Analysis
max time kernel: 132s
max time network: 142s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 02/09/2024, 06:09
Behavioral tasks
behavioral1: Xworm-V5.6/Xworm V5.6 Starter.exe on win7-20240708-en
behavioral2: Xworm-V5.6/Xworm V5.6 Starter.exe on win10v2004-20240802-en
behavioral3: Xworm-V5.6/Xworm V5.6.exe on win7-20240704-en
behavioral4: Xworm-V5.6/Xworm V5.6.exe on win10v2004-20240802-en
General
Target: Xworm-V5.6/Xworm V5.6 Starter.exe
Size: 7.7MB
MD5: bbf43a166ade7e2a0d2b930c41fb20a3
SHA1: d956dd742690aa25a59a84104cd3adbc40fcba78
SHA256: e948b08eb91c2dca67517126d71e5175e222598e6f1928d3ee78560b08e40b2b
SHA512: fcad5fc89da1d823a929cfebcdd19869605d646696f2399b2a84caa78e5a9854622e9d6b4184aba4ae080650513e1db01eb2412d995f87f18c4da90293fe523b
SSDEEP: 196608:zKLCFU/jHq/puROyhxeyOC7+oiRkbtejBe5x:zmq/pkOYxehohbtB
Malware Config
Extracted family: xworm
manufacturer-rank.gl.at.ply.gg:60383
Install_directory: %AppData%
install_file: USB.exe
Signatures

Detect Xworm Payload (2 IoCs)
  resource | yara_rule
  behavioral1/files/0x000a00000001202c-5.dat | family_xworm
  behavioral1/memory/2840-7-0x0000000000C00000-0x0000000000C18000-memory.dmp | family_xworm

Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  pid | Process
  2444 | powershell.exe
  2008 | powershell.exe
  1208 | powershell.exe
  2896 | powershell.exe

Drops startup file (2 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System User.lnk | Xworm.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System User.lnk | Xworm.exe

Executes dropped EXE (2 IoCs)
  pid | Process
  2840 | Xworm.exe
  2560 | Xworm V5.6.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\System User = "C:\\Users\\Admin\\AppData\\Roaming\\System User" | Xworm.exe

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  4 | ip-api.com

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  768 | schtasks.exe

Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid | Process
  2444 | powershell.exe
  2008 | powershell.exe
  1208 | powershell.exe
  2896 | powershell.exe
  2840 | Xworm.exe

Suspicious use of AdjustPrivilegeToken (6 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2840 | Xworm.exe
  Token: SeDebugPrivilege | 2444 | powershell.exe
  Token: SeDebugPrivilege | 2008 | powershell.exe
  Token: SeDebugPrivilege | 1208 | powershell.exe
  Token: SeDebugPrivilege | 2896 | powershell.exe
  Token: SeDebugPrivilege | 2840 | Xworm.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid | Process
  2840 | Xworm.exe

Suspicious use of WriteProcessMemory (24 IoCs)
  description | pid | Process | procid_target
  PID 2288 wrote to memory of 2840 | 2288 | Xworm V5.6 Starter.exe | 30
  PID 2288 wrote to memory of 2840 | 2288 | Xworm V5.6 Starter.exe | 30
  PID 2288 wrote to memory of 2840 | 2288 | Xworm V5.6 Starter.exe | 30
  PID 2288 wrote to memory of 2560 | 2288 | Xworm V5.6 Starter.exe | 31
  PID 2288 wrote to memory of 2560 | 2288 | Xworm V5.6 Starter.exe | 31
  PID 2288 wrote to memory of 2560 | 2288 | Xworm V5.6 Starter.exe | 31
  PID 2560 wrote to memory of 1488 | 2560 | Xworm V5.6.exe | 33
  PID 2560 wrote to memory of 1488 | 2560 | Xworm V5.6.exe | 33
  PID 2560 wrote to memory of 1488 | 2560 | Xworm V5.6.exe | 33
  PID 2840 wrote to memory of 2444 | 2840 | Xworm.exe | 34
  PID 2840 wrote to memory of 2444 | 2840 | Xworm.exe | 34
  PID 2840 wrote to memory of 2444 | 2840 | Xworm.exe | 34
  PID 2840 wrote to memory of 2008 | 2840 | Xworm.exe | 36
  PID 2840 wrote to memory of 2008 | 2840 | Xworm.exe | 36
  PID 2840 wrote to memory of 2008 | 2840 | Xworm.exe | 36
  PID 2840 wrote to memory of 1208 | 2840 | Xworm.exe | 38
  PID 2840 wrote to memory of 1208 | 2840 | Xworm.exe | 38
  PID 2840 wrote to memory of 1208 | 2840 | Xworm.exe | 38
  PID 2840 wrote to memory of 2896 | 2840 | Xworm.exe | 40
  PID 2840 wrote to memory of 2896 | 2840 | Xworm.exe | 40
  PID 2840 wrote to memory of 2896 | 2840 | Xworm.exe | 40
  PID 2840 wrote to memory of 768 | 2840 | Xworm.exe | 42
  PID 2840 wrote to memory of 768 | 2840 | Xworm.exe | 42
  PID 2840 wrote to memory of 768 | 2840 | Xworm.exe | 42

