Analysis

  • max time kernel
    294s
  • max time network
    298s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21/08/2024, 02:22

General

  • Target

    XWorm.exe

  • Size

    13.5MB

  • MD5

    1e7daac9ab67c09a7ca1ebceae3326b2

  • SHA1

    7312fc660bf03b863de0d4346e3ef462724626e6

  • SHA256

    5bfca9c997f452d4f001abcdfdd1115aa0ef97d5ba2cc48b4523f6fb87a0ba7a

  • SHA512

    5dd037b2f5e0e71c1190c3d300f257ae3fb5f2f9eac142d03e702058f960c9017f1511767a38403f00aae8ee73d6d5ac91095e8389e6fbc254ea2dbf82d7be90

  • SSDEEP

    196608:KOI24UT0mBlShweFDkiVl9qDgC4lukrWuPqllxlshCsWHmn:KOI2pi7dkiVqUJ5rWdtlsMsWHmn

Malware Config

Extracted

Family

xworm

Version

5.0

C2

las-protected.gl.at.ply.gg:59571

Mutex

57uEOC4VgAs3IeCB

Attributes
  • Install_directory

    %Userprofile%

  • install_file

    Uni.exe

aes.plain

Signatures

  • Detect Xworm Payload 2 IoCs
  • StormKitty

    StormKitty is an open source info stealer written in C#.

  • StormKitty payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, the web browser credential store.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Manipulates Digital Signatures 1 TTPs 3 IoCs

    Attackers can apply techniques such as changing the Authenticode and Cryptography registry keys so that their binary is treated as validly signed.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 7 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Deobfuscate/Decode Files or Information 1 TTPs 1 IoCs

    Payload decoded via CertUtil.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Obfuscated Files or Information: Command Obfuscation 1 TTPs

    Adversaries may obfuscate content during command execution to impede detection.

  • Browser Information Discovery 1 TTPs

    Enumerates browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 1 IoCs

    Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\XWorm.exe
    "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1692
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGUAawB2ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGgAeABlACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGkAawBsACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGsAcwB2ACMAPgA="
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4600
    • C:\Users\Admin\SeroXen.exe
      "C:\Users\Admin\SeroXen.exe"
      2⤵
      • Executes dropped EXE
      PID:4664
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Uni.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2244
      • C:\Windows\SysWOW64\certutil.exe
        certutil -decodehex temp.hex "Uni.exe"
        3⤵
        • Manipulates Digital Signatures
        • Deobfuscate/Decode Files or Information
        • System Location Discovery: System Language Discovery
        PID:3652
      • C:\Users\Admin\AppData\Local\Temp\Uni.exe
        Uni.exe
        3⤵
        • Checks computer location settings
        • Drops startup file
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1280
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Uni.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2948
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Uni.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3664
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Uni.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4664
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Uni.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1716
        • C:\Windows\System32\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Uni" /tr "C:\Users\Admin\Uni.exe"
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:636
        • C:\Windows\SYSTEM32\cmd.exe
          "cmd"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2296
          • C:\Windows\system32\netsh.exe
            netsh wlan show profiles
            5⤵
            • Event Triggered Execution: Netsh Helper DLL
            • System Network Configuration Discovery: Wi-Fi Discovery
            PID:4504
  • C:\Users\Admin\Uni.exe
    C:\Users\Admin\Uni.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3400
  • C:\Users\Admin\Uni.exe
    C:\Users\Admin\Uni.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4148
  • C:\Users\Admin\Uni.exe
    C:\Users\Admin\Uni.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2660
  • C:\Users\Admin\Uni.exe
    C:\Users\Admin\Uni.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:5116
  • C:\Users\Admin\Uni.exe
    C:\Users\Admin\Uni.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2224

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Uni.exe.log

    Filesize

    654B

    MD5

    2ff39f6c7249774be85fd60a8f9a245e

    SHA1

    684ff36b31aedc1e587c8496c02722c6698c1c4e

    SHA256

    e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

    SHA512

    1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

    Filesize

    2KB

    MD5

    d85ba6ff808d9e5444a4b369f5bc2730

    SHA1

    31aa9d96590fff6981b315e0b391b575e4c0804a

    SHA256

    84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

    SHA512

    8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    944B

    MD5

    9b80cd7a712469a4c45fec564313d9eb

    SHA1

    6125c01bc10d204ca36ad1110afe714678655f2d

    SHA256

    5a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d

    SHA512

    ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    944B

    MD5

    6b1ebf854dcf0ccd1e6d8d6de83a0f57

    SHA1

    01ddcbfe5faa3a87240cf61177f32cef5c3b9c88

    SHA256

    0361076a981e7f8101ba8eed35f1bb85b2d88ea3d91082ef83c5c77b4f51c178

    SHA512

    7e32cc0c0a14d8ecd8d2a6729569932353dab8c5f4070ad30a4c1ac9b94274d840f9a68b33982375116a0a9e0e610a4c4265f083b44c193709d69195602838f0

