Analysis
- max time kernel: 148s
- max time network: 151s
- platform: windows11-21h2_x64
- resource: win11-20240802-en
- resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 25/08/2024, 17:13
Behavioral task
- behavioral1
- Sample: xcvvcxt.exe
- Resource: win11-20240802-en
General
- Target: xcvvcxt.exe
- Size: 71KB
- MD5: 52d2a1a3deaeef7265f59db93f08f6a8
- SHA1: f149bd23adbdd98bd1eaf67960d6ea50ad9a6abb
- SHA256: 40757554eb21a52d4700d04e7247042974e177f13370d799f115be591d16ce63
- SHA512: c5013a3bb4ff061c4f0e36ade32dcc86be69dbe28516600597329c0a53c467e2b2300a10196aa88d2ef97a405f9c002a87c5e64503a0242a9ecfe502eb75bc0d
- SSDEEP: 1536:aDiF2GFihkZNcSKYjUoA6ybueXcMS2+fL6AOOAcdt+RnMX:uiXJZaPYgAybpX3S2+hOOADFMX
Malware Config
Extracted: xworm
- reason-scoop.gl.at.ply.gg:16546
- Install_directory: %LocalAppData%
- install_file: Java Update Scheduler.exe
Signatures
- Detect Xworm Payload (2 IoCs)
  resource | yara_rule
  behavioral1/memory/3468-1-0x00000000007F0000-0x0000000000808000-memory.dmp | family_xworm
  behavioral1/files/0x000800000002a920-58.dat | family_xworm
- Command and Scripting Interpreter: PowerShell (1 TTPs, 4 IoCs)
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid | Process
  2160 | powershell.exe
  8 | powershell.exe
  2616 | powershell.exe
  328 | powershell.exe
- Drops startup file (2 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update Scheduler.lnk | xcvvcxt.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update Scheduler.lnk | xcvvcxt.exe
- Executes dropped EXE (3 IoCs)
  pid | Process
  3520 | Java Update Scheduler.exe
  3032 | Java Update Scheduler.exe
  4812 | Java Update Scheduler.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java Update Scheduler = "C:\\Users\\Admin\\AppData\\Local\\Java Update Scheduler.exe" | xcvvcxt.exe
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  1 | ip-api.com
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  1900 | schtasks.exe
- Suspicious behavior: EnumeratesProcesses (9 IoCs)
  pid | Process
  2616 | powershell.exe
  2616 | powershell.exe
  328 | powershell.exe
  328 | powershell.exe
  2160 | powershell.exe
  2160 | powershell.exe
  8 | powershell.exe
  8 | powershell.exe
  3468 | xcvvcxt.exe
- Suspicious use of AdjustPrivilegeToken (9 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 3468 | xcvvcxt.exe
  Token: SeDebugPrivilege | 2616 | powershell.exe
  Token: SeDebugPrivilege | 328 | powershell.exe
  Token: SeDebugPrivilege | 2160 | powershell.exe
  Token: SeDebugPrivilege | 8 | powershell.exe
  Token: SeDebugPrivilege | 3468 | xcvvcxt.exe
  Token: SeDebugPrivilege | 3520 | Java Update Scheduler.exe
  Token: SeDebugPrivilege | 3032 | Java Update Scheduler.exe
  Token: SeDebugPrivilege | 4812 | Java Update Scheduler.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  pid | Process
  3468 | xcvvcxt.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  description | pid | Process | procid_target
  PID 3468 wrote to memory of 2616 | 3468 | xcvvcxt.exe | 84
  PID 3468 wrote to memory of 2616 | 3468 | xcvvcxt.exe | 84
  PID 3468 wrote to memory of 328 | 3468 | xcvvcxt.exe | 86
  PID 3468 wrote to memory of 328 | 3468 | xcvvcxt.exe | 86
  PID 3468 wrote to memory of 2160 | 3468 | xcvvcxt.exe | 89
  PID 3468 wrote to memory of 2160 | 3468 | xcvvcxt.exe | 89
  PID 3468 wrote to memory of 8 | 3468 | xcvvcxt.exe | 91
  PID 3468 wrote to memory of 8 | 3468 | xcvvcxt.exe | 91
