Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
294s -
max time network
298s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
21/08/2024, 02:22
Static task
static1
Behavioral task
behavioral1
Sample
XWorm.exe
Resource
win10v2004-20240802-en
General
-
Target
XWorm.exe
-
Size
13.5MB
-
MD5
1e7daac9ab67c09a7ca1ebceae3326b2
-
SHA1
7312fc660bf03b863de0d4346e3ef462724626e6
-
SHA256
5bfca9c997f452d4f001abcdfdd1115aa0ef97d5ba2cc48b4523f6fb87a0ba7a
-
SHA512
5dd037b2f5e0e71c1190c3d300f257ae3fb5f2f9eac142d03e702058f960c9017f1511767a38403f00aae8ee73d6d5ac91095e8389e6fbc254ea2dbf82d7be90
-
SSDEEP
196608:KOI24UT0mBlShweFDkiVl9qDgC4lukrWuPqllxlshCsWHmn:KOI2pi7dkiVqUJ5rWdtlsMsWHmn
Malware Config
Extracted
xworm
5.0
las-protected.gl.at.ply.gg:59571
57uEOC4VgAs3IeCB
-
Install_directory
%Userprofile%
-
install_file
Uni.exe
Signatures
-
Detect Xworm Payload 2 IoCs
resource yara_rule behavioral1/files/0x000a0000000234df-60.dat family_xworm behavioral1/memory/1280-62-0x0000000000F10000-0x0000000000F20000-memory.dmp family_xworm -
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 1 IoCs
resource yara_rule behavioral1/memory/1280-142-0x000000001D3C0000-0x000000001D4E0000-memory.dmp family_stormkitty -
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 4664 powershell.exe 1716 powershell.exe 2948 powershell.exe 3664 powershell.exe -
Manipulates Digital Signatures 1 TTPs 3 IoCs
Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.1!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION" certutil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.2!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION" certutil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.3!7\Name = "szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL" certutil.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation XWorm.exe Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation Uni.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Uni.lnk Uni.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Uni.lnk Uni.exe -
Executes dropped EXE 7 IoCs
pid Process 4664 SeroXen.exe 1280 Uni.exe 3400 Uni.exe 4148 Uni.exe 2660 Uni.exe 5116 Uni.exe 2224 Uni.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Uni = "C:\\Users\\Admin\\Uni.exe" Uni.exe -
pid Process 3652 certutil.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 31 ip-api.com -
Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language XWorm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language certutil.exe -
System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 1 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
pid Process 4504 netsh.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 636 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 17 IoCs
pid Process 4600 powershell.exe 4600 powershell.exe 2948 powershell.exe 2948 powershell.exe 2948 powershell.exe 3664 powershell.exe 3664 powershell.exe 3664 powershell.exe 4664 powershell.exe 4664 powershell.exe 4664 powershell.exe 1716 powershell.exe 1716 powershell.exe 1716 powershell.exe 1280 Uni.exe 1280 Uni.exe 1280 Uni.exe -
Suspicious use of AdjustPrivilegeToken 12 IoCs
description pid Process Token: SeDebugPrivilege 4600 powershell.exe Token: SeDebugPrivilege 1280 Uni.exe Token: SeDebugPrivilege 2948 powershell.exe Token: SeDebugPrivilege 3664 powershell.exe Token: SeDebugPrivilege 4664 powershell.exe Token: SeDebugPrivilege 1716 powershell.exe Token: SeDebugPrivilege 1280 Uni.exe Token: SeDebugPrivilege 3400 Uni.exe Token: SeDebugPrivilege 4148 Uni.exe Token: SeDebugPrivilege 2660 Uni.exe Token: SeDebugPrivilege 5116 Uni.exe Token: SeDebugPrivilege 2224 Uni.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1280 Uni.exe -
