Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/07/2024, 03:38

General

  • Target

    385a7a04b7316e5dc330425132f315f466d82e6ccd979edde469d6f61c9e0077.exe

  • Size

    1.5MB

  • MD5

    fcb52672d473cf136f8bfa03d3e60aa0

  • SHA1

    8398a8fa2c8b909d49b9e3d19a6417d96a8bc2e6

  • SHA256

    385a7a04b7316e5dc330425132f315f466d82e6ccd979edde469d6f61c9e0077

  • SHA512

    db161e6c1d8062eda2bac28844d097fb86697d9ecc0e811a70b3438537ff6ab9c07cb8a47085fb348e918a73be69c6eb3389049bce32c651d1ee6766a2e32273

  • SSDEEP

    24576:yFU+Ar0D+GNlhWwTzJEealEsmzbLaneJL09JI9FJavZBBVdB9+WxkePMKQ3pBXdn:Jp0yyWwPxpbouV/EPB58WCedQ5B2w6C5

Malware Config

Extracted

Family

xworm

C2

usr-internal.gl.at.ply.gg:36003

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    dllhost.exe

  • telegram

    https://api.telegram.org/bot7268230993:AAH2vZGQkcYKKsL-PgJE8FiLxJ6qFOIFXxw/sendMessage?chat_id=7213459827

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\385a7a04b7316e5dc330425132f315f466d82e6ccd979edde469d6f61c9e0077.exe
    "C:\Users\Admin\AppData\Local\Temp\385a7a04b7316e5dc330425132f315f466d82e6ccd979edde469d6f61c9e0077.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2248
    • C:\Users\Admin\AppData\Local\Temp\1.exe
      "C:\Users\Admin\AppData\Local\Temp\1.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4764
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4444
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '1.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4304
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\dllhost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2952
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'dllhost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2996
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "dllhost" /tr "C:\ProgramData\dllhost.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:4844
    • C:\Users\Admin\AppData\Local\Temp\[FreeTP.Org]Pummel-Party-Multiplayer-Fix-Online-v8.exe
      "C:\Users\Admin\AppData\Local\Temp\[FreeTP.Org]Pummel-Party-Multiplayer-Fix-Online-v8.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:656
      • C:\Users\Admin\AppData\Local\Temp\is-8B8E9.tmp\[FreeTP.Org]Pummel-Party-Multiplayer-Fix-Online-v8.tmp
        "C:\Users\Admin\AppData\Local\Temp\is-8B8E9.tmp\[FreeTP.Org]Pummel-Party-Multiplayer-Fix-Online-v8.tmp" /SL5="$B0042,739062,190976,C:\Users\Admin\AppData\Local\Temp\[FreeTP.Org]Pummel-Party-Multiplayer-Fix-Online-v8.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks processor information in registry
        • Suspicious use of SetWindowsHookEx
        PID:4252
  • C:\ProgramData\dllhost.exe
    C:\ProgramData\dllhost.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3504
  • C:\ProgramData\dllhost.exe
    C:\ProgramData\dllhost.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1244

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dllhost.exe.log

    Filesize

    654B

    MD5

    2ff39f6c7249774be85fd60a8f9a245e

    SHA1

    684ff36b31aedc1e587c8496c02722c6698c1c4e

    SHA256

    e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

    SHA512

    1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

    Filesize

    2KB

    MD5

    d85ba6ff808d9e5444a4b369f5bc2730

    SHA1

    31aa9d96590fff6981b315e0b391b575e4c0804a

    SHA256

    84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

    SHA512

    8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    944B

    MD5

    731e9e4becec0b1ef9caad4b3562d4b4

    SHA1

    6dffb77aba4e92ad5bd4b7c02fdee6f328bcd457

    SHA256

    71c7eca538938fa4d5b470fee41cfe43734e9beb9ae409d5b41111fa1a15c2d5

    SHA512

    841cf559ae5b0feec4be43018717641399b3602a553112e98b07d498f1a44169924466abc7e2313b8e8cf1c0fdc1bb7635e2818aab8269b0ef349a0ba0cd6ae5

