Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    132s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    02/09/2024, 06:09

General

  • Target

    Xworm-V5.6/Xworm V5.6 Starter.exe

  • Size

    7.7MB

  • MD5

    bbf43a166ade7e2a0d2b930c41fb20a3

  • SHA1

    d956dd742690aa25a59a84104cd3adbc40fcba78

  • SHA256

    e948b08eb91c2dca67517126d71e5175e222598e6f1928d3ee78560b08e40b2b

  • SHA512

    fcad5fc89da1d823a929cfebcdd19869605d646696f2399b2a84caa78e5a9854622e9d6b4184aba4ae080650513e1db01eb2412d995f87f18c4da90293fe523b

  • SSDEEP

    196608:zKLCFU/jHq/puROyhxeyOC7+oiRkbtejBe5x:zmq/pkOYxehohbtB

Malware Config

Extracted

Family

xworm

C2

manufacturer-rank.gl.at.ply.gg:60383

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Xworm-V5.6\Xworm V5.6 Starter.exe
    "C:\Users\Admin\AppData\Local\Temp\Xworm-V5.6\Xworm V5.6 Starter.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2288
    • C:\Users\Admin\AppData\Local\Temp\Xworm.exe
      "C:\Users\Admin\AppData\Local\Temp\Xworm.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2840
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Xworm.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2444
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Xworm.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2008
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\System User'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1208
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System User'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2896
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System User" /tr "C:\Users\Admin\AppData\Roaming\System User"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:768
    • C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
      "C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2560
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 2560 -s 728
        3⤵
          PID:1488
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {EE6C6172-E9A0-4E56-A33A-F800D2BB366F} S-1-5-21-2958949473-3205530200-1453100116-1000:WHMFPZKA\Admin:Interactive:[1]
      1⤵
        PID:2360

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe

        Filesize

        14.9MB

        MD5

        56ccb739926a725e78a7acf9af52c4bb

        SHA1

        5b01b90137871c3c8f0d04f510c4d56b23932cbc

        SHA256

        90f58865f265722ab007abb25074b3fc4916e927402552c6be17ef9afac96405

        SHA512

        2fee662bc4a1a36ce7328b23f991fa4a383b628839e403d6eb6a9533084b17699a6c939509867a86e803aafef2f9def98fa9305b576dad754aa7f599920c19a1

      • C:\Users\Admin\AppData\Local\Temp\Xworm.exe

        Filesize

        76KB

        MD5

        2440671e67fb9e5087758e8c496d2c3a

        SHA1

        eac0d14a9866208ac6920a7a906eef761b3e0c2a

        SHA256

        e6c4447bc9d07a89b142f89e5011b2fa37eb77a243c9537ef992a1786a6044a3

        SHA512

        6bc35fd57775a3794b49c1e8576ba2e3b05f47a893b604bffeaf38cc01429dcccd5011c29dc80c88cf1fdaa9dd15c6cf168b885d532821939c68a603d7b64d82

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

        Filesize

        7KB

        MD5

        ff2437ad2c22b96d8fa11da8ff41daaf

        SHA1

        9687d8d4db8617593748d544117085120e24f82b

        SHA256

        8133d72b3f6b85aef38002b52da71f2655df4845a8a9070e9f887ce2d73f0ed0

        SHA512

        19fa628b910f2426fabbfac24ca4f96a2299bb6ac9fd37cd4359b661547cd91b149d9513bb30918f1391c76e203ec274d1b12d55e3b1c8bb09697c06e865a945

      • memory/2008-28-0x000000001B690000-0x000000001B972000-memory.dmp

        Filesize

        2.9MB

      • memory/2008-29-0x00000000026F0000-0x00000000026F8000-memory.dmp

        Filesize

        32KB

      • memory/2288-14-0x000007FEF60F0000-0x000007FEF6ADC000-memory.dmp

        Filesize

        9.9MB

      • memory/2288-1-0x0000000000EC0000-0x0000000001672000-memory.dmp

        Filesize

        7.7MB

      • memory/2288-0-0x000007FEF60F3000-0x000007FEF60F4000-memory.dmp

        Filesize

        4KB

      • memory/2444-21-0x000000001B670000-0x000000001B952000-memory.dmp

        Filesize

        2.9MB

      • memory/2444-22-0x00000000021D0000-0x00000000021D8000-memory.dmp

        Filesize

        32KB

      • memory/2560-13-0x0000000000990000-0x0000000001878000-memory.dmp

        Filesize

        14.9MB

      • memory/2840-7-0x0000000000C00000-0x0000000000C18000-memory.dmp

        Filesize

        96KB

      • memory/2840-15-0x000007FEF60F0000-0x000007FEF6ADC000-memory.dmp

        Filesize

        9.9MB

      • memory/2840-16-0x000007FEF60F0000-0x000007FEF6ADC000-memory.dmp

        Filesize

        9.9MB

      • memory/2840-43-0x000007FEF60F0000-0x000007FEF6ADC000-memory.dmp

        Filesize

        9.9MB

      • memory/2840-44-0x000007FEF60F0000-0x000007FEF6ADC000-memory.dmp

        Filesize

        9.9MB