Analysis
- max time kernel: 148s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04/07/2024, 03:38
Static task: static1

Behavioral task: behavioral1
- Sample: 385a7a04b7316e5dc330425132f315f466d82e6ccd979edde469d6f61c9e0077.exe
- Resource: win7-20240508-en

Behavioral task: behavioral2
- Sample: 385a7a04b7316e5dc330425132f315f466d82e6ccd979edde469d6f61c9e0077.exe
- Resource: win10v2004-20240611-en
General
- Target: 385a7a04b7316e5dc330425132f315f466d82e6ccd979edde469d6f61c9e0077.exe
- Size: 1.5MB
- MD5: fcb52672d473cf136f8bfa03d3e60aa0
- SHA1: 8398a8fa2c8b909d49b9e3d19a6417d96a8bc2e6
- SHA256: 385a7a04b7316e5dc330425132f315f466d82e6ccd979edde469d6f61c9e0077
- SHA512: db161e6c1d8062eda2bac28844d097fb86697d9ecc0e811a70b3438537ff6ab9c07cb8a47085fb348e918a73be69c6eb3389049bce32c651d1ee6766a2e32273
- SSDEEP: 24576:yFU+Ar0D+GNlhWwTzJEealEsmzbLaneJL09JI9FJavZBBVdB9+WxkePMKQ3pBXdn:Jp0yyWwPxpbouV/EPB58WCedQ5B2w6C5
Malware Config
Extracted (xworm)
- usr-internal.gl.at.ply.gg:36003
- Install_directory: %ProgramData%
- install_file: dllhost.exe
- telegram: https://api.telegram.org/bot7268230993:AAH2vZGQkcYKKsL-PgJE8FiLxJ6qFOIFXxw/sendMessage?chat_id=7213459827
Signatures

Detect Xworm Payload (2 IoCs)
  resource | yara_rule
  - behavioral2/files/0x000a000000023461-6.dat | family_xworm
  - behavioral2/memory/4764-22-0x0000000000560000-0x0000000000576000-memory.dmp | family_xworm

Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid | Process
  - 4444 | powershell.exe
  - 4304 | powershell.exe
  - 2952 | powershell.exe
  - 2996 | powershell.exe

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  - Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | 385a7a04b7316e5dc330425132f315f466d82e6ccd979edde469d6f61c9e0077.exe
  - Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | 1.exe

Drops startup file (2 IoCs)
  description | ioc | Process
  - File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dllhost.lnk | 1.exe
  - File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dllhost.lnk | 1.exe

Executes dropped EXE (5 IoCs)
  pid | Process
  - 4764 | 1.exe
  - 656 | [FreeTP.Org]Pummel-Party-Multiplayer-Fix-Online-v8.exe
  - 4252 | [FreeTP.Org]Pummel-Party-Multiplayer-Fix-Online-v8.tmp
  - 3504 | dllhost.exe
  - 1244 | dllhost.exe

Loads dropped DLL (5 IoCs)
  pid | Process
  - 4252 | [FreeTP.Org]Pummel-Party-Multiplayer-Fix-Online-v8.tmp (5 entries)

Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  - Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "C:\\ProgramData\\dllhost.exe" | 1.exe

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  - 22 | ip-api.com

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 5 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  - Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor | [FreeTP.Org]Pummel-Party-Multiplayer-Fix-Online-v8.tmp
  - Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | [FreeTP.Org]Pummel-Party-Multiplayer-Fix-Online-v8.tmp
  - Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | [FreeTP.Org]Pummel-Party-Multiplayer-Fix-Online-v8.tmp
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | [FreeTP.Org]Pummel-Party-Multiplayer-Fix-Online-v8.tmp
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | [FreeTP.Org]Pummel-Party-Multiplayer-Fix-Online-v8.tmp

Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  - 4844 | schtasks.exe

Suspicious behavior: EnumeratesProcesses (13 IoCs)
  pid | Process
  - 4444 | powershell.exe (3 entries)
  - 4304 | powershell.exe (3 entries)
  - 2952 | powershell.exe (3 entries)
  - 2996 | powershell.exe (3 entries)
  - 4764 | 1.exe

Suspicious use of AdjustPrivilegeToken (8 IoCs)
  description | pid | Process
  - Token: SeDebugPrivilege | 4764 | 1.exe
  - Token: SeDebugPrivilege | 4444 | powershell.exe
  - Token: SeDebugPrivilege | 4304 | powershell.exe
  - Token: SeDebugPrivilege | 2952 | powershell.exe
  - Token: SeDebugPrivilege | 2996 | powershell.exe
  - Token: SeDebugPrivilege | 4764 | 1.exe
  - Token: SeDebugPrivilege | 3504 | dllhost.exe
  - Token: SeDebugPrivilege | 1244 | dllhost.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
  pid | Process
  - 656 | [FreeTP.Org]Pummel-Party-Multiplayer-Fix-Online-v8.exe
  - 4252 | [FreeTP.Org]Pummel-Party-Multiplayer-Fix-Online-v8.tmp
  - 4764 | 1.exe

