Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

письк...т.exe

windows7-x64

письк...т.exe

windows10-2004-x64

Resubmissions

02/02/2025, 22:41

250202-2mj4sssqfj 10

14/08/2024, 11:34

240814-npp6yavbpl 10

24/07/2024, 18:34

240724-w7q5ys1cmr 10

24/07/2024, 18:33

240724-w7ag7stere 10

24/07/2024, 18:31

240724-w6jdqa1bqp 10

24/07/2024, 18:30

240724-w5zdjs1bnm 10

24/07/2024, 18:30

240724-w5j9matejg 10

24/07/2024, 18:29

240724-w44lwatdqd 10

24/07/2024, 18:28

240724-w4nknatdpa 10

24/07/2024, 18:27

240724-w38t7s1apm 10

Analysis

  • max time kernel
    25s
  • max time network
    25s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    23/07/2024, 19:14

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    писька чит.exe

  • Size

    71KB

  • MD5

    ed3794861ddc34b4748ff8081e80cb2b

  • SHA1

    e63cf084552f0c2803de0109e3d2fcd3102c4738

  • SHA256

    6af19a694c8c3e6860d2555ce16be115c599c3424ec1e01c0bf67acd3298ae0f

  • SHA512

    df771b8eecb7e065628c06b8cca9aa7df6dd05bbdba0f85ed34010e264a286a17129289d6ac3e9f87c56152ed7a35302e88ae6643a1bb06c45745cf3d5ea0b03

  • SSDEEP

    1536:EYB+O1NIBlJ4wlA0B4GI0b0xEPdB8QlOrIXt6fT+S1va+OuPyGV54:EOgQwlRB4wb0xEFBdMIk+S19OuaGV54

Score
10/10
xwormexecutionrattrojan

Malware Config

Extracted

Family

xworm

C2

main-although.gl.at.ply.gg:30970

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops startup file 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\писька чит.exe
    "C:\Users\Admin\AppData\Local\Temp\писька чит.exe"
    1⤵
    • Drops startup file
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:588
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\писька чит.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2744
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'писька чит.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2748
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2644
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2200
    • C:\Windows\system32\shutdown.exe
      shutdown.exe /f /s /t 0
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1256
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    1⤵
      PID:772
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x1
      1⤵
        PID:2248

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
        Filesize

        7KB

        MD5

        7710ade7f9cac4ea1a1876d2a6907899

        SHA1

        0174703ddc0d646753da8d32c5abf01d21b8e07b

        SHA256

        931024ff05fe252b3ee116c1554c559271a2edcf937751533a6462ec497628a9

        SHA512

        753885361dc3ee286b7db7cf60c2e19c2bfe51683f807a4209f17c4d88a92b7e4da7d72f993848597970a579956c6b390544b63473008a2ebf2663be92c5b21a

        Download Submit

      • memory/588-0-0x000007FEF5C03000-0x000007FEF5C04000-memory.dmp

        Filesize

        4KB

        Download

      • memory/588-1-0x0000000001180000-0x0000000001198000-memory.dmp

        Filesize

        96KB

        Download

      • memory/588-2-0x000007FEF5C00000-0x000007FEF65EC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/588-32-0x000007FEF5C03000-0x000007FEF5C04000-memory.dmp

        Filesize

        4KB

        Download

      • memory/588-33-0x000007FEF5C00000-0x000007FEF65EC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2744-7-0x0000000002D80000-0x0000000002E00000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2744-8-0x000000001B730000-0x000000001BA12000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/2744-9-0x0000000001FF0000-0x0000000001FF8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2748-15-0x000000001B7A0000-0x000000001BA82000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/2748-16-0x00000000027E0000-0x00000000027E8000-memory.dmp

        Filesize

        32KB

        Download