Analysis
- max time kernel: 126s
- max time network: 137s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 03/08/2024, 02:01
Behavioral task behavioral1
- Sample: b6a02bede9af95adb28ce056584dfed53a2d70a8bd7b76c919392359139d39f6.exe
- Resource: win7-20240708-en
Behavioral task behavioral2
- Sample: b6a02bede9af95adb28ce056584dfed53a2d70a8bd7b76c919392359139d39f6.exe
- Resource: win10v2004-20240802-en
General
- Target: b6a02bede9af95adb28ce056584dfed53a2d70a8bd7b76c919392359139d39f6.exe
- Size: 35.0MB
- MD5: 71a8a8297116bb9e6a527c82db38ae0c
- SHA1: f42ad3f6636c5d987939033d9cb09b657fc2a76b
- SHA256: b6a02bede9af95adb28ce056584dfed53a2d70a8bd7b76c919392359139d39f6
- SHA512: f84b9b160f6cbb5b1ad7947c0ebac7cc7b24d379b3136f7ffa6becfe3bfedcda2a7008779b25334b1572a9e6f6854ec727f57b493d913cbf59a33a90e4200db9
- SSDEEP: 786432:vkudQtsmW+e5RU2j6+s7LWB75zuk2q9TqyMeLBSQryklN:vjdQt9W+eHU2qHWB75ikfNNBShWN
Malware Config
Extracted
- Family: xworm
- C2: heart-debian.gl.at.ply.gg:47573
- Install_directory: %AppData%
- install_file: system32.exe
- telegram: https://api.telegram.org/bot7458595634:AAEEmxZd7rBIYX3YZTRCO1t9uU7_yLyhcaw/sendMessage?chat_id=1473354298
Signatures

Detect Xworm Payload (4 IoCs)
  resource | yara_rule
  behavioral1/files/0x000c00000001227f-2.dat | family_xworm
  behavioral1/memory/2744-6-0x0000000001070000-0x000000000108A000-memory.dmp | family_xworm
  behavioral1/memory/2004-334-0x0000000000BA0000-0x0000000000BBA000-memory.dmp | family_xworm
  behavioral1/memory/880-337-0x0000000000BE0000-0x0000000000BFA000-memory.dmp | family_xworm

Command and Scripting Interpreter: PowerShell (1 TTPs, 4 IoCs)
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid | Process
  1520 | powershell.exe
  956 | powershell.exe
  1768 | powershell.exe
  3004 | powershell.exe

Drops startup file (2 IoCs)
  description | ioc | Process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system32.lnk | DXXPRIVATE.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system32.lnk | DXXPRIVATE.exe

Executes dropped EXE (5 IoCs)
  pid | Process
  2744 | DXXPRIVATE.exe
  2788 | DXX SOFTS PRIVATE.exe
  1904 | DXX SOFTS PRIVATE.exe
  2004 | system32.exe
  880 | system32.exe

Loads dropped DLL (5 IoCs)
  pid | Process
  2704 | b6a02bede9af95adb28ce056584dfed53a2d70a8bd7b76c919392359139d39f6.exe
  2704 | b6a02bede9af95adb28ce056584dfed53a2d70a8bd7b76c919392359139d39f6.exe
  2728 | Process not Found
  2788 | DXX SOFTS PRIVATE.exe
  1904 | DXX SOFTS PRIVATE.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\system32 = "C:\\Users\\Admin\\AppData\\Roaming\\system32.exe" | DXXPRIVATE.exe

Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  2 | ip-api.com

Detects Pyinstaller (1 IoCs)
  resource | yara_rule
  behavioral1/files/0x0008000000016d32-9.dat | pyinstaller

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b6a02bede9af95adb28ce056584dfed53a2d70a8bd7b76c919392359139d39f6.exe
Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  1256 | schtasks.exe

Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid | Process
  3004 | powershell.exe
  1520 | powershell.exe
  956 | powershell.exe
  1768 | powershell.exe
  2744 | DXXPRIVATE.exe

Suspicious use of AdjustPrivilegeToken (8 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2744 | DXXPRIVATE.exe
  Token: SeDebugPrivilege | 3004 | powershell.exe
  Token: SeDebugPrivilege | 1520 | powershell.exe
  Token: SeDebugPrivilege | 956 | powershell.exe
  Token: SeDebugPrivilege | 1768 | powershell.exe
  Token: SeDebugPrivilege | 2744 | DXXPRIVATE.exe
  Token: SeDebugPrivilege | 2004 | system32.exe
  Token: SeDebugPrivilege | 880 | system32.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
  pid | Process
  2744 | DXXPRIVATE.exe

Suspicious use of WriteProcessMemory (32 IoCs)
  description | pid | Process | procid_target
  PID 2704 wrote to memory of 2744 | 2704 | b6a02bede9af95adb28ce056584dfed53a2d70a8bd7b76c919392359139d39f6.exe | 31
  PID 2704 wrote to memory of 2744 | 2704 | b6a02bede9af95adb28ce056584dfed53a2d70a8bd7b76c919392359139d39f6.exe | 31
  PID 2704 wrote to memory of 2744 | 2704 | b6a02bede9af95adb28ce056584dfed53a2d70a8bd7b76c919392359139d39f6.exe | 31
  PID 2704 wrote to memory of 2744 | 2704 | b6a02bede9af95adb28ce056584dfed53a2d70a8bd7b76c919392359139d39f6.exe | 31
  PID 2704 wrote to memory of 2788 | 2704 | b6a02bede9af95adb28ce056584dfed53a2d70a8bd7b76c919392359139d39f6.exe | 32
  PID 2704 wrote to memory of 2788 | 2704 | b6a02bede9af95adb28ce056584dfed53a2d70a8bd7b76c919392359139d39f6.exe | 32
  PID 2704 wrote to memory of 2788 | 2704 | b6a02bede9af95adb28ce056584dfed53a2d70a8bd7b76c919392359139d39f6.exe | 32
  PID 2704 wrote to memory of 2788 | 2704 | b6a02bede9af95adb28ce056584dfed53a2d70a8bd7b76c919392359139d39f6.exe | 32
  PID 2788 wrote to memory of 1904 | 2788 | DXX SOFTS PRIVATE.exe | 34
  PID 2788 wrote to memory of 1904 | 2788 | DXX SOFTS PRIVATE.exe | 34
  PID 2788 wrote to memory of 1904 | 2788 | DXX SOFTS PRIVATE.exe | 34
  PID 2744 wrote to memory of 3004 | 2744 | DXXPRIVATE.exe | 36
  PID 2744 wrote to memory of 3004 | 2744 | DXXPRIVATE.exe | 36
  PID 2744 wrote to memory of 3004 | 2744 | DXXPRIVATE.exe | 36
  PID 2744 wrote to memory of 1520 | 2744 | DXXPRIVATE.exe | 38
  PID 2744 wrote to memory of 1520 | 2744 | DXXPRIVATE.exe | 38
  PID 2744 wrote to memory of 1520 | 2744 | DXXPRIVATE.exe | 38
  PID 2744 wrote to memory of 956 | 2744 | DXXPRIVATE.exe | 40
  PID 2744 wrote to memory of 956 | 2744 | DXXPRIVATE.exe | 40
  PID 2744 wrote to memory of 956 | 2744 | DXXPRIVATE.exe | 40
  PID 2744 wrote to memory of 1768 | 2744 | DXXPRIVATE.exe | 42
  PID 2744 wrote to memory of 1768 | 2744 | DXXPRIVATE.exe | 42
  PID 2744 wrote to memory of 1768 | 2744 | DXXPRIVATE.exe | 42
  PID 2744 wrote to memory of 1256 | 2744 | DXXPRIVATE.exe | 44
  PID 2744 wrote to memory of 1256 | 2744 | DXXPRIVATE.exe | 44
  PID 2744 wrote to memory of 1256 | 2744 | DXXPRIVATE.exe | 44
  PID 2044 wrote to memory of 2004 | 2044 | taskeng.exe | 47
  PID 2044 wrote to memory of 2004 | 2044 | taskeng.exe | 47
  PID 2044 wrote to memory of 2004 | 2044 | taskeng.exe | 47
  PID 2044 wrote to memory of 880 | 2044 | taskeng.exe | 48
  PID 2044 wrote to memory of 880 | 2044 | taskeng.exe | 48
  PID 2044 wrote to memory of 880 | 2044 | taskeng.exe | 48

Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

- C:\Users\Admin\AppData\Local\Temp\b6a02bede9af95adb28ce056584dfed53a2d70a8bd7b76c919392359139d39f6.exe (PID 2704, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b6a02bede9af95adb28ce056584dfed53a2d70a8bd7b76c919392359139d39f6.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\DXXPRIVATE.exe (PID 2744, depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\DXXPRIVATE.exe"
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3004, depth 3)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\DXXPRIVATE.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1520, depth 3)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'DXXPRIVATE.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 956, depth 3)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\system32.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1768, depth 3)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'system32.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    - C:\Windows\System32\schtasks.exe (PID 1256, depth 3)
      Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "system32" /tr "C:\Users\Admin\AppData\Roaming\system32.exe"
      - Scheduled Task/Job: Scheduled Task

  - C:\Users\Admin\AppData\Local\Temp\DXX SOFTS PRIVATE.exe (PID 2788, depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\DXX SOFTS PRIVATE.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    - C:\Users\Admin\AppData\Local\Temp\DXX SOFTS PRIVATE.exe (PID 1904, depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\DXX SOFTS PRIVATE.exe"
      - Executes dropped EXE
      - Loads dropped DLL

- C:\Windows\system32\taskeng.exe (PID 2044, depth 1)
  Command line: taskeng.exe {4EBE3D75-3D36-4D53-A799-00AF27A40054} S-1-5-21-940600906-3464502421-4240639183-1000:MGWWAYYN\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Roaming\system32.exe (PID 2004, depth 2)
    Command line: C:\Users\Admin\AppData\Roaming\system32.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

  - C:\Users\Admin\AppData\Roaming\system32.exe (PID 880, depth 2)
    Command line: C:\Users\Admin\AppData\Roaming\system32.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15

Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)

Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Downloads

- Filesize: 5.5MB
  MD5: 65e381a0b1bc05f71c139b0c7a5b8eb2
  SHA1: 7c4a3adf21ebcee5405288fc81fc4be75019d472
  SHA256: 53a969094231b9032abe4148939ce08a3a4e4b30b0459fc7d90c89f65e8dcd4a
  SHA512: 4db465ef927dfb019ab6faec3a3538b0c3a8693ea3c2148fd16163bf31c03c899dfdf350c31457edf64e671e3cc3e46851f32f0f84b267535bebc4768ef53d39

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WZJN0RJ7606YK5HPNR4Y.temp
  Filesize: 7KB
  MD5: 0e660ebe385cfad8c033c2e8a9d70e6a
  SHA1: 2a11275246e34ac45d803eaed30e3ab4ff1d8a7d
  SHA256: c4611783945ba88c887e92a10caeceac56b1e21e9fea87d09f530dd5276c2b40
  SHA512: 20ce357f3963b41a12715f9e088ae43e1ff9d972ca502af5bc237d7fb67a3ca2ff7fde6259804341932a431f033fd2a2b65cd2d1f7eedb19c16006d550b22df0

- Filesize: 34.9MB
  MD5: 75d32588eb6d63a219979c4d426f6b24
  SHA1: 7418f040c081e3a3fa941da7b2596c53eb14e13f
  SHA256: 25d1dad3e5662b215e5b05f51db5e24714fdd2b5db9c424d7e11677be0c32808
  SHA512: c3d20730fa5e4e5558b535069ea45df0d30638e49a33dff83662efd895ea519836291581b85f4b21ce84d2aece344a462ecb03cfb497fab9912a83f4f82d43e9

- Filesize: 77KB
  MD5: 0023d5028225136e000201652d675318
  SHA1: 2c0c6c975e263d88225916db67f4dff50c577380
  SHA256: fc975db05fc20acc0c6bfefc517f9c54487857c0332877036408035a95677a68
  SHA512: c842faccb9de56d38de1112799fb9bbead47fdbeaf70f1d0159dd0a6516b848040d33793163a1fbb6212fff8ad17925c67720c900c36b218cdd349a2dd08087f