Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

dwdadwawa.exe

windows7-x64

10

dwdadwawa.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    24/07/2024, 06:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dwdadwawa.exe

  • Size

    63KB

  • MD5

    7bb9d6edfd29f0b72b7c628b9fab2a3e

  • SHA1

    f603ce6c91c1314c4af009792cfa725ce953e906

  • SHA256

    d35f477971442252b444638b427427ad2bca84f4991b1e1f6285cc00152b7701

  • SHA512

    38403a5e83716f3a98ff48653535a3599faa221c9dbfe9cf858b776975d4a8e73632e212e128fb6c6f73eb99f31a1f4e83696705df2fac72e2bbb179f701725d

  • SSDEEP

    1536:ZYWnc4BSrIN5GMAFg6iu80+wcGr6bg9+UEPPArfh96GBo4AOnr5z:Z4aZAFg6FC5E6bg9+ZI/oOnr5z

Score
10/10
xwormevasionexecutionrattrojan

Malware Config

Extracted

Family

xworm

C2

main-although.gl.at.ply.gg:30970

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

Signatures

  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Detect Xworm Payload 1 IoCs
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Disables RegEdit via registry modification 2 IoCs
    evasion
  • Drops startup file 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\dwdadwawa.exe
    "C:\Users\Admin\AppData\Local\Temp\dwdadwawa.exe"
    1⤵
    • UAC bypass
    • Disables RegEdit via registry modification
    • Drops startup file
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2708
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dwdadwawa.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2712
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'dwdadwawa.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2520
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3044
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1864

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    07a24b327cd00b2d78ed548ac8270f5a

    SHA1

    8861e9026a9cdcdfe86f674deaf83c8591c2990f

    SHA256

    eb5bf969bbcf07afa0125145a13e53610b94a7ce1bf69548cc0a2a2f820589b1

    SHA512

    845904e779b0b592942ec3fa4dfd5a1bbbe19f0150032cb7e2f3f5e22ed61a3fb4d7a6967041eb18fa9e6a9ef7db501a7924f1ccd59e22152cf65dcedd71d500

    Download Submit

  • memory/2520-14-0x000000001B7A0000-0x000000001BA82000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2520-15-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2708-0-0x000007FEF5C93000-0x000007FEF5C94000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2708-1-0x0000000001260000-0x0000000001276000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2708-2-0x000007FEF5C90000-0x000007FEF667C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2708-30-0x000007FEF5C93000-0x000007FEF5C94000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2708-31-0x000007FEF5C90000-0x000007FEF667C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2708-32-0x000000001A7C0000-0x000000001A7CE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2712-7-0x000000001B620000-0x000000001B902000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2712-8-0x0000000001EE0000-0x0000000001EE8000-memory.dmp

    Filesize

    32KB

    Download