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    944B

    MD5

    ce4540390cc4841c8973eb5a3e9f4f7d

    SHA1

    2293f30a6f4c9538bc5b06606c10a50ab4ecef8e

    SHA256

    e834e1da338b9644d538cefd70176768816da2556939c1255d386931bd085105

    SHA512

    2a3e466cb5a81d2b65256053b768a98321eb3e65ff46353eefc9864f14a391748116f050e7482ddd73a51575bf0a6fc5c673023dade62dbd8b174442bae1cc6b

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    944B

    MD5

    b4b6d4cc52b5a3a71149b1f33d94d5de

    SHA1

    97d3dbdd24919eab70e3b14c68797cefc07e90dd

    SHA256

    da8c02ce00d5b1e6d4c3667465c7bbc14d7cd5227eb634f3d9690afd488267fe

    SHA512

    fc894f03709b83df7d2fca2779e1e60549078b67bcdbff0b61c8e5a802982210ae971309c1f92577573299288963ab5c95c6b38cbaedf53dc6062812c57a97af

  • C:\Users\Admin\AppData\Local\Temp\1.exe

    Filesize

    61KB

    MD5

    fc66a6c50b60c8452850844a795c943f

    SHA1

    5c071198335dd337c8540b32e8ba1e805101733d

    SHA256

    5391282e3e5fa8fb0c1ffd4eae7082c3dcf8d3c64e622856e9659d40af3ef089

    SHA512

    f07c20404cda4f2e6fa6a3a229e29c82b778b445e3cb5c40580d1b14ebcfc0c9a3bd65f684e1d087cc57740476c50e8fec85eb37b23224e0bd0eacef924ea491

  • C:\Users\Admin\AppData\Local\Temp\[FreeTP.Org]Pummel-Party-Multiplayer-Fix-Online-v8.exe

    Filesize

    1.2MB

    MD5

    7c9be3d33bf8913f16b8d1762b05bd96

    SHA1

    a5f652e382e326ba8bdecf736b727304910c31f3

    SHA256

    a2c287f865ded8ddd825301616575079ea22757b943dafccf1ff9dabf1e67e2a

    SHA512

    bdbafcf544fad69e377a47246d7ab988b24fb181812b3c24350c7fa0c81a355d59886dfd4ae0279e6cc0d84434aa399e7d8a8e7d2508606f0bfccada42befa49

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hw3xebxh.3lw.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Local\Temp\is-8B8E9.tmp\[FreeTP.Org]Pummel-Party-Multiplayer-Fix-Online-v8.tmp

    Filesize

    1.5MB

    MD5

    5380849aba66bec4970ee80e31c7ae49

    SHA1

    88dbeaf07f97a6159bf28bb8bb7fc9365e8a2b05

    SHA256

    c0bf62c200297b1de58ebc284176121e94097dddf81ce5a860831d786c830d19

    SHA512

    4e49ccad558b24772f7e781eefe4a212d23a4dfe814f8f80efab7ab9b99bf1df1c6ac8db53a89a04e7246d7cf96bf229652550099a68a74202a31451271ded4c

  • C:\Users\Admin\AppData\Local\Temp\is-8D2QE.tmp\CheckBox.png

    Filesize

    7KB

    MD5

    abd301b0263b0e0cebdd71e4855ac7d3

    SHA1

    1e8480c3f3b47a5daa7cb1183b6a7a49998cda6e

    SHA256

    aff003e75bbf410ed2f7ca8728afe01ab4a517536647ad20109d00c4adf570d5

    SHA512

    b5abb188bd23d7fc2e3253a5639cc3eba6d21774dba55b43395cf84ddb49fe707ad54dc0a7f157e6b0804c1662d9c4cb4bef2787aafb194ea73fbebd1a63bb6b

  • C:\Users\Admin\AppData\Local\Temp\is-8D2QE.tmp\WizardImage.jpg

    Filesize

    62KB

    MD5

    b91658597f15d7f689c86f5a2e7824bd

    SHA1

    00da609aa0b39140b767a3bc2644433d64edbd71

    SHA256

    b3cda6ab45ad5aa6a0a5f700d2c8987b3c1c1ebda63165d9bd5a566b24dcbd84

    SHA512

    00b287fb14b947edf4b16d52243e9a992595d8894e83d8590473103d1b54a4670b323db13c4f78234617c44f905baf517e68fcceaad313f3ea7cd44cf036daea

