Resubmissions

07/08/2024, 21:46 UTC

240807-1m3qgayapb 10

07/08/2024, 21:41 UTC

240807-1jzveavbnj 10

Analysis

  • max time kernel
    145s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/08/2024, 21:41 UTC

General

  • Target

    Cleaner.exe

  • Size

    172KB

  • MD5

    9229077d00bad648e91aaf30bd096567

  • SHA1

    83eba361175f6c5dd71f740d527ab853a504d15b

  • SHA256

    1eca23db92c0319d414040c2ff9a240d57f806290e1f0238d696fea761c5d948

  • SHA512

    a8d6ac08eb8a2d74791238bfd73cda0062ac4a706bba6a61472efd4a062e2e611661a931d0d14a7edd52a833be830c254dbc14b184ae30a013687d547bc105a7

  • SSDEEP

    3072:IuAN13vRxKBL+b0kb1zehFjO/G16Bz65/M6If+3Js+3JFkKeTnZ:KRYib0y1ihf16xBt25

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:1990

Attributes
  • Install_directory

    %AppData%

  • install_file

    cleaner.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 2 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 19 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Cleaner.exe
    "C:\Users\Admin\AppData\Local\Temp\Cleaner.exe"
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1804
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "cleaner" /tr "C:\Users\Admin\AppData\Roaming\cleaner.exe"
      • Scheduled Task/Job: Scheduled Task
      PID:2388
  • C:\Users\Admin\AppData\Roaming\cleaner.exe
    C:\Users\Admin\AppData\Roaming\cleaner.exe
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3416
  • C:\Users\Admin\AppData\Roaming\cleaner.exe
    C:\Users\Admin\AppData\Roaming\cleaner.exe
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3284
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    PID:1100
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:896
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Log.tmp
      • Opens file in notepad (likely ransom note)
      PID:1544
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4596
  • C:\Users\Admin\AppData\Roaming\cleaner.exe
    C:\Users\Admin\AppData\Roaming\cleaner.exe
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4052
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x150 0x408
    • Suspicious use of AdjustPrivilegeToken
    PID:1632
  • C:\Users\Admin\AppData\Local\Temp\Cleaner.exe
    "C:\Users\Admin\AppData\Local\Temp\Cleaner.exe"
    • Suspicious use of AdjustPrivilegeToken
    PID:4600

Network

  • DNS 69.31.126.40.in-addr.arpa, IN PTR, remote 8.8.8.8:53, response: (empty)
  • DNS 172.210.232.199.in-addr.arpa, IN PTR, remote 8.8.8.8:53, response: (empty)
  • DNS 172.210.232.199.in-addr.arpa, IN PTR, remote 8.8.8.8:53, no response recorded
  • DNS 55.36.223.20.in-addr.arpa, IN PTR, remote 8.8.8.8:53, response: (empty)
  • DNS 95.221.229.192.in-addr.arpa, IN PTR, remote 8.8.8.8:53, response: (empty)
  • DNS 183.59.114.20.in-addr.arpa, IN PTR, remote 8.8.8.8:53, response: (empty)
  • DNS 206.23.85.13.in-addr.arpa, IN PTR, remote 8.8.8.8:53, response: (empty)
  • DNS 73.190.18.2.in-addr.arpa, IN PTR, remote 8.8.8.8:53, response: PTR a2-18-190-73.deploy.static.akamaitechnologies.com
  • DNS 40.58.20.217.in-addr.arpa, IN PTR, remote 8.8.8.8:53, response: (empty)
  • DNS 30.243.111.52.in-addr.arpa, IN PTR, remote 8.8.8.8:53, response: (empty)
  • 127.0.0.1:1990, Cleaner.exe (17 identical connection entries)
  • 8.8.8.8:53, 69.31.126.40.in-addr.arpa, dns, 71 B tx / 157 B rx, 1 packet tx / 1 rx; DNS request: 69.31.126.40.in-addr.arpa
  • 8.8.8.8:53, 172.210.232.199.in-addr.arpa, dns, 148 B tx / 128 B rx, 2 packets tx / 1 rx; DNS requests: 172.210.232.199.in-addr.arpa, 172.210.232.199.in-addr.arpa
  • 8.8.8.8:53, 95.221.229.192.in-addr.arpa, dns, 73 B tx / 144 B rx, 1 packet tx / 1 rx; DNS request: 95.221.229.192.in-addr.arpa
  • 8.8.8.8:53, 55.36.223.20.in-addr.arpa, dns, 71 B tx / 157 B rx, 1 packet tx / 1 rx; DNS request: 55.36.223.20.in-addr.arpa
  • 8.8.8.8:53, 183.59.114.20.in-addr.arpa, dns, 72 B tx / 158 B rx, 1 packet tx / 1 rx; DNS request: 183.59.114.20.in-addr.arpa
  • 8.8.8.8:53, 206.23.85.13.in-addr.arpa, dns, 71 B tx / 145 B rx, 1 packet tx / 1 rx; DNS request: 206.23.85.13.in-addr.arpa
  • 8.8.8.8:53, 73.190.18.2.in-addr.arpa, dns, 70 B tx / 133 B rx, 1 packet tx / 1 rx; DNS request: 73.190.18.2.in-addr.arpa
  • 8.8.8.8:53, 40.58.20.217.in-addr.arpa, dns, 71 B tx / 131 B rx, 1 packet tx / 1 rx; DNS request: 40.58.20.217.in-addr.arpa
  • 8.8.8.8:53, 30.243.111.52.in-addr.arpa, dns, 72 B tx / 158 B rx, 1 packet tx / 1 rx; DNS request: 30.243.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\cleaner.exe.log

