Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

WindowsHea...ct.exe

windows7-x64

10

WindowsHea...ct.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    13/07/2024, 15:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    WindowsHealthProtect.exe

  • Size

    157KB

  • MD5

    867bd1a3adb00960ae067e0a78eb8169

  • SHA1

    7ab2c2bbdd6dc7c8ae9fbbaad09a323e28865371

  • SHA256

    324a08c32241c38030bd495b74411382b6694dcf74cf66caff1d15b6b2370c08

  • SHA512

    5937cd0f869da3f00095319ca53f15bc924f512895676b33f9085a0ef21b5f7e5d33acafc7e47b4039f543980f73dc5a92bee19556b14588e524b9137e4c3c19

  • SSDEEP

    3072:MCaHVqFw9CwOCVJ4NpVq8BxFRzaqF+o2GQJ7/JzqVfGvV:Hw9/gVqwlL

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:6004

is-eminem.gl.at.ply.gg:6004

88.168.211.65:6004
Mutex

bUdXY3BrQxasTJsJ

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    WindowsHealthProtect.exe

aes.plain

Signatures

  • Detect Xworm Payload 4 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\WindowsHealthProtect.exe
    "C:\Users\Admin\AppData\Local\Temp\WindowsHealthProtect.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:904
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WindowsHealthProtect.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2348
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WindowsHealthProtect.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2756
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\WindowsHealthProtect.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2872
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WindowsHealthProtect.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2780
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WindowsHealthProtect" /tr "C:\ProgramData\WindowsHealthProtect.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2112
    • C:\Windows\system32\CMD.EXE
      "CMD.EXE"
      2⤵
        PID:2892
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {672DB3B9-F90F-4E5C-8CE2-BE671854D492} S-1-5-21-940600906-3464502421-4240639183-1000:MGWWAYYN\Admin:Interactive:[1]
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:2396
      • C:\ProgramData\WindowsHealthProtect.exe
        C:\ProgramData\WindowsHealthProtect.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1540
      • C:\ProgramData\WindowsHealthProtect.exe
        C:\ProgramData\WindowsHealthProtect.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2376

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\WindowsHealthProtect.exe
      Filesize

      157KB

      MD5

      867bd1a3adb00960ae067e0a78eb8169

      SHA1

      7ab2c2bbdd6dc7c8ae9fbbaad09a323e28865371

      SHA256

      324a08c32241c38030bd495b74411382b6694dcf74cf66caff1d15b6b2370c08

      SHA512

      5937cd0f869da3f00095319ca53f15bc924f512895676b33f9085a0ef21b5f7e5d33acafc7e47b4039f543980f73dc5a92bee19556b14588e524b9137e4c3c19

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      9700600368351a70f775d06ec52f25df

      SHA1

      4ff9c13b1dc7fd67e3f4d24ed389999397c08a70

      SHA256

      4d5ed5801ea2cd54ca8bc181d124dc46e885c9b35148222a05859d53d2daf1c4

      SHA512

      6c83f12046130e60ac769e2ff4595769d7802e86719491774646d6f564b7bbd44de327258b1c23137c7165d41df898b27be5284b5fbbef3a750f71fc8bc4dc87

      Download Submit

    • memory/904-31-0x0000000002150000-0x000000000215C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/904-1-0x00000000001A0000-0x00000000001CE000-memory.dmp

      Filesize

      184KB

      Download

    • memory/904-37-0x000000001A6F0000-0x000000001A6FA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/904-0-0x000007FEF5793000-0x000007FEF5794000-memory.dmp

      Filesize

      4KB

      Download

    • memory/904-32-0x000007FEF5793000-0x000007FEF5794000-memory.dmp

      Filesize

      4KB

      Download

    • memory/904-30-0x000000001B250000-0x000000001B2D0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/1540-36-0x00000000008E0000-0x000000000090E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/2348-7-0x000000001B6B0000-0x000000001B992000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2348-8-0x0000000001F70000-0x0000000001F78000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2348-6-0x00000000028B0000-0x0000000002930000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2376-40-0x0000000000020000-0x000000000004E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/2756-15-0x00000000027E0000-0x00000000027E8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2756-14-0x000000001B7C0000-0x000000001BAA2000-memory.dmp

      Filesize

      2.9MB

      Download