  • C:\Users\Admin\AppData\Local\Temp\is-8D2QE.tmp\botva2.dll

    Filesize

    32KB

    MD5

    295832fa6400cb3407cfe84b06785531

    SHA1

    7068910c2e0ea7f4535c770517e29d9c2d2ee77b

    SHA256

    13e372c4d843603096f33603915c3f25d0e0d4475001c33ce5263bfcd1760784

    SHA512

    50516f9761efd14641f65bd773cfdd50c4ab0de977e094ba9227796dc319d9330321c7914243fc7dc04b5716752395f8dac8ccdfdb98ba7e5f5c1172408ce57b

  • C:\Users\Admin\AppData\Local\Temp\is-8D2QE.tmp\button.png

    Filesize

    12KB

    MD5

    51af4120d6d22b1126cc87a5143740ef

    SHA1

    1cb4e91e765537a72c9628056d29fbd6a7ce515c

    SHA256

    c74fed62141f7e666379a0b00d5b39c86975332cf08151cbe8cab88eff2c393c

    SHA512

    2595be954684ca34bc9284337524a5191c72fbea46b59555a5113ed8404a1e7ab6c2aa0f5a975f832cccdd8934ff1140c679ecd940f31cc14b4c3a362a225cbc

  • C:\Users\Admin\AppData\Local\Temp\is-8D2QE.tmp\get_hw_caps.dll

    Filesize

    76KB

    MD5

    2e35d2894df3b691dbd8e0d4f4c84efc

    SHA1

    d0fc14963e397d185e9f2d7dea1d07bc6308d5b9

    SHA256

    869079ba362cbc560d673db290248ec2aa075a74f22a82d90621f1118f8e1c4d

    SHA512

    29ba662ab2e77aef0547ff76213a1b6ef52be27a446923790a27cf8b69377621048387dbb9f22001b6d15837dddada84c7350614ec9622258319658822705f90

  • C:\Users\Admin\AppData\Local\Temp\is-8D2QE.tmp\innocallback.dll

    Filesize

    63KB

    MD5

    1c55ae5ef9980e3b1028447da6105c75

    SHA1

    f85218e10e6aa23b2f5a3ed512895b437e41b45c

    SHA256

    6afa2d104be6efe3d9a2ab96dbb75db31565dad64dd0b791e402ecc25529809f

    SHA512

    1ec4d52f49747b29cfd83e1a75fc6ae4101add68ada0b9add5770c10be6dffb004bb47d0854d50871ed8d77acf67d4e0445e97f0548a95c182e83b94ddf2eb6b

  • memory/656-189-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

  • memory/656-28-0x0000000000401000-0x0000000000417000-memory.dmp

    Filesize

    88KB

  • memory/656-26-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

  • memory/4252-151-0x0000000005E80000-0x0000000005E95000-memory.dmp

    Filesize

    84KB

  • memory/4252-108-0x00000000035C0000-0x00000000035CD000-memory.dmp

    Filesize

    52KB

  • memory/4252-191-0x00000000035C0000-0x00000000035CD000-memory.dmp

    Filesize

    52KB

  • memory/4252-192-0x0000000005E80000-0x0000000005E95000-memory.dmp

    Filesize

    84KB

  • memory/4252-190-0x0000000000400000-0x0000000000585000-memory.dmp

    Filesize

    1.5MB

  • memory/4252-201-0x00000000035C0000-0x00000000035CD000-memory.dmp

    Filesize

    52KB

  • memory/4252-202-0x0000000005E80000-0x0000000005E95000-memory.dmp

    Filesize

    84KB

  • memory/4444-52-0x00000232B3EB0000-0x00000232B3ED2000-memory.dmp

    Filesize

    136KB

  • memory/4764-22-0x0000000000560000-0x0000000000576000-memory.dmp

    Filesize

    88KB

  • memory/4764-42-0x000000001B410000-0x000000001B420000-memory.dmp

    Filesize

    64KB

  • memory/4764-193-0x00007FF85B2C3000-0x00007FF85B2C5000-memory.dmp

    Filesize

    8KB

  • memory/4764-198-0x000000001B410000-0x000000001B420000-memory.dmp

    Filesize

    64KB

  • memory/4764-21-0x00007FF85B2C3000-0x00007FF85B2C5000-memory.dmp

    Filesize

    8KB