Analysis
- max time kernel: 119s
- max time network: 146s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 27/07/2024, 21:05
Static task: static1
Behavioral task: behavioral1
  Sample: Setup.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: Setup.exe
  Resource: win10v2004-20240704-en
General
- Target: Setup.exe
- Size: 296KB
- MD5: 4fbc8b878d44721f4f838334ac218ca3
- SHA1: ab1bbbc858c32c512f3670db42da607ff8f5d797
- SHA256: 9bed2d09b228519b7b0d423d96e05d45193b88f9669b3d7373ce92b8466ce072
- SHA512: 804ece432385d03e546d247afa9f60722458262461e669792f24bf23704779b241c2562792aeec0cf7d450d61a967515e712704f33ede2814004d97cc3adde89
- SSDEEP: 3072:B9UoZkSvCRLTcda4bl7gWz3vW/XhQMg2t6tqnJr:Be8kCCRLTcs4blxvWvhDGq
Malware Config
Extracted: xworm
- Valdemar-62425.portmap.host:62425
- Install_directory: %ProgramData%
- install_file: WinSysUpdater32.exe
Signatures

Detect Xworm Payload (4 IoCs)
  resource | yara_rule
  behavioral1/files/0x000900000001678f-13.dat | family_xworm
  behavioral1/memory/2748-15-0x0000000001200000-0x000000000121E000-memory.dmp | family_xworm
  behavioral1/memory/888-67-0x0000000000C80000-0x0000000000C9E000-memory.dmp | family_xworm
  behavioral1/memory/1768-70-0x0000000000E30000-0x0000000000E4E000-memory.dmp | family_xworm

Command and Scripting Interpreter: PowerShell (1 TTPs, 4 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid | Process
  320 | powershell.exe
  1896 | powershell.exe
  2984 | powershell.exe
  2392 | powershell.exe

Drops startup file (2 IoCs)
  description | ioc | Process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinSysUpdater32.lnk | InspectedSetup.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinSysUpdater32.lnk | InspectedSetup.exe

Executes dropped EXE (4 IoCs)
  pid | Process
  1904 | InspectedSetupV2.1.4.exe
  2748 | InspectedSetup.exe
  888 | WinSysUpdater32.exe
  1768 | WinSysUpdater32.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinSysUpdater32 = "C:\\ProgramData\\WinSysUpdater32.exe" | InspectedSetup.exe

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  4 | ip-api.com

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AcroRd32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AcroRd32.exe
Modifies registry class (10 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\py_auto_file\shell\Read | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_Classes\Local Settings | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\py_auto_file | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\.py | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\.py\ = "py_auto_file" | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\py_auto_file\shell | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\py_auto_file\shell\Read\command | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_Classes\Local Settings | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\py_auto_file\ | rundll32.exe

Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  1300 | schtasks.exe

Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  pid | Process
  2748 | InspectedSetup.exe

Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid | Process
  320 | powershell.exe
  1896 | powershell.exe
  2984 | powershell.exe
  2392 | powershell.exe
  2748 | InspectedSetup.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid | Process
  3004 | AcroRd32.exe

Suspicious use of AdjustPrivilegeToken (8 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2748 | InspectedSetup.exe
  Token: SeDebugPrivilege | 320 | powershell.exe
  Token: SeDebugPrivilege | 1896 | powershell.exe
  Token: SeDebugPrivilege | 2984 | powershell.exe
  Token: SeDebugPrivilege | 2392 | powershell.exe
  Token: SeDebugPrivilege | 2748 | InspectedSetup.exe
  Token: SeDebugPrivilege | 888 | WinSysUpdater32.exe
  Token: SeDebugPrivilege | 1768 | WinSysUpdater32.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
  pid | Process
  3004 | AcroRd32.exe
  3004 | AcroRd32.exe
  2748 | InspectedSetup.exe