  PID 3468 wrote to memory of 1900 | 3468 | xcvvcxt.exe | 93
  PID 3468 wrote to memory of 1900 | 3468 | xcvvcxt.exe | 93
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\xcvvcxt.exe (PID 3468)
  Command line: "C:\Users\Admin\AppData\Local\Temp\xcvvcxt.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2616)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\xcvvcxt.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 328)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'xcvvcxt.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2160)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Java Update Scheduler.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 8)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Java Update Scheduler.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\schtasks.exe (PID 1900)
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Java Update Scheduler" /tr "C:\Users\Admin\AppData\Local\Java Update Scheduler.exe"
    - Scheduled Task/Job: Scheduled Task
- C:\Windows\System32\rundll32.exe (PID 2432)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Users\Admin\AppData\Local\Java Update Scheduler.exe (PID 3520)
  Command line: "C:\Users\Admin\AppData\Local\Java Update Scheduler.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Local\Java Update Scheduler.exe (PID 3032)
  Command line: "C:\Users\Admin\AppData\Local\Java Update Scheduler.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Local\Java Update Scheduler.exe (PID 4812)
  Command line: "C:\Users\Admin\AppData\Local\Java Update Scheduler.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Downloads
- Filesize: 71KB
  MD5: 52d2a1a3deaeef7265f59db93f08f6a8
  SHA1: f149bd23adbdd98bd1eaf67960d6ea50ad9a6abb
  SHA256: 40757554eb21a52d4700d04e7247042974e177f13370d799f115be591d16ce63
  SHA512: c5013a3bb4ff061c4f0e36ade32dcc86be69dbe28516600597329c0a53c467e2b2300a10196aa88d2ef97a405f9c002a87c5e64503a0242a9ecfe502eb75bc0d
- Filesize: 654B
  MD5: 2cbbb74b7da1f720b48ed31085cbd5b8
  SHA1: 79caa9a3ea8abe1b9c4326c3633da64a5f724964
  SHA256: e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3
  SHA512: ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9
- Filesize: 2KB
  MD5: 627073ee3ca9676911bee35548eff2b8
  SHA1: 4c4b68c65e2cab9864b51167d710aa29ebdcff2e
  SHA256: 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
  SHA512: 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb
- Filesize: 944B
  MD5: e3840d9bcedfe7017e49ee5d05bd1c46
  SHA1: 272620fb2605bd196df471d62db4b2d280a363c6
  SHA256: 3ac83e70415b9701ee71a4560232d7998e00c3db020fde669eb01b8821d2746f
  SHA512: 76adc88ab3930acc6b8b7668e2de797b8c00edcfc41660ee4485259c72a8adf162db62c2621ead5a9950f12bfe8a76ccab79d02fda11860afb0e217812cac376
- Filesize: 944B
  MD5: fb64985eb65ff03449724256acec5ab0
  SHA1: 6e65d6919e613eeb21e1efb38dc82d319fdf9bd1
  SHA256: 1c8634d4efd6aba18bd0c294f82330df95fe2611129b824a0dd108537b308f28
  SHA512: 364d9caf73d5d2180893250ba17d0611fc5baf5636284b79312e5f232c4f10b2f2c241f522276712f163d8e7124d73cc88ca077a8eb9fb39059475737daa90d3
- Filesize: 944B
  MD5: 050567a067ffea4eb40fe2eefebdc1ee
  SHA1: 6e1fb2c7a7976e0724c532449e97722787a00fec
  SHA256: 3952d5b543e5cb0cb84014f4ad9f5f1b7166f592d28640cbc3d914d0e6f41d2e
  SHA512: 341ad71ef7e850b10e229666312e4bca87a0ed9fe25ba4b0ab65661d5a0efa855db0592153106da07134d8fc2c6c0e44709bf38183c9a574a1fa543189971259
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82