Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    146s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    02/09/2024, 09:47 UTC

General

  • Target

    FifFaf3.exe

  • Size

    75KB

  • MD5

    3ec64788de487a611bc255a1c2d4e532

  • SHA1

    955c425b7367a4f844e22092e97a64bb6ac092a8

  • SHA256

    9a41404dca669ab7ae093eae45c01d0b8c6e31df93feed36bd39950f8d23b301

  • SHA512

    6c9a14f7c0fee940c0e3d42f5f43ec0937b358d1b5e67e8124c45196626e0c1ea1026506ed6a1d67b0bd63b9d9dfa4937eaff8e32291fa4685a992f386316b68

  • SSDEEP

    1536:Y0XP2FWP19ugE7B2yWCUy8TpbRA+ac5G63SuUEhiOsy34Cqg:m7TWO8dbRAo5RpEOsy34Cr

Malware Config

Extracted

Family

xworm

C2

george-continental.gl.at.ply.gg:25128:1000

Attributes
  • Install_directory

    %AppData%

  • install_file

    SolaraBETA.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\FifFaf3.exe
    "C:\Users\Admin\AppData\Local\Temp\FifFaf3.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3012
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\FifFaf3.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2880
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'FifFaf3.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2848
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\SolaraBETA.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2624
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SolaraBETA.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2588

Network

  • US
    DNS
    ip-api.com
    FifFaf3.exe
    Remote address:
    8.8.8.8:53
    Request
    ip-api.com
    IN A
    Response
    ip-api.com
    IN A
    208.95.112.1
  • US
    GET
    http://ip-api.com/line/?fields=hosting
    FifFaf3.exe
    Remote address:
    208.95.112.1:80
    Request
    GET /line/?fields=hosting HTTP/1.1
    Host: ip-api.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Mon, 02 Sep 2024 09:47:30 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 6
    Access-Control-Allow-Origin: *
    X-Ttl: 60
    X-Rl: 44
  • 208.95.112.1:80
    http://ip-api.com/line/?fields=hosting
    http
    FifFaf3.exe
    264 B
    307 B
    4
    3

    HTTP Request

    GET http://ip-api.com/line/?fields=hosting

    HTTP Response

    200
  • 8.8.8.8:53
    ip-api.com
    dns
    FifFaf3.exe
    56 B
    72 B
    1
    1

    DNS Request

    ip-api.com

    DNS Response

    208.95.112.1

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\VIAENLX3WMGKUCWDTIYC.temp

    Filesize

    7KB

    MD5

    a53a4de1aa243f16705e0e6255d8c19d

    SHA1

    a84e04dfc6e08d9001abc2e0572eaf59d7947189

    SHA256

    d590dbe58306ff752b87252521b4a91ab36615be1136c99473ca67e641eeb2cd

    SHA512

    c55d0b28c02471ff439c57da7097bddba974c3315d055f64679536d96d637dfeda0b1a24d3f332f64010a9ff7aaf80c19b9a660adf153117e8a34b850e39242d

  • memory/2848-15-0x000000001B560000-0x000000001B842000-memory.dmp

    Filesize

    2.9MB

  • memory/2848-16-0x0000000001E80000-0x0000000001E88000-memory.dmp

    Filesize

    32KB

  • memory/2880-7-0x0000000002C20000-0x0000000002CA0000-memory.dmp

    Filesize

    512KB

  • memory/2880-8-0x000000001B810000-0x000000001BAF2000-memory.dmp

    Filesize

    2.9MB

  • memory/2880-9-0x0000000001DF0000-0x0000000001DF8000-memory.dmp

    Filesize

    32KB

  • memory/3012-0-0x000007FEF5B93000-0x000007FEF5B94000-memory.dmp

    Filesize

    4KB

  • memory/3012-1-0x00000000009A0000-0x00000000009BA000-memory.dmp

    Filesize

    104KB

  • memory/3012-2-0x000007FEF5B90000-0x000007FEF657C000-memory.dmp

    Filesize

    9.9MB

  • memory/3012-28-0x000007FEF5B93000-0x000007FEF5B94000-memory.dmp

    Filesize

    4KB

  • memory/3012-30-0x000007FEF5B90000-0x000007FEF657C000-memory.dmp

    Filesize

    9.9MB
