Analysis
max time kernel: 149s
max time network: 150s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 04/07/2024, 03:38
Static task: static1
Behavioral task: behavioral1
  Sample: 385a7a04b7316e5dc330425132f315f466d82e6ccd979edde469d6f61c9e0077.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 385a7a04b7316e5dc330425132f315f466d82e6ccd979edde469d6f61c9e0077.exe
  Resource: win10v2004-20240611-en
General
Target: 385a7a04b7316e5dc330425132f315f466d82e6ccd979edde469d6f61c9e0077.exe
Size: 1.5MB
MD5: fcb52672d473cf136f8bfa03d3e60aa0
SHA1: 8398a8fa2c8b909d49b9e3d19a6417d96a8bc2e6
SHA256: 385a7a04b7316e5dc330425132f315f466d82e6ccd979edde469d6f61c9e0077
SHA512: db161e6c1d8062eda2bac28844d097fb86697d9ecc0e811a70b3438537ff6ab9c07cb8a47085fb348e918a73be69c6eb3389049bce32c651d1ee6766a2e32273
SSDEEP: 24576:yFU+Ar0D+GNlhWwTzJEealEsmzbLaneJL09JI9FJavZBBVdB9+WxkePMKQ3pBXdn:Jp0yyWwPxpbouV/EPB58WCedQ5B2w6C5
Malware Config
Extracted family: xworm
C2: usr-internal.gl.at.ply.gg:36003
Install_directory: %ProgramData%
install_file: dllhost.exe
telegram: https://api.telegram.org/bot7268230993:AAH2vZGQkcYKKsL-PgJE8FiLxJ6qFOIFXxw/sendMessage?chat_id=7213459827
Signatures

Detect Xworm Payload (4 IoCs)
resource | yara_rule
behavioral1/files/0x000e00000001226b-5.dat | family_xworm
behavioral1/memory/3040-34-0x0000000001350000-0x0000000001366000-memory.dmp | family_xworm
behavioral1/memory/3016-199-0x0000000000F80000-0x0000000000F96000-memory.dmp | family_xworm
behavioral1/memory/3032-225-0x0000000000200000-0x0000000000216000-memory.dmp | family_xworm
Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes. In this run the four invocations add two -ExclusionPath entries (C:\Users\Admin\AppData\Local\Temp\1.exe and C:\ProgramData\dllhost.exe) and two -ExclusionProcess entries (1.exe and dllhost.exe); each is started with -ExecutionPolicy Bypass and holds SeDebugPrivilege (see the process tree).
pid | Process
2936 | powershell.exe
2780 | powershell.exe
2252 | powershell.exe
560 | powershell.exe
Drops startup file (2 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dllhost.lnk | 1.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dllhost.lnk | 1.exe
Executes dropped EXE (5 IoCs)
pid | Process
3040 | 1.exe
3064 | [FreeTP.Org]Pummel-Party-Multiplayer-Fix-Online-v8.exe
2796 | [FreeTP.Org]Pummel-Party-Multiplayer-Fix-Online-v8.tmp
3016 | dllhost.exe
3032 | dllhost.exe
Loads dropped DLL (14 IoCs)
pid | Process | loads
2848 | 385a7a04b7316e5dc330425132f315f466d82e6ccd979edde469d6f61c9e0077.exe | 8
3064 | [FreeTP.Org]Pummel-Party-Multiplayer-Fix-Online-v8.exe | 1
2796 | [FreeTP.Org]Pummel-Party-Multiplayer-Fix-Online-v8.tmp | 5
Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "C:\\ProgramData\\dllhost.exe" | 1.exe
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
4 | ip-api.com
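The extracted config above gives everything needed for network detection: the C2 host and port, the tunnel domain behind it, and the Telegram bot and chat the operator receives notifications on. The script below is an added example, not code from the tria.ge report or from XWorm. It derives those indicators from the config values copied from the Malware Config section and runs them over constructed flow records shaped like the IP-lookup entry above; the record layout (pid, ts, host, port), the 60-second correlation window and the IP-lookup hosts other than ip-api.com are assumptions.

```python
"""Turn the extracted XWorm configuration into network indicators and run
them over constructed connection records. Added example, not code from
tria.ge or from XWorm. The C2 and Telegram values are copied from the
report's Malware Config; the record layout and the IP-lookup host list
beyond ip-api.com are assumptions."""
import re
from urllib.parse import parse_qs, urlsplit

CONFIG = {
    "c2": "usr-internal.gl.at.ply.gg:36003",
    "telegram": "https://api.telegram.org/bot7268230993:AAH2vZGQkcYKKsL-PgJE8FiLxJ6qFOIFXxw/sendMessage?chat_id=7213459827",
}
# ip-api.com is the service the sample used; the others are assumed
# equivalents a detection should also cover.
IP_LOOKUP_HOSTS = {"ip-api.com", "api.ipify.org", "ifconfig.me", "icanhazip.com"}


def indicators(cfg):
    """Derive host/port/identity indicators from the config.
    A Telegram bot token is <bot user id>:<secret>; the id before the colon
    and the chat_id identify the operator's bot and channel and can be used
    to cluster samples without ever using the secret."""
    host, _, port = cfg["c2"].rpartition(":")
    u = urlsplit(cfg["telegram"])
    m = re.match(r"/bot(\d+):([A-Za-z0-9_-]+)/(\w+)$", u.path)
    return {
        "c2_host": host,
        "c2_port": int(port),
        # *.ply.gg names are issued by the playit.gg tunnel service, so the
        # operator's real endpoint sits behind the tunnel, not at this name.
        "tunnel_domain": ".".join(host.split(".")[-2:]),
        "telegram_host": u.hostname,
        "telegram_bot_id": int(m.group(1)),
        "telegram_method": m.group(3),
        "telegram_chat_id": parse_qs(u.query)["chat_id"][0],
    }


# Constructed flow records; PIDs follow the report's process tree (3040 is
# 1.exe, 3016 is the scheduled-task copy C:\ProgramData\dllhost.exe).
FLOWS = [
    {"pid": 3040, "ts": 10.0, "proto": "dns", "host": "ip-api.com", "port": 53},
    {"pid": 3040, "ts": 10.2, "proto": "tcp", "host": "ip-api.com", "port": 80},
    {"pid": 3040, "ts": 11.0, "proto": "tcp", "host": "usr-internal.gl.at.ply.gg", "port": 36003},
    {"pid": 2796, "ts": 20.0, "proto": "tcp", "host": "www.microsoft.com", "port": 443},  # benign control
    {"pid": 3016, "ts": 75.0, "proto": "tcp", "host": "api.telegram.org", "port": 443},
]


def scan(flows, ind, window=60.0):
    """Tag flows against the indicators. An external-IP lookup followed within
    `window` seconds by the C2 connection from the same PID is reported as one
    correlated finding, a common first-run pattern for RATs that report the
    victim's public IP to the operator."""
    findings, seen, last_lookup = [], set(), {}
    for f in sorted(flows, key=lambda x: x["ts"]):
        tag = None
        if f["host"] in IP_LOOKUP_HOSTS:
            last_lookup[f["pid"]] = f["ts"]
            tag, detail = "external_ip_lookup", f["host"]
        elif f["host"] == ind["c2_host"] and f["port"] == ind["c2_port"]:
            recent = f["ts"] - last_lookup.get(f["pid"], float("-inf")) <= window
            tag = "c2_connect_after_ip_lookup" if recent else "c2_connect"
            detail = "%s:%d" % (f["host"], f["port"])
        elif f["host"].endswith("." + ind["tunnel_domain"]):
            tag, detail = "tunnel_domain", f["host"]  # another playit.gg name: possibly rotated C2
        elif f["host"] == ind["telegram_host"]:
            tag, detail = "telegram_api", "bot id %d, chat_id %s" % (
                ind["telegram_bot_id"], ind["telegram_chat_id"])
        if tag and (tag, f["pid"], detail) not in seen:
            seen.add((tag, f["pid"], detail))
            findings.append((tag, f["pid"], detail))
    return findings


if __name__ == "__main__":
    for tag, pid, detail in scan(FLOWS, indicators(CONFIG)):
        print("%-28s pid=%-5d %s" % (tag, pid, detail))
```

Treat the token secret as an attacker credential: it is evidence for attribution and clustering, not something to call the Telegram API with. Blocking only usr-internal.gl.at.ply.gg is weak, since playit.gg names are cheap to rotate; the tunnel_domain tag is there so that any other *.ply.gg connection from an unexpected process is surfaced too.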
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 5 IoCs)
Processor information is often read in order to detect sandboxing environments. Here the reads come from the Inno Setup installer stage (the .tmp extracted under is-54SFT.tmp and launched with /SL5=), which queries CPU details as part of normal setup, so this hit is an installer artifact rather than evidence of evasion by the XWorm payload itself.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | [FreeTP.Org]Pummel-Party-Multiplayer-Fix-Online-v8.tmp
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | [FreeTP.Org]Pummel-Party-Multiplayer-Fix-Online-v8.tmp
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | [FreeTP.Org]Pummel-Party-Multiplayer-Fix-Online-v8.tmp
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor | [FreeTP.Org]Pummel-Party-Multiplayer-Fix-Online-v8.tmp
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | [FreeTP.Org]Pummel-Party-Multiplayer-Fix-Online-v8.tmp
Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution. Here the task "dllhost" re-launches C:\ProgramData\dllhost.exe every minute with /RL HIGHEST (see the process tree), which is why the payload reappears under taskeng.exe with fresh PIDs.
pid | Process
1856 | schtasks.exe
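The PowerShell, Startup-folder, Run-key and schtasks entries above are the four host-side behaviours worth alerting on. The script below is an added example, not code from the tria.ge report or from XWorm: it encodes those four checks and runs them over constructed event records whose command lines are copied from the process tree. The field names follow Sysmon event types 1 (process create), 11 (file create) and 13 (registry set), but the records themselves, the benign control entries and the "two of three traits" threshold for schtasks are assumptions.

```python
"""Detection logic for the behaviour recorded in the signatures above:
PowerShell Add-MpPreference exclusions, the Startup-folder .lnk, the HKCU
Run key and the every-minute schtasks entry. Added example, not code from
tria.ge or from the XWorm sample. The events are constructed to mirror the
report's process tree; field names follow Sysmon but the records are an
assumption, not an export from the sandbox."""
import re
import shlex

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SCHTASKS = r"C:\Windows\System32\schtasks.exe"
STAGE1 = r"C:\Users\Admin\AppData\Local\Temp\1.exe"
SID = "S-1-5-21-268080393-3149932598-1824759070-1000"

# Constructed events. Command lines are copied from the report; the last two
# records are benign controls that must not fire.
EVENTS = [
    {"EventID": 1, "ProcessId": 2936, "Image": PS, "ParentImage": STAGE1,
     "CommandLine": '"' + PS + "\" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath '" + STAGE1 + "'"},
    {"EventID": 1, "ProcessId": 560, "Image": PS, "ParentImage": STAGE1,
     "CommandLine": '"' + PS + "\" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'dllhost.exe'"},
    {"EventID": 11, "ProcessId": 3040, "Image": STAGE1,
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dllhost.lnk"},
    {"EventID": 13, "ProcessId": 3040, "Image": STAGE1,
     "TargetObject": "HKU\\" + SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\dllhost",
     "Details": r"C:\ProgramData\dllhost.exe"},
    {"EventID": 1, "ProcessId": 1856, "Image": SCHTASKS, "ParentImage": STAGE1,
     "CommandLine": '"' + SCHTASKS + '" /create /f /RL HIGHEST /sc minute /mo 1 /tn "dllhost" /tr "C:\\ProgramData\\dllhost.exe"'},
    {"EventID": 1, "ProcessId": 4100, "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": '"' + PS + '" Get-MpPreference'},
    {"EventID": 1, "ProcessId": 4101, "Image": SCHTASKS, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": '"' + SCHTASKS + '" /create /sc daily /tn "Backup" /tr "C:\\Program Files\\Vendor\\backup.exe"'},
]

# Locations a standard user can write to; an autorun or task pointing there
# is a much stronger signal than one pointing into Program Files or System32.
USER_WRITABLE = re.compile(r"\\(AppData\\(Local\\Temp|Roaming)|ProgramData|Users\\Public)\\", re.I)
EXCLUSION = re.compile(r"\bAdd-MpPreference\b.*?-Exclusion(Path|Process|Extension)\b", re.I | re.S)
STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.I)


def schtasks_options(cmdline):
    """Map schtasks switches to values, e.g. {"create": True, "sc": "minute", "mo": "1"}.
    Non-POSIX shlex keeps Windows quoting and does not treat backslashes as escapes."""
    toks = shlex.split(cmdline, posix=False)[1:]
    opts, i = {}, 0
    while i < len(toks):
        if toks[i].startswith("/"):
            key = toks[i][1:].lower()
            if i + 1 < len(toks) and not toks[i + 1].startswith("/"):
                opts[key] = toks[i + 1].strip('"')
                i += 2
                continue
            opts[key] = True
        i += 1
    return opts


def check_event(ev):
    """Return (rule, pid, detail) when an event matches one of the four behaviours, else None."""
    eid, image = ev["EventID"], ev.get("Image", "").lower()
    if eid == 1 and image.endswith("powershell.exe"):
        m = EXCLUSION.search(ev["CommandLine"])
        if m:
            return ("defender_exclusion", ev["ProcessId"],
                    "-Exclusion%s added by child of %s" % (m.group(1), ev["ParentImage"]))
    if eid == 1 and image.endswith("schtasks.exe"):
        o = schtasks_options(ev["CommandLine"])
        mo = str(o.get("mo", "1"))
        reasons = []
        if str(o.get("sc", "")).lower() == "minute" and mo.isdigit() and int(mo) <= 5:
            reasons.append("re-runs every %s minute(s)" % mo)
        if str(o.get("rl", "")).upper() == "HIGHEST":
            reasons.append("runs with highest privileges")
        if USER_WRITABLE.search(str(o.get("tr", ""))):
            reasons.append("target in user-writable path")
        if "create" in o and len(reasons) >= 2:  # any one trait alone is common in legitimate tasks
            return ("schtasks_persistence", ev["ProcessId"], "; ".join(reasons))
    if eid == 11 and STARTUP_LNK.search(ev["TargetFilename"]):
        return ("startup_folder_lnk", ev["ProcessId"], ev["TargetFilename"])
    if eid == 13 and RUN_KEY.search(ev["TargetObject"]) and USER_WRITABLE.search(ev["Details"]):
        return ("run_key_persistence", ev["ProcessId"], ev["TargetObject"] + " = " + ev["Details"])
    return None


def scan(events):
    """Run check_event over an event stream and keep the hits, in event order."""
    return [f for f in (check_event(e) for e in events) if f]


if __name__ == "__main__":
    for rule, pid, detail in scan(EVENTS):
        print("%-22s pid=%-5d %s" % (rule, pid, detail))
```

The Defender-exclusion rule deliberately keys on the cmdlet and parameter rather than on -ExecutionPolicy Bypass, which legitimate scripts use constantly; the parent image is carried into the finding because a powershell.exe child of a binary in %TEMP% is the part an analyst triages first. On a live host the same checks correspond to Get-MpPreference (ExclusionPath/ExclusionProcess), the user's Startup folder, HKCU\...\CurrentVersion\Run and Get-ScheduledTask, and all four need to be cleaned together or the one-minute task simply restores the rest.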
Suspicious behavior: EnumeratesProcesses (5 IoCs)
pid | Process
2936 | powershell.exe
2780 | powershell.exe
2252 | powershell.exe
560 | powershell.exe
3040 | 1.exe
Suspicious use of AdjustPrivilegeToken (8 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3040 | 1.exe
Token: SeDebugPrivilege | 2936 | powershell.exe
Token: SeDebugPrivilege | 2780 | powershell.exe
Token: SeDebugPrivilege | 2252 | powershell.exe
Token: SeDebugPrivilege | 560 | powershell.exe
Token: SeDebugPrivilege | 3040 | 1.exe
Token: SeDebugPrivilege | 3016 | dllhost.exe
Token: SeDebugPrivilege | 3032 | dllhost.exe
Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
3040 | 1.exe
Suspicious use of WriteProcessMemory (36 IoCs, grouped by parent/child pair)
pid | Process | wrote to PID | procid_target | count
2848 | 385a7a04b7316e5dc330425132f315f466d82e6ccd979edde469d6f61c9e0077.exe | 3040 | 28 | 4
2848 | 385a7a04b7316e5dc330425132f315f466d82e6ccd979edde469d6f61c9e0077.exe | 3064 | 29 | 4
3064 | [FreeTP.Org]Pummel-Party-Multiplayer-Fix-Online-v8.exe | 2796 | 30 | 7
3040 | 1.exe | 2936 | 32 | 3
3040 | 1.exe | 2780 | 34 | 3
3040 | 1.exe | 2252 | 36 | 3
3040 | 1.exe | 560 | 38 | 3
3040 | 1.exe | 1856 | 40 | 3
1580 | taskeng.exe | 3016 | 45 | 3
1580 | taskeng.exe | 3032 | 46 | 3
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
1.exe (PID 3040) and its installed copy C:\ProgramData\dllhost.exe are the XWorm payload (the family_xworm YARA hits above are on their memory); the [FreeTP.Org] installer is an Inno Setup package the sample runs alongside it. The two dllhost.exe launches under taskeng.exe are the "dllhost" scheduled task firing.

C:\Users\Admin\AppData\Local\Temp\385a7a04b7316e5dc330425132f315f466d82e6ccd979edde469d6f61c9e0077.exe (PID 2848)
  command line: "C:\Users\Admin\AppData\Local\Temp\385a7a04b7316e5dc330425132f315f466d82e6ccd979edde469d6f61c9e0077.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\1.exe (PID 3040)
    command line: "C:\Users\Admin\AppData\Local\Temp\1.exe"
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2936)
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2780)
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '1.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2252)
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\dllhost.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 560)
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'dllhost.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\schtasks.exe (PID 1856)
      command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "dllhost" /tr "C:\ProgramData\dllhost.exe"
      - Scheduled Task/Job: Scheduled Task
  C:\Users\Admin\AppData\Local\Temp\[FreeTP.Org]Pummel-Party-Multiplayer-Fix-Online-v8.exe (PID 3064)
    command line: "C:\Users\Admin\AppData\Local\Temp\[FreeTP.Org]Pummel-Party-Multiplayer-Fix-Online-v8.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\is-54SFT.tmp\[FreeTP.Org]Pummel-Party-Multiplayer-Fix-Online-v8.tmp (PID 2796)
      command line: "C:\Users\Admin\AppData\Local\Temp\is-54SFT.tmp\[FreeTP.Org]Pummel-Party-Multiplayer-Fix-Online-v8.tmp" /SL5="$500F4,739062,190976,C:\Users\Admin\AppData\Local\Temp\[FreeTP.Org]Pummel-Party-Multiplayer-Fix-Online-v8.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Checks processor information in registry

C:\Windows\system32\taskeng.exe (PID 1580)
  command line: taskeng.exe {A1895B0E-E9AC-4B40-956C-AA77E2BBB663} S-1-5-21-268080393-3149932598-1824759070-1000:UHRQKJCP\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  C:\ProgramData\dllhost.exe (PID 3016)
    command line: C:\ProgramData\dllhost.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  C:\ProgramData\dllhost.exe (PID 3032)
    command line: C:\ProgramData\dllhost.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Execution
  Command and Scripting Interpreter (1): PowerShell (1)
  Scheduled Task/Job (1): Scheduled Task (1)
Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1): Scheduled Task (1)
Downloads

C:\Users\Admin\AppData\Local\Temp\is-54SFT.tmp\[FreeTP.Org]Pummel-Party-Multiplayer-Fix-Online-v8.tmp
  Filesize: 1.5MB
  MD5: 5380849aba66bec4970ee80e31c7ae49
  SHA1: 88dbeaf07f97a6159bf28bb8bb7fc9365e8a2b05
  SHA256: c0bf62c200297b1de58ebc284176121e94097dddf81ce5a860831d786c830d19
  SHA512: 4e49ccad558b24772f7e781eefe4a212d23a4dfe814f8f80efab7ab9b99bf1df1c6ac8db53a89a04e7246d7cf96bf229652550099a68a74202a31451271ded4c

File (path not shown in report)
  Filesize: 7KB
  MD5: abd301b0263b0e0cebdd71e4855ac7d3
  SHA1: 1e8480c3f3b47a5daa7cb1183b6a7a49998cda6e
  SHA256: aff003e75bbf410ed2f7ca8728afe01ab4a517536647ad20109d00c4adf570d5
  SHA512: b5abb188bd23d7fc2e3253a5639cc3eba6d21774dba55b43395cf84ddb49fe707ad54dc0a7f157e6b0804c1662d9c4cb4bef2787aafb194ea73fbebd1a63bb6b

File (path not shown in report)
  Filesize: 62KB
  MD5: b91658597f15d7f689c86f5a2e7824bd
  SHA1: 00da609aa0b39140b767a3bc2644433d64edbd71
  SHA256: b3cda6ab45ad5aa6a0a5f700d2c8987b3c1c1ebda63165d9bd5a566b24dcbd84
  SHA512: 00b287fb14b947edf4b16d52243e9a992595d8894e83d8590473103d1b54a4670b323db13c4f78234617c44f905baf517e68fcceaad313f3ea7cd44cf036daea

File (path not shown in report)
  Filesize: 12KB
  MD5: 51af4120d6d22b1126cc87a5143740ef
  SHA1: 1cb4e91e765537a72c9628056d29fbd6a7ce515c
  SHA256: c74fed62141f7e666379a0b00d5b39c86975332cf08151cbe8cab88eff2c393c
  SHA512: 2595be954684ca34bc9284337524a5191c72fbea46b59555a5113ed8404a1e7ab6c2aa0f5a975f832cccdd8934ff1140c679ecd940f31cc14b4c3a362a225cbc

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5QPQH47Y9H010IALBYB1.temp
  Filesize: 7KB
  MD5: 7cdf2b4d34da66f84accdaf9ea2206f5
  SHA1: 3954f86215839bbaaeb9c8d7556e44aed994e095
  SHA256: 5e77849482aca207db335cfac9d0745ea9332e8d9ac0548d56010d28b310f809
  SHA512: f2f58b1bd1fc9d3f93e5f765be391d6f1d9d44873ade8c7e9c72295eb23d7361aa19234e9b6ae79fcab54e8a62c09304d8c15f4d9e362ed8f63c1a7dd5e00b1b

File (path not shown in report)
  Filesize: 61KB
  MD5: fc66a6c50b60c8452850844a795c943f
  SHA1: 5c071198335dd337c8540b32e8ba1e805101733d
  SHA256: 5391282e3e5fa8fb0c1ffd4eae7082c3dcf8d3c64e622856e9659d40af3ef089
  SHA512: f07c20404cda4f2e6fa6a3a229e29c82b778b445e3cb5c40580d1b14ebcfc0c9a3bd65f684e1d087cc57740476c50e8fec85eb37b23224e0bd0eacef924ea491

File (path not shown in report)
  Filesize: 1.2MB
  MD5: 7c9be3d33bf8913f16b8d1762b05bd96
  SHA1: a5f652e382e326ba8bdecf736b727304910c31f3
  SHA256: a2c287f865ded8ddd825301616575079ea22757b943dafccf1ff9dabf1e67e2a
  SHA512: bdbafcf544fad69e377a47246d7ab988b24fb181812b3c24350c7fa0c81a355d59886dfd4ae0279e6cc0d84434aa399e7d8a8e7d2508606f0bfccada42befa49

File (path not shown in report)
  Filesize: 22KB
  MD5: 92dc6ef532fbb4a5c3201469a5b5eb63
  SHA1: 3e89ff837147c16b4e41c30d6c796374e0b8e62c
  SHA256: 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
  SHA512: 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

File (path not shown in report)
  Filesize: 32KB
  MD5: 295832fa6400cb3407cfe84b06785531
  SHA1: 7068910c2e0ea7f4535c770517e29d9c2d2ee77b
  SHA256: 13e372c4d843603096f33603915c3f25d0e0d4475001c33ce5263bfcd1760784
  SHA512: 50516f9761efd14641f65bd773cfdd50c4ab0de977e094ba9227796dc319d9330321c7914243fc7dc04b5716752395f8dac8ccdfdb98ba7e5f5c1172408ce57b

File (path not shown in report)
  Filesize: 76KB
  MD5: 2e35d2894df3b691dbd8e0d4f4c84efc
  SHA1: d0fc14963e397d185e9f2d7dea1d07bc6308d5b9
  SHA256: 869079ba362cbc560d673db290248ec2aa075a74f22a82d90621f1118f8e1c4d
  SHA512: 29ba662ab2e77aef0547ff76213a1b6ef52be27a446923790a27cf8b69377621048387dbb9f22001b6d15837dddada84c7350614ec9622258319658822705f90

File (path not shown in report)
  Filesize: 63KB
  MD5: 1c55ae5ef9980e3b1028447da6105c75
  SHA1: f85218e10e6aa23b2f5a3ed512895b437e41b45c
  SHA256: 6afa2d104be6efe3d9a2ab96dbb75db31565dad64dd0b791e402ecc25529809f
  SHA512: 1ec4d52f49747b29cfd83e1a75fc6ae4101add68ada0b9add5770c10be6dffb004bb47d0854d50871ed8d77acf67d4e0445e97f0548a95c182e83b94ddf2eb6b