Suspicious use of WriteProcessMemory (18 IoCs)
  description | pid | Process | procid_target
  - PID 2248 wrote to memory of 4764 | 2248 | 385a7a04b7316e5dc330425132f315f466d82e6ccd979edde469d6f61c9e0077.exe | 83 (2 entries)
  - PID 2248 wrote to memory of 656 | 2248 | 385a7a04b7316e5dc330425132f315f466d82e6ccd979edde469d6f61c9e0077.exe | 85 (3 entries)
  - PID 656 wrote to memory of 4252 | 656 | [FreeTP.Org]Pummel-Party-Multiplayer-Fix-Online-v8.exe | 86 (3 entries)
  - PID 4764 wrote to memory of 4444 | 4764 | 1.exe | 95 (2 entries)
  - PID 4764 wrote to memory of 4304 | 4764 | 1.exe | 97 (2 entries)
  - PID 4764 wrote to memory of 2952 | 4764 | 1.exe | 99 (2 entries)
  - PID 4764 wrote to memory of 2996 | 4764 | 1.exe | 101 (2 entries)
  - PID 4764 wrote to memory of 4844 | 4764 | 1.exe | 104 (2 entries)

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(indentation shows the parent/child depth reported by the sandbox)

C:\Users\Admin\AppData\Local\Temp\385a7a04b7316e5dc330425132f315f466d82e6ccd979edde469d6f61c9e0077.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\385a7a04b7316e5dc330425132f315f466d82e6ccd979edde469d6f61c9e0077.exe"
  PID: 2248
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\1.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1.exe"
      PID: 4764
      - Checks computer location settings
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1.exe'
          PID: 4444
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '1.exe'
          PID: 4304
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\dllhost.exe'
          PID: 2952
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'dllhost.exe'
          PID: 2996
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\System32\schtasks.exe
          Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "dllhost" /tr "C:\ProgramData\dllhost.exe"
          PID: 4844
          - Scheduled Task/Job: Scheduled Task

    C:\Users\Admin\AppData\Local\Temp\[FreeTP.Org]Pummel-Party-Multiplayer-Fix-Online-v8.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\[FreeTP.Org]Pummel-Party-Multiplayer-Fix-Online-v8.exe"
      PID: 656
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\is-8B8E9.tmp\[FreeTP.Org]Pummel-Party-Multiplayer-Fix-Online-v8.tmp
          Command line: "C:\Users\Admin\AppData\Local\Temp\is-8B8E9.tmp\[FreeTP.Org]Pummel-Party-Multiplayer-Fix-Online-v8.tmp" /SL5="$B0042,739062,190976,C:\Users\Admin\AppData\Local\Temp\[FreeTP.Org]Pummel-Party-Multiplayer-Fix-Online-v8.exe"
          PID: 4252
          - Executes dropped EXE
          - Loads dropped DLL
          - Checks processor information in registry
          - Suspicious use of SetWindowsHookEx

C:\ProgramData\dllhost.exe
  Command line: C:\ProgramData\dllhost.exe
  PID: 3504
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\ProgramData\dllhost.exe
  Command line: C:\ProgramData\dllhost.exe
  PID: 1244
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Downloads

- Filesize: 654B
  MD5: 2ff39f6c7249774be85fd60a8f9a245e
  SHA1: 684ff36b31aedc1e587c8496c02722c6698c1c4e
  SHA256: e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
  SHA512: 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

- Filesize: 2KB
  MD5: d85ba6ff808d9e5444a4b369f5bc2730
  SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
  SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
  SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

- Filesize: 944B
  MD5: 731e9e4becec0b1ef9caad4b3562d4b4
  SHA1: 6dffb77aba4e92ad5bd4b7c02fdee6f328bcd457
  SHA256: 71c7eca538938fa4d5b470fee41cfe43734e9beb9ae409d5b41111fa1a15c2d5
  SHA512: 841cf559ae5b0feec4be43018717641399b3602a553112e98b07d498f1a44169924466abc7e2313b8e8cf1c0fdc1bb7635e2818aab8269b0ef349a0ba0cd6ae5

- Filesize: 944B
  MD5: ce4540390cc4841c8973eb5a3e9f4f7d
  SHA1: 2293f30a6f4c9538bc5b06606c10a50ab4ecef8e
  SHA256: e834e1da338b9644d538cefd70176768816da2556939c1255d386931bd085105
  SHA512: 2a3e466cb5a81d2b65256053b768a98321eb3e65ff46353eefc9864f14a391748116f050e7482ddd73a51575bf0a6fc5c673023dade62dbd8b174442bae1cc6b

- Filesize: 944B
  MD5: b4b6d4cc52b5a3a71149b1f33d94d5de
  SHA1: 97d3dbdd24919eab70e3b14c68797cefc07e90dd
  SHA256: da8c02ce00d5b1e6d4c3667465c7bbc14d7cd5227eb634f3d9690afd488267fe
  SHA512: fc894f03709b83df7d2fca2779e1e60549078b67bcdbff0b61c8e5a802982210ae971309c1f92577573299288963ab5c95c6b38cbaedf53dc6062812c57a97af

