Analysis
max time kernel: 66s
max time network: 67s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 18/08/2024, 18:34
Behavioral task
behavioral1
Sample: erteterteret.exe
Resource: win7-20240708-en
Errors
General
Target: erteterteret.exe
Size: 177KB
MD5: 858162036ca676172602e7f20396294d
SHA1: 98a1816c6f93aad44e89bbd40ffc5be75528fff6
SHA256: 3706d906a279ab466f5c526dea3e804ce378ac164fcdc49a1184190669f8f934
SHA512: 9206535c14c4a2c61d06f5e52ffc513663c73c00d4ac2dae7f9f0f038a503e091e8a003d794674df2b23f8d23f3e7ecba956c3d24a77babc73cd83cda2b114c4
SSDEEP: 3072:W9vmZA2wRabTfnm/KOYqPtBz65/M6If+3Js+3JFkKeTn6:W9gdw0bzmMExBt25
Malware Config
Extracted
Family: xworm
C2: email-champions.gl.at.ply.gg:33429
C2: took-chance.gl.at.ply.gg:33429
Install_directory: %AppData%
install_file: MsBusDriver.exe
telegram: https://api.telegram.org/bot6814850214:AAGtrnkhUh3vMq-wH7W5cvNuSWLdcy7mtis/sendMessage?chat_id=7094837950
Signatures

Detect Xworm Payload (3 IoCs)
  resource                                                                     yara_rule
  behavioral1/memory/2420-1-0x00000000010E0000-0x0000000001112000-memory.dmp   family_xworm
  behavioral1/files/0x000b000000017093-33.dat                                  family_xworm
  behavioral1/memory/2064-35-0x0000000001380000-0x00000000013B2000-memory.dmp  family_xworm

Command and Scripting Interpreter: PowerShell (1 TTPs, 4 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid   Process
  2724  powershell.exe
  2656  powershell.exe
  2660  powershell.exe
  2832  powershell.exe

Executes dropped EXE (1 IoCs)
  pid   Process
  2064  MicrosoftEdgeUpdate937498302

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  4     ip-api.com

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  2696  schtasks.exe

Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid   Process
  2832  powershell.exe
  2724  powershell.exe
  2656  powershell.exe
  2660  powershell.exe
  2420  erteterteret.exe

Suspicious use of AdjustPrivilegeToken (9 IoCs)
  description                         pid   Process
  Token: SeDebugPrivilege             2420  erteterteret.exe
  Token: SeDebugPrivilege             2832  powershell.exe
  Token: SeDebugPrivilege             2724  powershell.exe
  Token: SeDebugPrivilege             2656  powershell.exe
  Token: SeDebugPrivilege             2660  powershell.exe
  Token: SeDebugPrivilege             2420  erteterteret.exe
  Token: SeDebugPrivilege             2064  MicrosoftEdgeUpdate937498302
  Token: SeShutdownPrivilege          264   shutdown.exe
  Token: SeRemoteShutdownPrivilege    264   shutdown.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
  pid   Process
  2420  erteterteret.exe

Suspicious use of WriteProcessMemory (21 IoCs)
  description                          pid   Process           procid_target
  PID 2420 wrote to memory of 2832     2420  erteterteret.exe  32
  PID 2420 wrote to memory of 2832     2420  erteterteret.exe  32
  PID 2420 wrote to memory of 2832     2420  erteterteret.exe  32
  PID 2420 wrote to memory of 2724     2420  erteterteret.exe  34
  PID 2420 wrote to memory of 2724     2420  erteterteret.exe  34
  PID 2420 wrote to memory of 2724     2420  erteterteret.exe  34
  PID 2420 wrote to memory of 2656     2420  erteterteret.exe  36
  PID 2420 wrote to memory of 2656     2420  erteterteret.exe  36
  PID 2420 wrote to memory of 2656     2420  erteterteret.exe  36
  PID 2420 wrote to memory of 2660     2420  erteterteret.exe  38
  PID 2420 wrote to memory of 2660     2420  erteterteret.exe  38
  PID 2420 wrote to memory of 2660     2420  erteterteret.exe  38
  PID 2420 wrote to memory of 2696     2420  erteterteret.exe  40
  PID 2420 wrote to memory of 2696     2420  erteterteret.exe  40
  PID 2420 wrote to memory of 2696     2420  erteterteret.exe  40
  PID 2940 wrote to memory of 2064     2940  taskeng.exe       43
  PID 2940 wrote to memory of 2064     2940  taskeng.exe       43
  PID 2940 wrote to memory of 2064     2940  taskeng.exe       43
  PID 2420 wrote to memory of 264      2420  erteterteret.exe  44
  PID 2420 wrote to memory of 264      2420  erteterteret.exe  44
  PID 2420 wrote to memory of 264      2420  erteterteret.exe  44

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\erteterteret.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\erteterteret.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2420

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\erteterteret.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID:2832

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'erteterteret.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID:2724

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdate937498302'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID:2656

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'MicrosoftEdgeUpdate937498302'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID:2660

    C:\Windows\System32\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "MicrosoftEdgeUpdate937498302" /tr "C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdate937498302"
      - Scheduled Task/Job: Scheduled Task
      PID:2696

    C:\Windows\system32\shutdown.exe
      Command line: shutdown.exe /f /s /t 0
      - Suspicious use of AdjustPrivilegeToken
      PID:264

C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {1B70FE36-EB6A-409D-8DF9-061169FD39F2} S-1-5-21-2958949473-3205530200-1453100116-1000:WHMFPZKA\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  PID:2940

    C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdate937498302
      Command line: C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdate937498302
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID:2064

C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x0
  PID:404

C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x1
  PID:1604
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 177KB
MD5: 858162036ca676172602e7f20396294d
SHA1: 98a1816c6f93aad44e89bbd40ffc5be75528fff6
SHA256: 3706d906a279ab466f5c526dea3e804ce378ac164fcdc49a1184190669f8f934
SHA512: 9206535c14c4a2c61d06f5e52ffc513663c73c00d4ac2dae7f9f0f038a503e091e8a003d794674df2b23f8d23f3e7ecba956c3d24a77babc73cd83cda2b114c4

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7NQDGD5UKEMQDY30VH8B.temp
Filesize: 7KB
MD5: 7dea417b199161c5e642b23534b9a7a3
SHA1: 59e1cddb00f5d409f24fac8f1eb9ece5afedc022
SHA256: 336bfa041bf539249fbd8d3b5a9e47b9a1c0b9b2fe2109e6393eea7ce795a0c4
SHA512: 2649abc3f3293c50717a1a3b19be84a1fedd3cae70613cf0575782b76b2896a53dd8b60a814e8f70274443b9ab63aa5eb1e411f7ccbf29e7478e21031fbb52dd