
Analysis

  • max time kernel
    119s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    27/07/2024, 21:05

General

  • Target

    Setup.exe

  • Size

    296KB

  • MD5

    4fbc8b878d44721f4f838334ac218ca3

  • SHA1

    ab1bbbc858c32c512f3670db42da607ff8f5d797

  • SHA256

    9bed2d09b228519b7b0d423d96e05d45193b88f9669b3d7373ce92b8466ce072

  • SHA512

    804ece432385d03e546d247afa9f60722458262461e669792f24bf23704779b241c2562792aeec0cf7d450d61a967515e712704f33ede2814004d97cc3adde89

  • SSDEEP

    3072:B9UoZkSvCRLTcda4bl7gWz3vW/XhQMg2t6tqnJr:Be8kCCRLTcs4blxvWvhDGq

Malware Config

Extracted

Family

xworm

C2

Valdemar-62425.portmap.host:62425

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    WinSysUpdater32.exe

Signatures

  • Detect Xworm Payload 4 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 10 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 41 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2324
    • C:\Users\Admin\AppData\Local\Temp\InspectedSetupV2.1.4.exe
      "C:\Users\Admin\AppData\Local\Temp\InspectedSetupV2.1.4.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1904
      • C:\Users\Admin\AppData\Roaming\InspectedSetup.exe
        "C:\Users\Admin\AppData\Roaming\InspectedSetup.exe"
        3⤵
        • Drops startup file
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2748
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\InspectedSetup.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:320
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'InspectedSetup.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1896
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\WinSysUpdater32.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2984
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WinSysUpdater32.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2392
        • C:\Windows\System32\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WinSysUpdater32" /tr "C:\ProgramData\WinSysUpdater32.exe"
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:1300
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Roaming\INSPECTEDfreeV2.4.py
        3⤵
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2796
        • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
          "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\INSPECTEDfreeV2.4.py"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          PID:3004
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\FreeINSPECTED.py
      2⤵
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2912
      • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\FreeINSPECTED.py"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1728
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {0457C575-FBFC-4F4D-AE8A-2582E7AE6C83} S-1-5-21-3551809350-4263495960-1443967649-1000:NNYJZAHP\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:112
    • C:\ProgramData\WinSysUpdater32.exe
      C:\ProgramData\WinSysUpdater32.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:888
    • C:\ProgramData\WinSysUpdater32.exe
      C:\ProgramData\WinSysUpdater32.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1768


Downloads

  • C:\Users\Admin\AppData\Local\Temp\FreeINSPECTED.py

    Filesize

    6KB

    MD5

    1548bd62ce778723ca94f6c6ac710540

    SHA1

    bff334f3430794a78c5c6a64b2f3cc17592c96de

    SHA256

    a43db9b3f7d546f83a74a0fe5c377abac4512dc10cf3117918a4ca4abe9e7c40

    SHA512

    5f69e099ad09ca08165b60819a70366185e08361a597d4d96b9e60ad2d1d1a1e4f39dcdd152d15c276053079a06cc95226f1c8766d4e0d6407799ede9cd97885

  • C:\Users\Admin\AppData\Local\Temp\InspectedSetupV2.1.4.exe

    Filesize

    112KB

    MD5

    b6e3ad794d2172d8e6c909b904bccccb

    SHA1

    6618a1276353c6c4e4c746a190ef31098d3c9f38

    SHA256

    cf368edca395eeac03f42d5f902fcada7f4262802ff95631712347563d8bdb05

    SHA512

    a50abeec4ab2f3cdc42ddb4a852aa7ee10376cd140b607f98be4b96995d2b0b4722e2d0286133d88ccd1f4ece2dec01f79d2b8e67f93cac1d040a72cde1dd605

  • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

    Filesize

    3KB

    MD5

    83433f6fde21e2b8f47760a4f07244e2

    SHA1

    b9ffce59ec464808133fd58837e21a53220a5062

    SHA256

    1112748d8df01ea8026b6f6ffa7e7f17782778fc2da1f1d6736b69e1295558ef

    SHA512

    77743586b9e91f1b34376bf3ca23979b36c3302785095fd0fce6ec3368c46ff2ac7b4986e02bf580544f4a77a3fa53df8786a2ada0b66bffbb915c9caf068df0

  • C:\Users\Admin\AppData\Roaming\INSPECTEDfreeV2.4.py

    Filesize

    4KB

    MD5

    c717302066b1825d61744234057afd46

    SHA1

    a51f638e23311b7f35f2832e8739c3e4c5a83257

    SHA256

    a178663e55f00f9a234851a278d91bd4c02796477b9cafefaa2cd36df7277d87

    SHA512

    1e9c0315050ee435607cc90ac8e4180f0659f1469944af79cfb2a418efb714ebaa529f4a79698a6a78853c796b6af4c4d58de50379740f74c8c221850a3976a7

  • C:\Users\Admin\AppData\Roaming\InspectedSetup.exe

    Filesize

    97KB

    MD5

    2edb664bcabf152026fa329515a96821

    SHA1

    230f2c370647ba1e41498aa2efa8cba6f512642f

    SHA256

    6548408ffacead04d0e33df162a247f2f8542ea9c98b50698476b86380f3547b

    SHA512

    a65b623fe37143e0eba265d3cd80a68ecc30e836be13fc113177e4e2e40ab508c9e3a1bd1952f45b8e01bccc7a43e96ef18f41d2ea5de1bd4ab7bc67c19fef70

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    7KB

    MD5

    b498fc890256b2fc1a667706eb5fbee3

    SHA1

    0ea85040fbb944f672ff922638223a9905953690

    SHA256

    0053e6da61d60aa887f8164f11d884f41891e06fbd098c793ee601d9fdf8e1dc

    SHA512

    1ad023faa8ef879f5ca508db9ea12e01c4be763e6736d8107917c530642461db92ade71126859b38aa5911a8c53b49f9d1c57408771915126bdb007baedb393e

  • memory/320-22-0x000000001B4F0000-0x000000001B7D2000-memory.dmp

    Filesize

    2.9MB

  • memory/320-23-0x0000000002890000-0x0000000002898000-memory.dmp

    Filesize

    32KB

  • memory/888-67-0x0000000000C80000-0x0000000000C9E000-memory.dmp

    Filesize

    120KB

  • memory/1768-70-0x0000000000E30000-0x0000000000E4E000-memory.dmp

    Filesize

    120KB

  • memory/1896-29-0x000000001B740000-0x000000001BA22000-memory.dmp

    Filesize

    2.9MB

  • memory/1896-30-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

    Filesize

    32KB

  • memory/1904-16-0x000007FEF5D00000-0x000007FEF66EC000-memory.dmp

    Filesize

    9.9MB

  • memory/1904-8-0x00000000002D0000-0x00000000002F2000-memory.dmp

    Filesize

    136KB

  • memory/2324-0-0x000007FEF5D03000-0x000007FEF5D04000-memory.dmp

    Filesize

    4KB

  • memory/2324-1-0x00000000008E0000-0x0000000000930000-memory.dmp

    Filesize

    320KB

  • memory/2748-15-0x0000000001200000-0x000000000121E000-memory.dmp

    Filesize

    120KB