Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

RedTigerSetup.exe

windows7-x64

10

RedTigerSetup.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    128s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    25/08/2024, 22:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RedTigerSetup.exe

  • Size

    308KB

  • MD5

    08bd9d8eadefed4a4b7323d0027de5b6

  • SHA1

    e165b2a08c8fe165ab8623ad2f1897d67f426ce2

  • SHA256

    0e7104024d8eda4017d891550c1bcc2f5dd9ed80e9ac996898e5cf82a8919a12

  • SHA512

    108797ae485ef95640496fbca226af9185811c9e6d35d46925e66b7bab9ba1ec9c81142ac24d5a561bd603c2cb5f12c49e5a1510d33ffd5474085fda23e6c9cc

  • SSDEEP

    3072:tMPMabg5GKQfjkHVOBpaIEzgmn8d0oX3XEH9eRrPEX+FzwEenQ1/8rEXKuFA9:tMlbIofIH37Z80qXEHwRzkEzfmoy

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

agency-lottery.gl.at.ply.gg:21526

Attributes
  • Install_directory

    %AppData%

  • install_file

    startup.exe

  • telegram

    https://api.telegram.org/bot7319597697:AAHEbms2pAMZzB0yEpJIAUJdEfo9KHqsC4g/sendMessage?chat_id=7534517325

Signatures

  • Detect Xworm Payload 3 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\RedTigerSetup.exe
    "C:\Users\Admin\AppData\Local\Temp\RedTigerSetup.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2968
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RedTigerSetup.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2476
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RedTigerSetup.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2724
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\startup.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2636
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'startup.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3032
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "startup" /tr "C:\Users\Admin\AppData\Roaming\startup.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:1564
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {58ED1B18-71AD-4EE5-84C9-07E3C2D3A44F} S-1-5-21-1506706701-1246725540-2219210854-1000:MUYDDIIS\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2688
    • C:\Users\Admin\AppData\Roaming\startup.exe
      C:\Users\Admin\AppData\Roaming\startup.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2884
    • C:\Users\Admin\AppData\Roaming\startup.exe
      C:\Users\Admin\AppData\Roaming\startup.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1244

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    20c12a1b292df4ae6df2a6a8cd18ba78

    SHA1

    e488f565d54802c4327d2f5111148a33bad216b6

    SHA256

    026c7c03a6dd67e90ac52403f4c6ac982ce7b362ba18f08c4dec25ebec99c632

    SHA512

    49f41df878e52789f8fb2aa16bf004ae9f587e35b41a1e85b21721a1e54a6fa83a2c84fb77c20b51a33316e01b8f50c97f621da6ed330b6a406f81efb91a446b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\startup.exe
    Filesize

    308KB

    MD5

    08bd9d8eadefed4a4b7323d0027de5b6

    SHA1

    e165b2a08c8fe165ab8623ad2f1897d67f426ce2

    SHA256

    0e7104024d8eda4017d891550c1bcc2f5dd9ed80e9ac996898e5cf82a8919a12

    SHA512

    108797ae485ef95640496fbca226af9185811c9e6d35d46925e66b7bab9ba1ec9c81142ac24d5a561bd603c2cb5f12c49e5a1510d33ffd5474085fda23e6c9cc

    Download Submit

  • memory/2476-7-0x00000000027C0000-0x0000000002840000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2476-8-0x000000001B640000-0x000000001B922000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2476-9-0x0000000001F80000-0x0000000001F88000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2724-15-0x000000001B7A0000-0x000000001BA82000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2724-16-0x0000000001E80000-0x0000000001E88000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2884-37-0x00000000010C0000-0x0000000001112000-memory.dmp

    Filesize

    328KB

    Download

  • memory/2968-0-0x000007FEF56C3000-0x000007FEF56C4000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2968-2-0x000007FEF56C0000-0x000007FEF60AC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2968-27-0x000007FEF56C3000-0x000007FEF56C4000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2968-32-0x000007FEF56C0000-0x000007FEF60AC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2968-1-0x0000000001300000-0x0000000001352000-memory.dmp

    Filesize

    328KB

    Download