Suspicious use of WriteProcessMemory 27 IoCs
description pid Process procid_target PID 1692 wrote to memory of 4600 1692 XWorm.exe 86 PID 1692 wrote to memory of 4600 1692 XWorm.exe 86 PID 1692 wrote to memory of 4600 1692 XWorm.exe 86 PID 1692 wrote to memory of 4664 1692 XWorm.exe 88 PID 1692 wrote to memory of 4664 1692 XWorm.exe 88 PID 1692 wrote to memory of 2244 1692 XWorm.exe 89 PID 1692 wrote to memory of 2244 1692 XWorm.exe 89 PID 1692 wrote to memory of 2244 1692 XWorm.exe 89 PID 2244 wrote to memory of 3652 2244 cmd.exe 93 PID 2244 wrote to memory of 3652 2244 cmd.exe 93 PID 2244 wrote to memory of 3652 2244 cmd.exe 93 PID 2244 wrote to memory of 1280 2244 cmd.exe 97 PID 2244 wrote to memory of 1280 2244 cmd.exe 97 PID 1280 wrote to memory of 2948 1280 Uni.exe 104 PID 1280 wrote to memory of 2948 1280 Uni.exe 104 PID 1280 wrote to memory of 3664 1280 Uni.exe 106 PID 1280 wrote to memory of 3664 1280 Uni.exe 106 PID 1280 wrote to memory of 4664 1280 Uni.exe 108 PID 1280 wrote to memory of 4664 1280 Uni.exe 108 PID 1280 wrote to memory of 1716 1280 Uni.exe 110 PID 1280 wrote to memory of 1716 1280 Uni.exe 110 PID 1280 wrote to memory of 636 1280 Uni.exe 113 PID 1280 wrote to memory of 636 1280 Uni.exe 113 PID 1280 wrote to memory of 2296 1280 Uni.exe 131 PID 1280 wrote to memory of 2296 1280 Uni.exe 131 PID 2296 wrote to memory of 4504 2296 cmd.exe 133 PID 2296 wrote to memory of 4504 2296 cmd.exe 133 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\XWorm.exe"C:\Users\Admin\AppData\Local\Temp\XWorm.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1692 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGUAawB2ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGgAeABlACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGkAawBsACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGsAcwB2ACMAPgA="2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4600
-
-
C:\Users\Admin\SeroXen.exe"C:\Users\Admin\SeroXen.exe"2⤵
- Executes dropped EXE
PID:4664
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Uni.bat" "2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Windows\SysWOW64\certutil.execertutil -decodehex temp.hex "Uni.exe"3⤵
- Manipulates Digital Signatures
- Deobfuscate/Decode Files or Information
- System Location Discovery: System Language Discovery
PID:3652
-
-
C:\Users\Admin\AppData\Local\Temp\Uni.exeUni.exe3⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1280 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Uni.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2948
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Uni.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3664
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Uni.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4664
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Uni.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1716
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Uni" /tr "C:\Users\Admin\Uni.exe"4⤵
- Scheduled Task/Job: Scheduled Task
PID:636
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd"4⤵
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\Windows\system32\netsh.exenetsh wlan show profiles5⤵
- Event Triggered Execution: Netsh Helper DLL
- System Network Configuration Discovery: Wi-Fi Discovery
PID:4504
-
-
-
-
-
C:\Users\Admin\Uni.exeC:\Users\Admin\Uni.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3400
-
C:\Users\Admin\Uni.exeC:\Users\Admin\Uni.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4148
-
C:\Users\Admin\Uni.exeC:\Users\Admin\Uni.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2660
-
C:\Users\Admin\Uni.exeC:\Users\Admin\Uni.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5116
-