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    944B

    MD5

    b51dc9e5ec3c97f72b4ca9488bbb4462

    SHA1

    5c1e8c0b728cd124edcacefb399bbd5e25b21bd3

    SHA256

    976f9534aa2976c85c2455bdde786a3f55d63aefdd40942eba1223c4c93590db

    SHA512

    0e5aa6cf64c535aefb833e5757b68e1094c87424abe2615a7d7d26b1b31eff358d12e36e75ca57fd690a9919b776600bf4c5c0e5a5df55366ba62238bdf3f280

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    18KB

    MD5

    d79d8f8781a053d2b73699773468fe9a

    SHA1

    174df4f543a33a51988a561a1fa841f424009d04

    SHA256

    989f8b28fe69178def4a25b47b43d37c776ec50592934fb1693acdcee286bf05

    SHA512

    63baaf9cd27b3769ebd5863ecd5b600ae759ab8567fb68ab2f74bc284a8558df0cff011fb9a625b068180fb7eadee6e89cc58a5676f29e6255eaa279757686e8

  • C:\Users\Admin\AppData\Local\Temp\Uni.exe

    Filesize

    41KB

    MD5

    09e870076cfaa16f20be5050834ba8ff

    SHA1

    0b8b26cdaf08a07b8e86b1643ca23e249c8f3840

    SHA256

    f3fcb094f57ddd9e4c29eccc62e3ad3ce50d40230fbe0f00324ccf18acd68bc4

    SHA512

    d655030bf9bb84ecdd7109aab55c33976e2a2cbd63ccece48d3e881b1dd378e4e17f157a3dd9a07e8786650cbf46b8d742a115cb9906c9b69d7143c2b4de0643

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_msrz5hu1.cvs.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Local\Temp\places.raw

    Filesize

    5.0MB

    MD5

    81412f7f844b75a6c65ed71eac0b9e61

    SHA1

    39b14eb48e13daaf94023482666fc9e13118ba72

    SHA256

    e37ca7753860c60248b70828432c8e018a3788479808fdfdbc4d3b369b381019

    SHA512

    63f2f6af6974091fb8de9dae945b392bb5f68abe66f7d9e3906089bb31f8e7ae2be03fcce44288514678b2b79eb309667b4607e9132183d1bb9a631ad65a983a

  • C:\Users\Admin\AppData\Local\Temp\temp.hex

    Filesize

    85KB

    MD5

    fad3aaf3015914e834a9d0313fcd371b

    SHA1

    a4715a153a79263436819905b87b54acae4b2227

    SHA256

    917674ca36b5345dccd41f4ce772c6ffe8c3054520ebd2923fba768cbee77690

    SHA512

    64c9bd116ad70abf9e8bf444f248915383d4b4680de1f6dadad649e0279803c9575952b0e1995a34e47c5a73eb42e23e964437a4a7828d3214f3f694383db83a

  • C:\Users\Admin\AppData\Local\Temp\tmpFC88.tmp.dat

    Filesize

    114KB

    MD5

    242b4242b3c1119f1fb55afbbdd24105

    SHA1

    e1d9c1ed860b67b926fe18206038cd10f77b9c55

    SHA256

    2d0e57c642cc32f10e77a73015075c2d03276dd58689944b01139b2bde8a62a1

    SHA512

    7d1e08dc0cf5e241bcfe3be058a7879b530646726c018bc51cc4821a7a41121bcda6fbfdeeca563e3b6b5e7035bdd717781169c3fdbd2c74933390aa9450c684

  • C:\Users\Admin\AppData\Local\Temp\tmpFCFC.tmp.dat

    Filesize

    116KB

    MD5

    f70aa3fa04f0536280f872ad17973c3d

    SHA1

    50a7b889329a92de1b272d0ecf5fce87395d3123

    SHA256

    8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

    SHA512

    30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

  • C:\Users\Admin\SeroXen.exe

    Filesize

    13.4MB

    MD5

    43187e3b9c5a826cd84f0b7c5db6513e

    SHA1

    881fd6c6e4201951fddc18b5c3f4d98024837294

    SHA256

    2bb96b6ab92c923027acb944f62d78838471866c5821a5d536c8524faef336de

    SHA512

    34803f750e4f61a43efc9b3126a3f2051de31e7756a86ec3c44fc3824bd811e0359235e0bb74b1df98b978ed22c1f4e13ff1a86cd076967a0be1afbe90d239e7