- Filesize: 61KB
  MD5: fc66a6c50b60c8452850844a795c943f
  SHA1: 5c071198335dd337c8540b32e8ba1e805101733d
  SHA256: 5391282e3e5fa8fb0c1ffd4eae7082c3dcf8d3c64e622856e9659d40af3ef089
  SHA512: f07c20404cda4f2e6fa6a3a229e29c82b778b445e3cb5c40580d1b14ebcfc0c9a3bd65f684e1d087cc57740476c50e8fec85eb37b23224e0bd0eacef924ea491

- Filesize: 1.2MB
  MD5: 7c9be3d33bf8913f16b8d1762b05bd96
  SHA1: a5f652e382e326ba8bdecf736b727304910c31f3
  SHA256: a2c287f865ded8ddd825301616575079ea22757b943dafccf1ff9dabf1e67e2a
  SHA512: bdbafcf544fad69e377a47246d7ab988b24fb181812b3c24350c7fa0c81a355d59886dfd4ae0279e6cc0d84434aa399e7d8a8e7d2508606f0bfccada42befa49

- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

- C:\Users\Admin\AppData\Local\Temp\is-8B8E9.tmp\[FreeTP.Org]Pummel-Party-Multiplayer-Fix-Online-v8.tmp
  Filesize: 1.5MB
  MD5: 5380849aba66bec4970ee80e31c7ae49
  SHA1: 88dbeaf07f97a6159bf28bb8bb7fc9365e8a2b05
  SHA256: c0bf62c200297b1de58ebc284176121e94097dddf81ce5a860831d786c830d19
  SHA512: 4e49ccad558b24772f7e781eefe4a212d23a4dfe814f8f80efab7ab9b99bf1df1c6ac8db53a89a04e7246d7cf96bf229652550099a68a74202a31451271ded4c

- Filesize: 7KB
  MD5: abd301b0263b0e0cebdd71e4855ac7d3
  SHA1: 1e8480c3f3b47a5daa7cb1183b6a7a49998cda6e
  SHA256: aff003e75bbf410ed2f7ca8728afe01ab4a517536647ad20109d00c4adf570d5
  SHA512: b5abb188bd23d7fc2e3253a5639cc3eba6d21774dba55b43395cf84ddb49fe707ad54dc0a7f157e6b0804c1662d9c4cb4bef2787aafb194ea73fbebd1a63bb6b

- Filesize: 62KB
  MD5: b91658597f15d7f689c86f5a2e7824bd
  SHA1: 00da609aa0b39140b767a3bc2644433d64edbd71
  SHA256: b3cda6ab45ad5aa6a0a5f700d2c8987b3c1c1ebda63165d9bd5a566b24dcbd84
  SHA512: 00b287fb14b947edf4b16d52243e9a992595d8894e83d8590473103d1b54a4670b323db13c4f78234617c44f905baf517e68fcceaad313f3ea7cd44cf036daea

- Filesize: 32KB
  MD5: 295832fa6400cb3407cfe84b06785531
  SHA1: 7068910c2e0ea7f4535c770517e29d9c2d2ee77b
  SHA256: 13e372c4d843603096f33603915c3f25d0e0d4475001c33ce5263bfcd1760784
  SHA512: 50516f9761efd14641f65bd773cfdd50c4ab0de977e094ba9227796dc319d9330321c7914243fc7dc04b5716752395f8dac8ccdfdb98ba7e5f5c1172408ce57b

- Filesize: 12KB
  MD5: 51af4120d6d22b1126cc87a5143740ef
  SHA1: 1cb4e91e765537a72c9628056d29fbd6a7ce515c
  SHA256: c74fed62141f7e666379a0b00d5b39c86975332cf08151cbe8cab88eff2c393c
  SHA512: 2595be954684ca34bc9284337524a5191c72fbea46b59555a5113ed8404a1e7ab6c2aa0f5a975f832cccdd8934ff1140c679ecd940f31cc14b4c3a362a225cbc

- Filesize: 76KB
  MD5: 2e35d2894df3b691dbd8e0d4f4c84efc
  SHA1: d0fc14963e397d185e9f2d7dea1d07bc6308d5b9
  SHA256: 869079ba362cbc560d673db290248ec2aa075a74f22a82d90621f1118f8e1c4d
  SHA512: 29ba662ab2e77aef0547ff76213a1b6ef52be27a446923790a27cf8b69377621048387dbb9f22001b6d15837dddada84c7350614ec9622258319658822705f90

- Filesize: 63KB
  MD5: 1c55ae5ef9980e3b1028447da6105c75
  SHA1: f85218e10e6aa23b2f5a3ed512895b437e41b45c
  SHA256: 6afa2d104be6efe3d9a2ab96dbb75db31565dad64dd0b791e402ecc25529809f
  SHA512: 1ec4d52f49747b29cfd83e1a75fc6ae4101add68ada0b9add5770c10be6dffb004bb47d0854d50871ed8d77acf67d4e0445e97f0548a95c182e83b94ddf2eb6b