Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

Everything.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/07/2024, 16:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Everything.exe

  • Size

    1.1MB

  • MD5

    574e3b1c4f468cf59768cf5ef84aeedc

  • SHA1

    ee826303db0bd1c8cdf79095b9297608df2f8891

  • SHA256

    f2b7f2e4d4b1e2552c5739f1d790b39a99b0487f2fb0696fb683d4dfc29a913b

  • SHA512

    312f4873cd47457e5c422f1a86343d7d91d935074fe8145c8da03a6244e4c36da1e532e38086ecf86f739f4cddeee978825a39af79da1b40c344cda71a64f8be

  • SSDEEP

    24576:YP3HZagB7Jn6C5cZiLQ7ZCyEib1GZexgvOxxH8Z3:Yf5aUsZ9sHibODvOx6Z3

Score
10/10
xwormdiscoverypersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

rights-refers.gl.at.ply.gg:8848

localhost:8848

127.0.0.1:8848
Attributes
  • Install_directory

    %AppData%

  • install_file

    svchost.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 16 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Everything.exe
    "C:\Users\Admin\AppData\Local\Temp\Everything.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:1184

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1184-0-0x0000000000430000-0x000000000087C000-memory.dmp

    Filesize

    4.3MB

    Download

  • memory/1184-1-0x00000000745CE000-0x00000000745CF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1184-2-0x0000000000430000-0x000000000087C000-memory.dmp

    Filesize

    4.3MB

    Download

  • memory/1184-3-0x0000000006680000-0x000000000671C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/1184-5-0x0000000006720000-0x0000000006786000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1184-6-0x00000000745C0000-0x0000000074D70000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1184-11-0x0000000007DB0000-0x0000000008354000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1184-12-0x0000000007C80000-0x0000000007D12000-memory.dmp

    Filesize

    584KB

    Download

  • memory/1184-13-0x0000000007C20000-0x0000000007C2A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1184-15-0x0000000000430000-0x000000000087C000-memory.dmp

    Filesize

    4.3MB

    Download

  • memory/1184-17-0x00000000745CE000-0x00000000745CF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1184-18-0x00000000745C0000-0x0000000074D70000-memory.dmp

    Filesize

    7.7MB

    Download