Suspicious use of WriteProcessMemory (41 IoCs)
  description | pid | Process | procid_target
  PID 2324 wrote to memory of 1904 | 2324 | Setup.exe | 31
  PID 2324 wrote to memory of 1904 | 2324 | Setup.exe | 31
  PID 2324 wrote to memory of 1904 | 2324 | Setup.exe | 31
  PID 2324 wrote to memory of 2912 | 2324 | Setup.exe | 32
  PID 2324 wrote to memory of 2912 | 2324 | Setup.exe | 32
  PID 2324 wrote to memory of 2912 | 2324 | Setup.exe | 32
  PID 1904 wrote to memory of 2748 | 1904 | InspectedSetupV2.1.4.exe | 33
  PID 1904 wrote to memory of 2748 | 1904 | InspectedSetupV2.1.4.exe | 33
  PID 1904 wrote to memory of 2748 | 1904 | InspectedSetupV2.1.4.exe | 33
  PID 1904 wrote to memory of 2796 | 1904 | InspectedSetupV2.1.4.exe | 34
  PID 1904 wrote to memory of 2796 | 1904 | InspectedSetupV2.1.4.exe | 34
  PID 1904 wrote to memory of 2796 | 1904 | InspectedSetupV2.1.4.exe | 34
  PID 2796 wrote to memory of 3004 | 2796 | rundll32.exe | 36
  PID 2796 wrote to memory of 3004 | 2796 | rundll32.exe | 36
  PID 2796 wrote to memory of 3004 | 2796 | rundll32.exe | 36
  PID 2796 wrote to memory of 3004 | 2796 | rundll32.exe | 36
  PID 2748 wrote to memory of 320 | 2748 | InspectedSetup.exe | 38
  PID 2748 wrote to memory of 320 | 2748 | InspectedSetup.exe | 38
  PID 2748 wrote to memory of 320 | 2748 | InspectedSetup.exe | 38
  PID 2748 wrote to memory of 1896 | 2748 | InspectedSetup.exe | 40
  PID 2748 wrote to memory of 1896 | 2748 | InspectedSetup.exe | 40
  PID 2748 wrote to memory of 1896 | 2748 | InspectedSetup.exe | 40
  PID 2748 wrote to memory of 2984 | 2748 | InspectedSetup.exe | 42
  PID 2748 wrote to memory of 2984 | 2748 | InspectedSetup.exe | 42
  PID 2748 wrote to memory of 2984 | 2748 | InspectedSetup.exe | 42
  PID 2748 wrote to memory of 2392 | 2748 | InspectedSetup.exe | 44
  PID 2748 wrote to memory of 2392 | 2748 | InspectedSetup.exe | 44
  PID 2748 wrote to memory of 2392 | 2748 | InspectedSetup.exe | 44
  PID 2748 wrote to memory of 1300 | 2748 | InspectedSetup.exe | 46
  PID 2748 wrote to memory of 1300 | 2748 | InspectedSetup.exe | 46
  PID 2748 wrote to memory of 1300 | 2748 | InspectedSetup.exe | 46
  PID 2912 wrote to memory of 1728 | 2912 | rundll32.exe | 48
  PID 2912 wrote to memory of 1728 | 2912 | rundll32.exe | 48
  PID 2912 wrote to memory of 1728 | 2912 | rundll32.exe | 48
  PID 2912 wrote to memory of 1728 | 2912 | rundll32.exe | 48
  PID 112 wrote to memory of 888 | 112 | taskeng.exe | 50
  PID 112 wrote to memory of 888 | 112 | taskeng.exe | 50
  PID 112 wrote to memory of 888 | 112 | taskeng.exe | 50
  PID 112 wrote to memory of 1768 | 112 | taskeng.exe | 51
  PID 112 wrote to memory of 1768 | 112 | taskeng.exe | 51
  PID 112 wrote to memory of 1768 | 112 | taskeng.exe | 51

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

[level 1] C:\Users\Admin\AppData\Local\Temp\Setup.exe (PID 2324)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  - Suspicious use of WriteProcessMemory

  [level 2] C:\Users\Admin\AppData\Local\Temp\InspectedSetupV2.1.4.exe (PID 1904)
    Command line: "C:\Users\Admin\AppData\Local\Temp\InspectedSetupV2.1.4.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    [level 3] C:\Users\Admin\AppData\Roaming\InspectedSetup.exe (PID 2748)
      Command line: "C:\Users\Admin\AppData\Roaming\InspectedSetup.exe"
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      [level 4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 320)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\InspectedSetup.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      [level 4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1896)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'InspectedSetup.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      [level 4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2984)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\WinSysUpdater32.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      [level 4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2392)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WinSysUpdater32.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      [level 4] C:\Windows\System32\schtasks.exe (PID 1300)
        Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WinSysUpdater32" /tr "C:\ProgramData\WinSysUpdater32.exe"
        - Scheduled Task/Job: Scheduled Task

