Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

RTClauncher.exe

windows7-x64

10

RTClauncher.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    158s
  • max time network
    182s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    10/07/2024, 16:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RTClauncher.exe

  • Size

    71KB

  • MD5

    231165d18b206622d9a6ca5e7423ed23

  • SHA1

    eace0d60252f83a5b234193b42be21777deabf38

  • SHA256

    da97185f21d365d1ab660c38be7012f46b612f5a17c42388f1141c513f1fe1cc

  • SHA512

    544c4d79ea9ff5afab128d346e8dab14f5472e3535d86fc27fcdbdc060ebf2c1f500bc89e67a98651981a97319da62287ab920d694f23c77ca6f9f2e15037d2d

  • SSDEEP

    1536:VEpK8l/D7uHwKHNIQbTpf9UBBywe6CVP44YOoKCohN64fUX8E:KpPvuQgIQbTpf9bVP4FOoKBNhcX8E

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

management-angle.gl.at.ply.gg:1309

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 40 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 50 IoCs
  • Suspicious use of SendNotifyMessage 50 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\RTClauncher.exe
    "C:\Users\Admin\AppData\Local\Temp\RTClauncher.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2320
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RTClauncher.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2916
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RTClauncher.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2620
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Secure System'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1908
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Secure System'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1728
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Secure System" /tr "C:\Users\Admin\AppData\Roaming\Secure System"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:288
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {80490D20-B121-4249-9C2E-60F6E8C5A1BB} S-1-5-21-3450744190-3404161390-554719085-1000:PDIZKVQX\Admin:Interactive:[1]
    1⤵
      PID:1924
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      1⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2568

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      74390fc846a7c2cc637a0531db5123f6

      SHA1

      813408dd5f35a61ccc243f75ce7a4d6498a2db4d

      SHA256

      468d4bffd886d66770647b61871d075afa76145242ddcb80300ca3e6bc8dc7dd

      SHA512

      74e435f2c5c66a66107071ba5f1870d5872bb017d7d929dcbe3939e455b47ce5e2e06f1ed5b2e43844fe4e034c9b4c0605a32697357f66b4696459c82e51a9c8

      Download Submit

    • memory/2320-1-0x00000000011B0000-0x00000000011C8000-memory.dmp

      Filesize

      96KB

      Download

    • memory/2320-2-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2320-0-0x000007FEF59E3000-0x000007FEF59E4000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2320-33-0x0000000000CD0000-0x0000000000CDC000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2320-32-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2320-31-0x000007FEF59E3000-0x000007FEF59E4000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2568-35-0x0000000140000000-0x00000001405E8000-memory.dmp

      Filesize

      5.9MB

      Download

    • memory/2568-36-0x0000000140000000-0x00000001405E8000-memory.dmp

      Filesize

      5.9MB

      Download

    • memory/2568-37-0x0000000140000000-0x00000001405E8000-memory.dmp

      Filesize

      5.9MB

      Download

    • memory/2568-38-0x0000000140000000-0x00000001405E8000-memory.dmp

      Filesize

      5.9MB

      Download

    • memory/2620-15-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2620-14-0x000000001B5B0000-0x000000001B892000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2916-8-0x0000000001F40000-0x0000000001F48000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2916-7-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

      Filesize

      2.9MB

      Download