Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    146s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    02/09/2024, 09:47

General

  • Target

    FifFaf3.exe

  • Size

    75KB

  • MD5

    3ec64788de487a611bc255a1c2d4e532

  • SHA1

    955c425b7367a4f844e22092e97a64bb6ac092a8

  • SHA256

    9a41404dca669ab7ae093eae45c01d0b8c6e31df93feed36bd39950f8d23b301

  • SHA512

    6c9a14f7c0fee940c0e3d42f5f43ec0937b358d1b5e67e8124c45196626e0c1ea1026506ed6a1d67b0bd63b9d9dfa4937eaff8e32291fa4685a992f386316b68

  • SSDEEP

    1536:Y0XP2FWP19ugE7B2yWCUy8TpbRA+ac5G63SuUEhiOsy34Cqg:m7TWO8dbRAo5RpEOsy34Cr

Malware Config

Extracted

Family

xworm

C2

george-continental.gl.at.ply.gg:25128:1000

Attributes
  • Install_directory

    %AppData%

  • install_file

    SolaraBETA.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\FifFaf3.exe
    "C:\Users\Admin\AppData\Local\Temp\FifFaf3.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3012
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\FifFaf3.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2880
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'FifFaf3.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2848
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\SolaraBETA.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2624
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SolaraBETA.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2588

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\VIAENLX3WMGKUCWDTIYC.temp

    Filesize

    7KB

    MD5

    a53a4de1aa243f16705e0e6255d8c19d

    SHA1

    a84e04dfc6e08d9001abc2e0572eaf59d7947189

    SHA256

    d590dbe58306ff752b87252521b4a91ab36615be1136c99473ca67e641eeb2cd

    SHA512

    c55d0b28c02471ff439c57da7097bddba974c3315d055f64679536d96d637dfeda0b1a24d3f332f64010a9ff7aaf80c19b9a660adf153117e8a34b850e39242d

  • memory/2848-15-0x000000001B560000-0x000000001B842000-memory.dmp

    Filesize

    2.9MB

  • memory/2848-16-0x0000000001E80000-0x0000000001E88000-memory.dmp

    Filesize

    32KB

  • memory/2880-7-0x0000000002C20000-0x0000000002CA0000-memory.dmp

    Filesize

    512KB

  • memory/2880-8-0x000000001B810000-0x000000001BAF2000-memory.dmp

    Filesize

    2.9MB

  • memory/2880-9-0x0000000001DF0000-0x0000000001DF8000-memory.dmp

    Filesize

    32KB

  • memory/3012-0-0x000007FEF5B93000-0x000007FEF5B94000-memory.dmp

    Filesize

    4KB

  • memory/3012-1-0x00000000009A0000-0x00000000009BA000-memory.dmp

    Filesize

    104KB

  • memory/3012-2-0x000007FEF5B90000-0x000007FEF657C000-memory.dmp

    Filesize

    9.9MB

  • memory/3012-28-0x000007FEF5B93000-0x000007FEF5B94000-memory.dmp

    Filesize

    4KB

  • memory/3012-30-0x000007FEF5B90000-0x000007FEF657C000-memory.dmp

    Filesize

    9.9MB