Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

ратник.exe

windows7-x64

10

ратник.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    134s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    23/07/2024, 12:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ратник.exe

  • Size

    62KB

  • MD5

    f5d67f4988d18fb4b52e7de4ad75168d

  • SHA1

    b1f3b4d40d3a5e177ec04c478d6a02f85d57e35c

  • SHA256

    3c9f38093ef7ca9ff110fdb5cff7fcb4c8eec737536181561e75410a88a9d465

  • SHA512

    32223a0e6f50608d992556a4de81f72c3fd62646ea8e340729addfeca02b686dfa450f591c82c2e564d164b62e08a0aaf543dd9c0d3835194d69d279554e79f0

  • SSDEEP

    1536:DLxX5T7Oxst3AExTPCObC9+raFgC6lFKJOHhxL:DltcsmEwObCE7EJOHjL

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

stores-achieved.gl.at.ply.gg:64510

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 30 IoCs
  • Suspicious use of FindShellTrayWindow 35 IoCs
  • Suspicious use of SendNotifyMessage 32 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ратник.exe
    "C:\Users\Admin\AppData\Local\Temp\ратник.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2532
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ратник.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2704
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ратник.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2600
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1692
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2644
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe"
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1224
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7feefa59758,0x7feefa59768,0x7feefa59778
      2⤵
        PID:1932
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1132 --field-trial-handle=1280,i,9416952186357752949,6137643962858121182,131072 /prefetch:2
        2⤵
          PID:2684
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1392 --field-trial-handle=1280,i,9416952186357752949,6137643962858121182,131072 /prefetch:8
          2⤵
            PID:464
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1456 --field-trial-handle=1280,i,9416952186357752949,6137643962858121182,131072 /prefetch:8
            2⤵
              PID:580
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2316 --field-trial-handle=1280,i,9416952186357752949,6137643962858121182,131072 /prefetch:1
              2⤵
                PID:2948
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2324 --field-trial-handle=1280,i,9416952186357752949,6137643962858121182,131072 /prefetch:1
                2⤵
                  PID:2880
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1856 --field-trial-handle=1280,i,9416952186357752949,6137643962858121182,131072 /prefetch:2
                  2⤵
                    PID:1716
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3160 --field-trial-handle=1280,i,9416952186357752949,6137643962858121182,131072 /prefetch:1
                    2⤵
                      PID:1588
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3628 --field-trial-handle=1280,i,9416952186357752949,6137643962858121182,131072 /prefetch:8
                      2⤵
                        PID:2832
                    • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
                      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
                      1⤵
                        PID:2188

                      Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp
                        Filesize

                        16B

                        MD5

                        aefd77f47fb84fae5ea194496b44c67a

                        SHA1

                        dcfbb6a5b8d05662c4858664f81693bb7f803b82

                        SHA256

                        4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

                        SHA512

                        b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
                        Filesize

                        264KB

                        MD5

                        f50f89a0a91564d0b8a211f8921aa7de

                        SHA1

                        112403a17dd69d5b9018b8cede023cb3b54eab7d

                        SHA256

                        b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

                        SHA512

                        bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                        Filesize

                        5KB

                        MD5

                        1835d6f34b115216216432d8981f1075

                        SHA1

                        c1b0b19757270ba8f1aa820b5fad0535b0e6ffd0

                        SHA256

                        8533ead012859ed78384776759c80543fb8f3456ef9fc9dbf7347fbf4f4eb520

                        SHA512

                        702aa6160d99d1d99a6c1324a1e9b1a8eb039117989bbae37d6e4a8c21bbf1dcc3fa2b9918d725af63a0cb862702fbf66bf66ee577a2b3ce6d418aba782e1083

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp
                        Filesize

                        16B

                        MD5

                        18e723571b00fb1694a3bad6c78e4054

                        SHA1

                        afcc0ef32d46fe59e0483f9a3c891d3034d12f32

                        SHA256

                        8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

                        SHA512

                        43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
                        Filesize

                        308KB

                        MD5

                        72716d45e4b788ef4fb32b65d9272a78

                        SHA1

                        5dfb0c97c056753777a3a84760355ba4f1a8cf7c

                        SHA256

                        63a34996730ced7c3110cf667a732cf3ab1a0ef9d2a66adb5113da48ecc623cd

                        SHA512

                        3f8f86ab486280f79f49a47fba4a735052b915d95ead11a7479722ccda48e50a9287a4c415f2c5824d2a6ace768e78692dc9f52801dcd7887a13b1f32c82cf5e

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ac954a78-ffef-4b89-80f5-78ce4c9aee15.tmp
                        Filesize

                        308KB

                        MD5

                        350cd67be0398e0a3ceae164e1a4f555

                        SHA1

                        5916a6383a3cfbd49b187a301b7b32ac5780a6c9

                        SHA256

                        90bf3b558d6d449e4d6eeff9cad373ef58d4de6887d4bc65b15c24e8d39da49e

                        SHA512

                        7209320f6e9adb4789f51a50659cc9c79af9b6c3a767e2052db4063628ef7581ae5ac00a09d90f5046d11d68e129a1171d56c60a38081f1393b0b44783369a88

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
                        Filesize

                        7KB

                        MD5

                        d740a927c7816668fa41e96e505620ad

                        SHA1

                        0501caf23c93ff9d4ab4e23982689062e6c6dffe

                        SHA256

                        3ba5cecd3cb619ad52357949574d86780869258038333b682cb488f4c0223700

                        SHA512

                        8589be7f8b7b315ce9ffd86878acefdeefd6e5ade0ab08c6d050069a65aee7ea5e6359fef6eecd50ebc8844d91a865d0a6b959dce9481c7465edd84a81ebc53a

                        Download Submit

                      • memory/2532-2-0x000007FEF5410000-0x000007FEF5DFC000-memory.dmp

                        Filesize

                        9.9MB

                        Download

                      • memory/2532-0-0x000007FEF5413000-0x000007FEF5414000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/2532-32-0x000007FEF5413000-0x000007FEF5414000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/2532-35-0x000007FEF5410000-0x000007FEF5DFC000-memory.dmp

                        Filesize

                        9.9MB

                        Download

                      • memory/2532-1-0x0000000000A30000-0x0000000000A46000-memory.dmp

                        Filesize

                        88KB

                        Download

                      • memory/2600-16-0x0000000002340000-0x0000000002348000-memory.dmp

                        Filesize

                        32KB

                        Download

                      • memory/2600-15-0x000000001B550000-0x000000001B832000-memory.dmp

                        Filesize

                        2.9MB

                        Download

                      • memory/2704-9-0x00000000023C0000-0x00000000023C8000-memory.dmp

                        Filesize

                        32KB

                        Download

                      • memory/2704-8-0x000000001B510000-0x000000001B7F2000-memory.dmp

                        Filesize

                        2.9MB

                        Download

                      • memory/2704-7-0x0000000002C00000-0x0000000002C80000-memory.dmp

                        Filesize

                        512KB

                        Download