Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    126s
  • max time network
    137s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    03/08/2024, 02:01

General

  • Target

    b6a02bede9af95adb28ce056584dfed53a2d70a8bd7b76c919392359139d39f6.exe

  • Size

    35.0MB

  • MD5

    71a8a8297116bb9e6a527c82db38ae0c

  • SHA1

    f42ad3f6636c5d987939033d9cb09b657fc2a76b

  • SHA256

    b6a02bede9af95adb28ce056584dfed53a2d70a8bd7b76c919392359139d39f6

  • SHA512

    f84b9b160f6cbb5b1ad7947c0ebac7cc7b24d379b3136f7ffa6becfe3bfedcda2a7008779b25334b1572a9e6f6854ec727f57b493d913cbf59a33a90e4200db9

  • SSDEEP

    786432:vkudQtsmW+e5RU2j6+s7LWB75zuk2q9TqyMeLBSQryklN:vjdQt9W+eHU2qHWB75ikfNNBShWN

Malware Config

Extracted

Family

xworm

C2

heart-debian.gl.at.ply.gg:47573

Attributes
  • Install_directory

    %AppData%

  • install_file

    system32.exe

  • telegram

    https://api.telegram.org/bot7458595634:AAEEmxZd7rBIYX3YZTRCO1t9uU7_yLyhcaw/sendMessage?chat_id=1473354298

Signatures

  • Detect Xworm Payload 4 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Detects Pyinstaller 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\b6a02bede9af95adb28ce056584dfed53a2d70a8bd7b76c919392359139d39f6.exe
    "C:\Users\Admin\AppData\Local\Temp\b6a02bede9af95adb28ce056584dfed53a2d70a8bd7b76c919392359139d39f6.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2704
    • C:\Users\Admin\AppData\Local\Temp\DXXPRIVATE.exe
      "C:\Users\Admin\AppData\Local\Temp\DXXPRIVATE.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2744
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\DXXPRIVATE.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3004
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'DXXPRIVATE.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1520
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\system32.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:956
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'system32.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1768
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "system32" /tr "C:\Users\Admin\AppData\Roaming\system32.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:1256
    • C:\Users\Admin\AppData\Local\Temp\DXX SOFTS PRIVATE.exe
      "C:\Users\Admin\AppData\Local\Temp\DXX SOFTS PRIVATE.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2788
      • C:\Users\Admin\AppData\Local\Temp\DXX SOFTS PRIVATE.exe
        "C:\Users\Admin\AppData\Local\Temp\DXX SOFTS PRIVATE.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:1904
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {4EBE3D75-3D36-4D53-A799-00AF27A40054} S-1-5-21-940600906-3464502421-4240639183-1000:MGWWAYYN\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2044
    • C:\Users\Admin\AppData\Roaming\system32.exe
      C:\Users\Admin\AppData\Roaming\system32.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2004
    • C:\Users\Admin\AppData\Roaming\system32.exe
      C:\Users\Admin\AppData\Roaming\system32.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:880

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_MEI27882\python311.dll

    Filesize

    5.5MB

    MD5

    65e381a0b1bc05f71c139b0c7a5b8eb2

    SHA1

    7c4a3adf21ebcee5405288fc81fc4be75019d472

    SHA256

    53a969094231b9032abe4148939ce08a3a4e4b30b0459fc7d90c89f65e8dcd4a

    SHA512

    4db465ef927dfb019ab6faec3a3538b0c3a8693ea3c2148fd16163bf31c03c899dfdf350c31457edf64e671e3cc3e46851f32f0f84b267535bebc4768ef53d39

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WZJN0RJ7606YK5HPNR4Y.temp

    Filesize

    7KB

    MD5

    0e660ebe385cfad8c033c2e8a9d70e6a

    SHA1

    2a11275246e34ac45d803eaed30e3ab4ff1d8a7d

    SHA256

    c4611783945ba88c887e92a10caeceac56b1e21e9fea87d09f530dd5276c2b40

    SHA512

    20ce357f3963b41a12715f9e088ae43e1ff9d972ca502af5bc237d7fb67a3ca2ff7fde6259804341932a431f033fd2a2b65cd2d1f7eedb19c16006d550b22df0

  • \Users\Admin\AppData\Local\Temp\DXX SOFTS PRIVATE.exe

    Filesize

    34.9MB

    MD5

    75d32588eb6d63a219979c4d426f6b24

    SHA1

    7418f040c081e3a3fa941da7b2596c53eb14e13f

    SHA256

    25d1dad3e5662b215e5b05f51db5e24714fdd2b5db9c424d7e11677be0c32808

    SHA512

    c3d20730fa5e4e5558b535069ea45df0d30638e49a33dff83662efd895ea519836291581b85f4b21ce84d2aece344a462ecb03cfb497fab9912a83f4f82d43e9

  • \Users\Admin\AppData\Local\Temp\DXXPRIVATE.exe

    Filesize

    77KB

    MD5

    0023d5028225136e000201652d675318

    SHA1

    2c0c6c975e263d88225916db67f4dff50c577380

    SHA256

    fc975db05fc20acc0c6bfefc517f9c54487857c0332877036408035a95677a68

    SHA512

    c842faccb9de56d38de1112799fb9bbead47fdbeaf70f1d0159dd0a6516b848040d33793163a1fbb6212fff8ad17925c67720c900c36b218cdd349a2dd08087f

  • memory/880-337-0x0000000000BE0000-0x0000000000BFA000-memory.dmp

    Filesize

    104KB

  • memory/1520-173-0x000000001B610000-0x000000001B8F2000-memory.dmp

    Filesize

    2.9MB

  • memory/1520-174-0x0000000001E10000-0x0000000001E18000-memory.dmp

    Filesize

    32KB

  • memory/2004-334-0x0000000000BA0000-0x0000000000BBA000-memory.dmp

    Filesize

    104KB

  • memory/2704-12-0x0000000000400000-0x0000000002700000-memory.dmp

    Filesize

    35.0MB

  • memory/2744-6-0x0000000001070000-0x000000000108A000-memory.dmp

    Filesize

    104KB

  • memory/3004-167-0x0000000002A70000-0x0000000002A78000-memory.dmp

    Filesize

    32KB

  • memory/3004-166-0x000000001B540000-0x000000001B822000-memory.dmp

    Filesize

    2.9MB