    [level 3] C:\Windows\system32\rundll32.exe (PID 2796)
      Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Roaming\INSPECTEDfreeV2.4.py
      - Modifies registry class
      - Suspicious use of WriteProcessMemory

      [level 4] C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (PID 3004)
        Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\INSPECTEDfreeV2.4.py"
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx

  [level 2] C:\Windows\system32\rundll32.exe (PID 2912)
    Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\FreeINSPECTED.py
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

    [level 3] C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (PID 1728)
      Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\FreeINSPECTED.py"
      - System Location Discovery: System Language Discovery

[level 1] C:\Windows\system32\taskeng.exe (PID 112)
  Command line: taskeng.exe {0457C575-FBFC-4F4D-AE8A-2582E7AE6C83} S-1-5-21-3551809350-4263495960-1443967649-1000:NNYJZAHP\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory

  [level 2] C:\ProgramData\WinSysUpdater32.exe (PID 888)
    Command line: C:\ProgramData\WinSysUpdater32.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

  [level 2] C:\ProgramData\WinSysUpdater32.exe (PID 1768)
    Command line: C:\ProgramData\WinSysUpdater32.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15

Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)

Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Downloads

- Filesize: 6KB
  MD5: 1548bd62ce778723ca94f6c6ac710540
  SHA1: bff334f3430794a78c5c6a64b2f3cc17592c96de
  SHA256: a43db9b3f7d546f83a74a0fe5c377abac4512dc10cf3117918a4ca4abe9e7c40
  SHA512: 5f69e099ad09ca08165b60819a70366185e08361a597d4d96b9e60ad2d1d1a1e4f39dcdd152d15c276053079a06cc95226f1c8766d4e0d6407799ede9cd97885

- Filesize: 112KB
  MD5: b6e3ad794d2172d8e6c909b904bccccb
  SHA1: 6618a1276353c6c4e4c746a190ef31098d3c9f38
  SHA256: cf368edca395eeac03f42d5f902fcada7f4262802ff95631712347563d8bdb05
  SHA512: a50abeec4ab2f3cdc42ddb4a852aa7ee10376cd140b607f98be4b96995d2b0b4722e2d0286133d88ccd1f4ece2dec01f79d2b8e67f93cac1d040a72cde1dd605

- Filesize: 3KB
  MD5: 83433f6fde21e2b8f47760a4f07244e2
  SHA1: b9ffce59ec464808133fd58837e21a53220a5062
  SHA256: 1112748d8df01ea8026b6f6ffa7e7f17782778fc2da1f1d6736b69e1295558ef
  SHA512: 77743586b9e91f1b34376bf3ca23979b36c3302785095fd0fce6ec3368c46ff2ac7b4986e02bf580544f4a77a3fa53df8786a2ada0b66bffbb915c9caf068df0

- Filesize: 4KB
  MD5: c717302066b1825d61744234057afd46
  SHA1: a51f638e23311b7f35f2832e8739c3e4c5a83257
  SHA256: a178663e55f00f9a234851a278d91bd4c02796477b9cafefaa2cd36df7277d87
  SHA512: 1e9c0315050ee435607cc90ac8e4180f0659f1469944af79cfb2a418efb714ebaa529f4a79698a6a78853c796b6af4c4d58de50379740f74c8c221850a3976a7

- Filesize: 97KB
  MD5: 2edb664bcabf152026fa329515a96821
  SHA1: 230f2c370647ba1e41498aa2efa8cba6f512642f
  SHA256: 6548408ffacead04d0e33df162a247f2f8542ea9c98b50698476b86380f3547b
  SHA512: a65b623fe37143e0eba265d3cd80a68ecc30e836be13fc113177e4e2e40ab508c9e3a1bd1952f45b8e01bccc7a43e96ef18f41d2ea5de1bd4ab7bc67c19fef70

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: b498fc890256b2fc1a667706eb5fbee3
  SHA1: 0ea85040fbb944f672ff922638223a9905953690
  SHA256: 0053e6da61d60aa887f8164f11d884f41891e06fbd098c793ee601d9fdf8e1dc
  SHA512: 1ad023faa8ef879f5ca508db9ea12e01c4be763e6736d8107917c530642461db92ade71126859b38aa5911a8c53b49f9d1c57408771915126bdb007baedb393e