C:\Users\Admin\Uni.exeC:\Users\Admin\Uni.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2224
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Deobfuscate/Decode Files or Information
1Modify Registry
1Obfuscated Files or Information
1Command Obfuscation
1Subvert Trust Controls
1SIP and Trust Provider Hijacking
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
654B
MD52ff39f6c7249774be85fd60a8f9a245e
SHA1684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA5121d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD59b80cd7a712469a4c45fec564313d9eb
SHA16125c01bc10d204ca36ad1110afe714678655f2d
SHA2565a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d
SHA512ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584
-
Filesize
944B
MD56b1ebf854dcf0ccd1e6d8d6de83a0f57
SHA101ddcbfe5faa3a87240cf61177f32cef5c3b9c88
SHA2560361076a981e7f8101ba8eed35f1bb85b2d88ea3d91082ef83c5c77b4f51c178
SHA5127e32cc0c0a14d8ecd8d2a6729569932353dab8c5f4070ad30a4c1ac9b94274d840f9a68b33982375116a0a9e0e610a4c4265f083b44c193709d69195602838f0
-
Filesize
944B
MD5b51dc9e5ec3c97f72b4ca9488bbb4462
SHA15c1e8c0b728cd124edcacefb399bbd5e25b21bd3
SHA256976f9534aa2976c85c2455bdde786a3f55d63aefdd40942eba1223c4c93590db
SHA5120e5aa6cf64c535aefb833e5757b68e1094c87424abe2615a7d7d26b1b31eff358d12e36e75ca57fd690a9919b776600bf4c5c0e5a5df55366ba62238bdf3f280
-
Filesize
18KB
MD5d79d8f8781a053d2b73699773468fe9a
SHA1174df4f543a33a51988a561a1fa841f424009d04
SHA256989f8b28fe69178def4a25b47b43d37c776ec50592934fb1693acdcee286bf05
SHA51263baaf9cd27b3769ebd5863ecd5b600ae759ab8567fb68ab2f74bc284a8558df0cff011fb9a625b068180fb7eadee6e89cc58a5676f29e6255eaa279757686e8
-
Filesize
41KB
MD509e870076cfaa16f20be5050834ba8ff
SHA10b8b26cdaf08a07b8e86b1643ca23e249c8f3840
SHA256f3fcb094f57ddd9e4c29eccc62e3ad3ce50d40230fbe0f00324ccf18acd68bc4
SHA512d655030bf9bb84ecdd7109aab55c33976e2a2cbd63ccece48d3e881b1dd378e4e17f157a3dd9a07e8786650cbf46b8d742a115cb9906c9b69d7143c2b4de0643
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
5.0MB
MD581412f7f844b75a6c65ed71eac0b9e61
SHA139b14eb48e13daaf94023482666fc9e13118ba72
SHA256e37ca7753860c60248b70828432c8e018a3788479808fdfdbc4d3b369b381019
SHA51263f2f6af6974091fb8de9dae945b392bb5f68abe66f7d9e3906089bb31f8e7ae2be03fcce44288514678b2b79eb309667b4607e9132183d1bb9a631ad65a983a
-
Filesize
85KB
MD5fad3aaf3015914e834a9d0313fcd371b
SHA1a4715a153a79263436819905b87b54acae4b2227
SHA256917674ca36b5345dccd41f4ce772c6ffe8c3054520ebd2923fba768cbee77690
SHA51264c9bd116ad70abf9e8bf444f248915383d4b4680de1f6dadad649e0279803c9575952b0e1995a34e47c5a73eb42e23e964437a4a7828d3214f3f694383db83a
-
Filesize
114KB
MD5242b4242b3c1119f1fb55afbbdd24105
SHA1e1d9c1ed860b67b926fe18206038cd10f77b9c55
SHA2562d0e57c642cc32f10e77a73015075c2d03276dd58689944b01139b2bde8a62a1
SHA5127d1e08dc0cf5e241bcfe3be058a7879b530646726c018bc51cc4821a7a41121bcda6fbfdeeca563e3b6b5e7035bdd717781169c3fdbd2c74933390aa9450c684
-
Filesize
116KB
MD5f70aa3fa04f0536280f872ad17973c3d
SHA150a7b889329a92de1b272d0ecf5fce87395d3123
SHA2568d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA51230675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84
-
Filesize
13.4MB
MD543187e3b9c5a826cd84f0b7c5db6513e
SHA1881fd6c6e4201951fddc18b5c3f4d98024837294
SHA2562bb96b6ab92c923027acb944f62d78838471866c5821a5d536c8524faef336de
SHA51234803f750e4f61a43efc9b3126a3f2051de31e7756a86ec3c44fc3824bd811e0359235e0bb74b1df98b978ed22c1f4e13ff1a86cd076967a0be1afbe90d239e7
-
Filesize
90KB
MD5011e90b162cf67f34f91d6d563859817
SHA130ce18995be9545ae88189bc3ff5defbd2392d11
SHA2566cced62e6af36a52c48fdf0efb1571a44d6469f4ca66ca510020e5da407ed613
SHA51251d47a852b27540154c8b3ccb295dae4874475bf631be931bf8a4cf271805e927162c7f01e8df7f0aea8b9a860dac3500e59208cb60440bfa8e827325be7a36d