  • C:\Users\Admin\Uni.bat

    Filesize

    90KB

    MD5

    011e90b162cf67f34f91d6d563859817

    SHA1

    30ce18995be9545ae88189bc3ff5defbd2392d11

    SHA256

    6cced62e6af36a52c48fdf0efb1571a44d6469f4ca66ca510020e5da407ed613

    SHA512

    51d47a852b27540154c8b3ccb295dae4874475bf631be931bf8a4cf271805e927162c7f01e8df7f0aea8b9a860dac3500e59208cb60440bfa8e827325be7a36d

  • memory/1280-142-0x000000001D3C0000-0x000000001D4E0000-memory.dmp

    Filesize

    1.1MB

  • memory/1280-181-0x000000001B9A0000-0x000000001B9AE000-memory.dmp

    Filesize

    56KB

  • memory/1280-223-0x000000001DA00000-0x000000001DD50000-memory.dmp

    Filesize

    3.3MB

  • memory/1280-224-0x000000001E2A0000-0x000000001E350000-memory.dmp

    Filesize

    704KB

  • memory/1280-62-0x0000000000F10000-0x0000000000F20000-memory.dmp

    Filesize

    64KB

  • memory/1280-225-0x000000001ECD0000-0x000000001F1F8000-memory.dmp

    Filesize

    5.2MB

  • memory/1280-227-0x00000000016E0000-0x00000000016EC000-memory.dmp

    Filesize

    48KB

  • memory/2948-87-0x000002A8BD050000-0x000002A8BD072000-memory.dmp

    Filesize

    136KB

  • memory/4600-43-0x0000000006070000-0x00000000060D6000-memory.dmp

    Filesize

    408KB

  • memory/4600-63-0x0000000007680000-0x00000000076B2000-memory.dmp

    Filesize

    200KB

  • memory/4600-76-0x0000000008090000-0x000000000870A000-memory.dmp

    Filesize

    6.5MB

  • memory/4600-77-0x00000000079E0000-0x00000000079FA000-memory.dmp

    Filesize

    104KB

  • memory/4600-78-0x0000000007A60000-0x0000000007A6A000-memory.dmp

    Filesize

    40KB

  • memory/4600-79-0x0000000007C80000-0x0000000007D16000-memory.dmp

    Filesize

    600KB

  • memory/4600-80-0x0000000007BF0000-0x0000000007C01000-memory.dmp

    Filesize

    68KB

  • memory/4600-81-0x0000000007C30000-0x0000000007C3E000-memory.dmp

    Filesize

    56KB

  • memory/4600-82-0x0000000007C40000-0x0000000007C54000-memory.dmp

    Filesize

    80KB

  • memory/4600-83-0x0000000007D20000-0x0000000007D3A000-memory.dmp

    Filesize

    104KB

  • memory/4600-84-0x0000000007C70000-0x0000000007C78000-memory.dmp

    Filesize

    32KB

  • memory/4600-74-0x0000000006C80000-0x0000000006C9E000-memory.dmp

    Filesize

    120KB

  • memory/4600-64-0x0000000070950000-0x000000007099C000-memory.dmp

    Filesize

    304KB

  • memory/4600-75-0x00000000076C0000-0x0000000007763000-memory.dmp

    Filesize

    652KB

  • memory/4600-58-0x0000000006760000-0x00000000067AC000-memory.dmp

    Filesize

    304KB

  • memory/4600-57-0x00000000066D0000-0x00000000066EE000-memory.dmp

    Filesize

    120KB

  • memory/4600-49-0x00000000060E0000-0x0000000006434000-memory.dmp

    Filesize

    3.3MB

  • memory/4600-42-0x0000000006000000-0x0000000006066000-memory.dmp

    Filesize

    408KB

  • memory/4600-41-0x0000000005720000-0x0000000005742000-memory.dmp

    Filesize

    136KB

  • memory/4600-26-0x00000000736BE000-0x00000000736BF000-memory.dmp

    Filesize

    4KB

  • memory/4600-38-0x00000000058D0000-0x0000000005EF8000-memory.dmp

    Filesize

    6.2MB

  • memory/4600-35-0x0000000003190000-0x00000000031A0000-memory.dmp

    Filesize

    64KB

  • memory/4600-37-0x0000000003190000-0x00000000031A0000-memory.dmp

    Filesize

    64KB

  • memory/4600-34-0x0000000003100000-0x0000000003136000-memory.dmp

    Filesize

    216KB

  • memory/4664-36-0x000001B165F10000-0x000001B166C72000-memory.dmp

    Filesize

    13.4MB

  • memory/4664-32-0x00007FFBC67A3000-0x00007FFBC67A5000-memory.dmp

    Filesize

    8KB

  • memory/4664-39-0x000001B169350000-0x000001B169360000-memory.dmp

    Filesize

    64KB