee77b

    SHA256

    13e372c4d843603096f33603915c3f25d0e0d4475001c33ce5263bfcd1760784

    SHA512

    50516f9761efd14641f65bd773cfdd50c4ab0de977e094ba9227796dc319d9330321c7914243fc7dc04b5716752395f8dac8ccdfdb98ba7e5f5c1172408ce57b

  • \Users\Admin\AppData\Local\Temp\is-PGV03.tmp\get_hw_caps.dll

    Filesize

    76KB

    MD5

    2e35d2894df3b691dbd8e0d4f4c84efc

    SHA1

    d0fc14963e397d185e9f2d7dea1d07bc6308d5b9

    SHA256

    869079ba362cbc560d673db290248ec2aa075a74f22a82d90621f1118f8e1c4d

    SHA512

    29ba662ab2e77aef0547ff76213a1b6ef52be27a446923790a27cf8b69377621048387dbb9f22001b6d15837dddada84c7350614ec9622258319658822705f90

  • \Users\Admin\AppData\Local\Temp\is-PGV03.tmp\innocallback.dll

    Filesize

    63KB

    MD5

    1c55ae5ef9980e3b1028447da6105c75

    SHA1

    f85218e10e6aa23b2f5a3ed512895b437e41b45c

    SHA256

    6afa2d104be6efe3d9a2ab96dbb75db31565dad64dd0b791e402ecc25529809f

    SHA512

    1ec4d52f49747b29cfd83e1a75fc6ae4101add68ada0b9add5770c10be6dffb004bb47d0854d50871ed8d77acf67d4e0445e97f0548a95c182e83b94ddf2eb6b

  • memory/2252-160-0x0000000000430000-0x0000000000438000-memory.dmp

    Filesize

    32KB

  • memory/2252-159-0x000000001B740000-0x000000001BA22000-memory.dmp

    Filesize

    2.9MB

  • memory/2780-64-0x0000000002340000-0x0000000002348000-memory.dmp

    Filesize

    32KB

  • memory/2780-63-0x000000001B600000-0x000000001B8E2000-memory.dmp

    Filesize

    2.9MB

  • memory/2796-120-0x0000000007BB0000-0x0000000007BC5000-memory.dmp

    Filesize

    84KB

  • memory/2796-186-0x0000000007BB0000-0x0000000007BC5000-memory.dmp

    Filesize

    84KB

  • memory/2796-80-0x0000000007340000-0x000000000734D000-memory.dmp

    Filesize

    52KB

  • memory/2796-185-0x0000000007340000-0x000000000734D000-memory.dmp

    Filesize

    52KB

  • memory/2796-173-0x0000000007BB0000-0x0000000007BC5000-memory.dmp

    Filesize

    84KB

  • memory/2796-172-0x0000000007340000-0x000000000734D000-memory.dmp

    Filesize

    52KB

  • memory/2796-171-0x0000000000400000-0x0000000000585000-memory.dmp

    Filesize

    1.5MB

  • memory/2936-54-0x000000001B4F0000-0x000000001B7D2000-memory.dmp

    Filesize

    2.9MB

  • memory/2936-55-0x0000000002340000-0x0000000002348000-memory.dmp

    Filesize

    32KB

  • memory/3016-199-0x0000000000F80000-0x0000000000F96000-memory.dmp

    Filesize

    88KB

  • memory/3032-225-0x0000000000200000-0x0000000000216000-memory.dmp

    Filesize

    88KB

  • memory/3040-30-0x000007FEF5E63000-0x000007FEF5E64000-memory.dmp

    Filesize

    4KB

  • memory/3040-178-0x000007FEF5E63000-0x000007FEF5E64000-memory.dmp

    Filesize

    4KB

  • memory/3040-34-0x0000000001350000-0x0000000001366000-memory.dmp

    Filesize

    88KB

  • memory/3064-170-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

  • memory/3064-31-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB