Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

test32_protected.exe

windows7-x64

10

test32_protected.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    06/08/2024, 01:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    test32_protected.exe

  • Size

    700KB

  • MD5

    93be0670eb47b2f8e43b624a7549a036

  • SHA1

    7d15bf25454920d5fa7b13351a4f931fb41be19b

  • SHA256

    40f4d637bcf94657f7161730970e3f56d96791bbec175b39b9447f3d129e9d2d

  • SHA512

    0524848af6b4e7490a9fa87329d2c0b3a2bcbaa7c11831e0fb608737bf90debf6d9b274fde541a2f216cc7c00fcd62f27979ed7f8eb80e02b2c43ed571786ea5

  • SSDEEP

    12288:Hgeoo7YNQT1F85ZwKd89BcF6uVd10Lqvhl/ag7Zb4UPnIpVFBpLz:VpwQJyEvO6egTg7ZbehH

Score
10/10
xwormdiscoveryrattrojan

Malware Config

Extracted

Family

xworm

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

  • pastebin_url

    https://pastebin.com/raw/FdSMTxzR

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\test32_protected.exe
    "C:\Users\Admin\AppData\Local\Temp\test32_protected.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2092
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2092 -s 672
      2⤵
      • Program crash
      PID:2572
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1652
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1760
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1760.0.19953474\928252095" -parentBuildID 20221007134813 -prefsHandle 1224 -prefMapHandle 1216 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {343f59bd-dcfb-4421-9820-dcac547a77f8} 1760 "\\.\pipe\gecko-crash-server-pipe.1760" 1300 110d9158 gpu
        3⤵
          PID:2964
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1760.1.2119939343\260924705" -parentBuildID 20221007134813 -prefsHandle 1480 -prefMapHandle 1476 -prefsLen 20928 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {206e6deb-e0cf-4127-b8d7-4a85ce241928} 1760 "\\.\pipe\gecko-crash-server-pipe.1760" 1492 e72b58 socket
          3⤵
            PID:2132
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1760.2.1290877049\626884479" -childID 1 -isForBrowser -prefsHandle 2004 -prefMapHandle 2076 -prefsLen 20966 -prefMapSize 233444 -jsInitHandle 852 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0d5ff859-e718-43b4-b68e-bf314394fe26} 1760 "\\.\pipe\gecko-crash-server-pipe.1760" 2052 11061d58 tab
            3⤵
              PID:2448
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1760.3.657145971\2037346622" -childID 2 -isForBrowser -prefsHandle 636 -prefMapHandle 1680 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 852 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e2c52eff-1a77-4db3-8ca4-b445d2d9c7fd} 1760 "\\.\pipe\gecko-crash-server-pipe.1760" 2116 e70d58 tab
              3⤵
                PID:2192
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1760.4.1990411123\1430944607" -childID 3 -isForBrowser -prefsHandle 2776 -prefMapHandle 2772 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 852 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a3867e7d-321b-44b2-b5b2-0f66430c0bad} 1760 "\\.\pipe\gecko-crash-server-pipe.1760" 2788 e62558 tab
                3⤵
                  PID:1580
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1760.5.64323416\943317346" -childID 4 -isForBrowser -prefsHandle 3812 -prefMapHandle 3808 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 852 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9675fbd2-4c46-433c-97e1-6b6244341704} 1760 "\\.\pipe\gecko-crash-server-pipe.1760" 3824 1e5b3758 tab
                  3⤵
                    PID:876
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1760.6.583534071\56274398" -childID 5 -isForBrowser -prefsHandle 3940 -prefMapHandle 3944 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 852 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4cc9aafa-0e15-458d-a548-1c9f88f81776} 1760 "\\.\pipe\gecko-crash-server-pipe.1760" 3928 1e5b2e58 tab
                    3⤵
                      PID:2424
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1760.7.86500727\1693900650" -childID 6 -isForBrowser -prefsHandle 4116 -prefMapHandle 4120 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 852 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7396517e-d011-4f4b-a549-a0738feaa75d} 1760 "\\.\pipe\gecko-crash-server-pipe.1760" 4104 1e5b4958 tab
                      3⤵
                        PID:1104

                  Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\39ptzwfm.default-release\activity-stream.discovery_stream.json.tmp
                    Filesize

                    25KB

                    MD5

                    835ae7f8eea4f02a9ebe6137df2dc679

                    SHA1

                    539c095285324df11341273e131db893eb4ac018

                    SHA256

                    6c14598d801dfc7d46e9909e44eb341c9c11f17ff5d7897bbcf48386a8e145cf

                    SHA512

                    e6fb7092063e575b7cbba714143353311732db761883821e544ed1d61c291fed4d086ebdbf833a23673b8c49c9636af59ebb58f0883a4cc1f6ab56c668d44242

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.default-release\datareporting\glean\db\data.safe.bin
                    Filesize

                    9KB

                    MD5

                    837c70341ac4b4e6812f6e1c9f7fcce9

                    SHA1

                    566b2e061243d070d476ec4f5fd9200b7ade0e47

                    SHA256

                    b250d032488e41324b6fbad6e74c8dfc59748894534f74c95a1c3a76db28867c

                    SHA512

                    f123b79634d22e3ec7c25b935eac1e84708f5bd1d5bf9cb2012bc2f2900cbec661fb43a77fbe5b2ba491b9c6044a0406e133ba81f6234eacf57bdf755433f859

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.default-release\datareporting\glean\db\data.safe.bin
                    Filesize

                    9KB

                    MD5

                    96f38411f5ff063606bb2b06c1534db9

                    SHA1

                    e2a4cc429918b5eddd0b19691e816e361052eecc

                    SHA256

                    4b117deaa40e6a72ae8535ea4bf43d56f997ebb3241799152afb9106151dac26

                    SHA512

                    7822ff09e78e139d70cdd841a6a15535ca04c2d5a9dab548901ddc9d76c81b666d4e9f54408b7be485398a120db430756fe4696d839436d36dc021760e937e66

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.default-release\datareporting\glean\pending_pings\90ddfe7f-7990-4b7d-bbe6-a5ce04ac7cdb
                    Filesize

                    733B

                    MD5

                    ddf6557d9ad5ca33ad530239478034f6

                    SHA1

                    8772fb3a2684dd37671cd4ad4f9f33da0940c49a

                    SHA256

                    3d0d92f88ddd57955a26debd78b58e855c9c60a82d1aead36e26fc710a15f3e8

                    SHA512

                    31a71d60ea9df7529423755cbe21ac96a10d1208f5b1d60860593ac6f7abfc8fed68ce232f4f0fb5c1da68d811caca78d6b652dc7183f7c9d251fe8e917b102b

                    Download Submit

                  • memory/2092-0-0x0000000001370000-0x000000000172C000-memory.dmp

                    Filesize

                    3.7MB

                    Download

                  • memory/2092-2-0x0000000073E7E000-0x0000000073E7F000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2092-3-0x0000000001370000-0x000000000172C000-memory.dmp

                    Filesize

                    3.7MB

                    Download

                  • memory/2092-4-0x0000000001370000-0x000000000172C000-memory.dmp

                    Filesize

                    3.7MB

                    Download

                  • memory/2092-5-0x0000000000360000-0x0000000000380000-memory.dmp

                    Filesize

                    128KB

                    Download

                  • memory/2092-8-0x0000000001370000-0x000000000172C000-memory.dmp

                    Filesize

                    3.7MB

                    Download

                  • memory/2092-9-0x0000000073E7E000-0x0000000073E7F000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2092-21-0x0000000001370000-0x000000000172C000-memory.dmp

                    Filesize

                    3.7MB

                    Download