Analysis
- max time kernel: 145s
- max time network: 128s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07/08/2024, 21:41

Behavioral tasks
- behavioral1: Sample Cleaner.exe, Resource win7-20240729-en
- behavioral2: Sample Cleaner.exe, Resource win10v2004-20240802-en
General
- Target: Cleaner.exe
- Size: 172KB
- MD5: 9229077d00bad648e91aaf30bd096567
- SHA1: 83eba361175f6c5dd71f740d527ab853a504d15b
- SHA256: 1eca23db92c0319d414040c2ff9a240d57f806290e1f0238d696fea761c5d948
- SHA512: a8d6ac08eb8a2d74791238bfd73cda0062ac4a706bba6a61472efd4a062e2e611661a931d0d14a7edd52a833be830c254dbc14b184ae30a013687d547bc105a7
- SSDEEP: 3072:IuAN13vRxKBL+b0kb1zehFjO/G16Bz65/M6If+3Js+3JFkKeTnZ:KRYib0y1ihf16xBt25
Malware Config
Extracted family: xworm
- 127.0.0.1:1990
- Install_directory: %AppData%
- install_file: cleaner.exe
Signatures

Detect Xworm Payload (2 IoCs)
  yara_rule family_xworm: behavioral2/memory/1804-0-0x0000000000240000-0x0000000000272000-memory.dmp
  yara_rule family_xworm: behavioral2/files/0x000900000002347c-7.dat

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation (Cleaner.exe)

Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cleaner.lnk (Cleaner.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cleaner.lnk (Cleaner.exe)

Executes dropped EXE (3 IoCs)
  PID 3416 cleaner.exe
  PID 3284 cleaner.exe
  PID 4052 cleaner.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cleaner = "C:\\Users\\Admin\\AppData\\Roaming\\cleaner.exe" (Cleaner.exe)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Modifies registry class (2 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings (OpenWith.exe)
  Key created: \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings (OpenWith.exe)

Opens file in notepad (likely ransom note) (1 IoC)
  PID 1544 NOTEPAD.EXE

Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 2388 schtasks.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 1804 Cleaner.exe (64 identical entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 896 OpenWith.exe

Suspicious use of AdjustPrivilegeToken (8 IoCs)
  Token SeDebugPrivilege: PID 1804 Cleaner.exe (2 entries)
  Token SeDebugPrivilege: PID 3416 cleaner.exe
  Token SeDebugPrivilege: PID 3284 cleaner.exe
  Token SeDebugPrivilege: PID 4052 cleaner.exe
  Token 33: PID 1632 AUDIODG.EXE
  Token SeIncBasePriorityPrivilege: PID 1632 AUDIODG.EXE
  Token SeDebugPrivilege: PID 4600 Cleaner.exe

Suspicious use of SetWindowsHookEx (19 IoCs)
  PID 1804 Cleaner.exe
  PID 896 OpenWith.exe (17 identical entries)
  PID 4596 OpenWith.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  PID 1804 (Cleaner.exe) wrote to memory of PID 2388, procid_target 86 (2 entries)
  PID 896 (OpenWith.exe) wrote to memory of PID 1544, procid_target 97 (2 entries)

Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\Cleaner.exe (PID 1804, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Cleaner.exe"
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\schtasks.exe (PID 2388, depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "cleaner" /tr "C:\Users\Admin\AppData\Roaming\cleaner.exe"
    - Scheduled Task/Job: Scheduled Task

C:\Users\Admin\AppData\Roaming\cleaner.exe (PID 3416, depth 1)
  Command line: C:\Users\Admin\AppData\Roaming\cleaner.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Roaming\cleaner.exe (PID 3284, depth 1)
  Command line: C:\Users\Admin\AppData\Roaming\cleaner.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\rundll32.exe (PID 1100, depth 1)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\OpenWith.exe (PID 896, depth 1)
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\NOTEPAD.EXE (PID 1544, depth 2)
    Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Log.tmp
    - Opens file in notepad (likely ransom note)

C:\Windows\system32\OpenWith.exe (PID 4596, depth 1)
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx

C:\Users\Admin\AppData\Roaming\cleaner.exe (PID 4052, depth 1)
  Command line: C:\Users\Admin\AppData\Roaming\cleaner.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\AUDIODG.EXE (PID 1632, depth 1)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x150 0x408
  - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Local\Temp\Cleaner.exe (PID 4600, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Cleaner.exe"
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Downloads

- Filesize: 654B
  MD5: 2ff39f6c7249774be85fd60a8f9a245e
  SHA1: 684ff36b31aedc1e587c8496c02722c6698c1c4e
  SHA256: e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
  SHA512: 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

- Filesize: 114B
  MD5: c650f5290469e006b0e370d814b10054
  SHA1: 6d1a8a52fb733384fbdb9ba1baf81d12f75d1b64
  SHA256: e871981d0c2cb48911717aa9b5bb7476ba171f7c3b1b11428a5924b3543db58f
  SHA512: d9b7b8d70ef804b9a0a78cde9d1b97702558aa7d62c7df583306e632427fa74bbb44ff9b1bce692b85661ae46b7c526a7cf0d686db0bb3cb3d40e0064a399bb1

- Filesize: 172KB
  MD5: 9229077d00bad648e91aaf30bd096567
  SHA1: 83eba361175f6c5dd71f740d527ab853a504d15b
  SHA256: 1eca23db92c0319d414040c2ff9a240d57f806290e1f0238d696fea761c5d948
  SHA512: a8d6ac08eb8a2d74791238bfd73cda0062ac4a706bba6a61472efd4a062e2e611661a931d0d14a7edd52a833be830c254dbc14b184ae30a013687d547bc105a7