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\Xworm-V5.6\Xworm V5.6 Starter.exe  (depth 1, PID 2288)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Xworm-V5.6\Xworm V5.6 Starter.exe"
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Xworm.exe  (depth 2, PID 2840)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Xworm.exe"
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (depth 3, PID 2444)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Xworm.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (depth 3, PID 2008)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Xworm.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (depth 3, PID 1208)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\System User'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (depth 3, PID 2896)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System User'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\schtasks.exe  (depth 3, PID 768)
      Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System User" /tr "C:\Users\Admin\AppData\Roaming\System User"
      - Scheduled Task/Job: Scheduled Task

  C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe  (depth 2, PID 2560)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\WerFault.exe  (depth 3, PID 1488)
      Command line: C:\Windows\system32\WerFault.exe -u -p 2560 -s 728

C:\Windows\system32\taskeng.exe  (depth 1, PID 2360)
  Command line: taskeng.exe {EE6C6172-E9A0-4E56-A33A-F800D2BB366F} S-1-5-21-2958949473-3205530200-1453100116-1000:WHMFPZKA\Admin:Interactive:[1]
Network
MITRE ATT&CK Enterprise v15
Execution
  Command and Scripting Interpreter (1): PowerShell (1)
  Scheduled Task/Job (1): Scheduled Task (1)
Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1): Scheduled Task (1)
Downloads

Filesize: 14.9MB
MD5: 56ccb739926a725e78a7acf9af52c4bb
SHA1: 5b01b90137871c3c8f0d04f510c4d56b23932cbc
SHA256: 90f58865f265722ab007abb25074b3fc4916e927402552c6be17ef9afac96405
SHA512: 2fee662bc4a1a36ce7328b23f991fa4a383b628839e403d6eb6a9533084b17699a6c939509867a86e803aafef2f9def98fa9305b576dad754aa7f599920c19a1

Filesize: 76KB
MD5: 2440671e67fb9e5087758e8c496d2c3a
SHA1: eac0d14a9866208ac6920a7a906eef761b3e0c2a
SHA256: e6c4447bc9d07a89b142f89e5011b2fa37eb77a243c9537ef992a1786a6044a3
SHA512: 6bc35fd57775a3794b49c1e8576ba2e3b05f47a893b604bffeaf38cc01429dcccd5011c29dc80c88cf1fdaa9dd15c6cf168b885d532821939c68a603d7b64d82

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: ff2437ad2c22b96d8fa11da8ff41daaf
SHA1: 9687d8d4db8617593748d544117085120e24f82b
SHA256: 8133d72b3f6b85aef38002b52da71f2655df4845a8a9070e9f887ce2d73f0ed0
SHA512: 19fa628b910f2426fabbfac24ca4f96a2299bb6ac9fd37cd4359b661547cd91b149d9513bb30918f1391c76e203ec274d1b12d55e3b1c8bb09697c06e865a945