      Filesize

      654B

      MD5

      2ff39f6c7249774be85fd60a8f9a245e

      SHA1

      684ff36b31aedc1e587c8496c02722c6698c1c4e

      SHA256

      e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

      SHA512

      1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

    • C:\Users\Admin\AppData\Local\Temp\Log.tmp

      Filesize

      114B

      MD5

      c650f5290469e006b0e370d814b10054

      SHA1

      6d1a8a52fb733384fbdb9ba1baf81d12f75d1b64

      SHA256

      e871981d0c2cb48911717aa9b5bb7476ba171f7c3b1b11428a5924b3543db58f

      SHA512

      d9b7b8d70ef804b9a0a78cde9d1b97702558aa7d62c7df583306e632427fa74bbb44ff9b1bce692b85661ae46b7c526a7cf0d686db0bb3cb3d40e0064a399bb1

    • C:\Users\Admin\AppData\Roaming\cleaner.exe

      Filesize

      172KB

      MD5

      9229077d00bad648e91aaf30bd096567

      SHA1

      83eba361175f6c5dd71f740d527ab853a504d15b

      SHA256

      1eca23db92c0319d414040c2ff9a240d57f806290e1f0238d696fea761c5d948

      SHA512

      a8d6ac08eb8a2d74791238bfd73cda0062ac4a706bba6a61472efd4a062e2e611661a931d0d14a7edd52a833be830c254dbc14b184ae30a013687d547bc105a7

    • memory/1804-1-0x00007FFF9EEC3000-0x00007FFF9EEC5000-memory.dmp

      Filesize

      8KB

    • memory/1804-0-0x0000000000240000-0x0000000000272000-memory.dmp

      Filesize

      200KB

    • memory/1804-6-0x00007FFF9EEC0000-0x00007FFF9F981000-memory.dmp

      Filesize

      10.8MB

    • memory/1804-12-0x00007FFF9EEC3000-0x00007FFF9EEC5000-memory.dmp

      Filesize

      8KB

    • memory/1804-13-0x00007FFF9EEC0000-0x00007FFF9F981000-memory.dmp

      Filesize

      10.8MB

    • memory/3416-9-0x00007FFF9EEC0000-0x00007FFF9F981000-memory.dmp

      Filesize

      10.8MB

    • memory/3416-11-0x00007FFF9EEC0000-0x00007FFF9F981000-memory.dmp

      Filesize

      10.8MB