Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
12/07/2024, 12:38
Behavioral task
behavioral1
Sample
VicTweaks.exe
Resource
win7-20240704-en
windows7-x64
8 signatures
150 seconds
General
-
Target
VicTweaks.exe
-
Size
153KB
-
MD5
f77f28c05650e81f23e8ca6659607b11
-
SHA1
eb7ece2f3515c2b402be5bc79967318ed4cdcb09
-
SHA256
e6f83dc04194dcd171ec918e9545b5f1ef71276b17ac03946e66e640eb37d9e6
-
SHA512
f0b47486f95b53e72605aeedd9d583408dffbb784cb618aaa3eec2726d1300488d186ba21f11403b91c2fa382bfb836fb7e286921b31e0a57425d8b9eeb59713
-
SSDEEP
3072:xrBuw2j46bqwXi/OiS71HBz65/M6If+3Js+3JFkKeTne:xebVnZHxBt25
Malware Config
Extracted
Family
xworm
C2
127.0.0.1:7000
12.0.0.0.1:7000
Attributes
-
Install_directory
%ProgramData%
-
install_file
VicToolsRuntime.exe
Signatures
-
Detect Xworm Payload 2 IoCs
resource yara_rule behavioral2/memory/3580-1-0x00000000001E0000-0x000000000020C000-memory.dmp family_xworm behavioral2/files/0x000b0000000233bc-27.dat family_xworm -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VicToolsRuntime.lnk VicTweaks.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VicToolsRuntime.lnk VicTweaks.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 9 ip-api.com -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\Debug\WIA\wiatrace.log mspaint.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 AcroRd32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz AcroRd32.exe -
Suspicious behavior: EnumeratesProcesses 42 IoCs
pid Process 3580 VicTweaks.exe 3580 VicTweaks.exe 3580 VicTweaks.exe 3580 VicTweaks.exe 3580 VicTweaks.exe 3580 VicTweaks.exe 3580 VicTweaks.exe 3580 VicTweaks.exe 3580 VicTweaks.exe 3580 VicTweaks.exe 3580 VicTweaks.exe 3580 VicTweaks.exe 3580 VicTweaks.exe 3580 VicTweaks.exe 3580 VicTweaks.exe 3580 VicTweaks.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 1808 mspaint.exe 1808 mspaint.exe -
Suspicious use of AdjustPrivilegeToken 7 IoCs
description pid Process Token: SeDebugPrivilege 3580 VicTweaks.exe Token: SeDebugPrivilege 3580 VicTweaks.exe Token: SeDebugPrivilege 4872 taskmgr.exe Token: SeSystemProfilePrivilege 4872 taskmgr.exe Token: SeCreateGlobalPrivilege 4872 taskmgr.exe Token: 33 4872 taskmgr.exe Token: SeIncBasePriorityPrivilege 4872 taskmgr.exe -
Suspicious use of FindShellTrayWindow 50 IoCs
pid Process 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe -
Suspicious use of SendNotifyMessage 49 IoCs
pid Process 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe 4872 taskmgr.exe -
Suspicious use of SetWindowsHookEx 9 IoCs
pid Process 3580 VicTweaks.exe 1808 mspaint.exe 1808 mspaint.exe 1808 mspaint.exe 1808 mspaint.exe 2040 AcroRd32.exe 2040 AcroRd32.exe 2040 AcroRd32.exe 2040 AcroRd32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\VicTweaks.exe"C:\Users\Admin\AppData\Local\Temp\VicTweaks.exe"1⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3580
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /71⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4872
-
C:\Windows\system32\mspaint.exe"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\UnpublishCompare.dib"1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1808
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService1⤵PID:3100
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"1⤵
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:2040
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
153KB
MD5f77f28c05650e81f23e8ca6659607b11
SHA1eb7ece2f3515c2b402be5bc79967318ed4cdcb09
SHA256e6f83dc04194dcd171ec918e9545b5f1ef71276b17ac03946e66e640eb37d9e6
SHA512f0b47486f95b53e72605aeedd9d583408dffbb784cb618aaa3eec2726d1300488d186ba21f11403b91c2fa382bfb836fb7e286921b31e0a57425d8b9eeb59713
-
Filesize
712B
MD549b6a26b91cd72b8c8f764af81c9a5cf
SHA1de82760915d6dd69eb69da2760c2a2cc5edc0137
SHA2565e3b904b29779f49d4b15d5a92ee4ee5f6bb98705813951353f541872de51f49
SHA51260a7ff529c01724d385792e529740442eea8ef9631bca24195c231465fd78d35df7ecce634316152fe1dfb24257aaf425aea88879971c790330367454b7020c0