Analysis
max time kernel: 146s
max time network: 120s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 02/09/2024, 09:47
Behavioral task: behavioral1
Sample: FifFaf3.exe
Resource: win7-20240708-en

Behavioral task: behavioral2
Sample: FifFaf3.exe
Resource: win10v2004-20240802-en
General
Target: FifFaf3.exe
Size: 75KB
MD5: 3ec64788de487a611bc255a1c2d4e532
SHA1: 955c425b7367a4f844e22092e97a64bb6ac092a8
SHA256: 9a41404dca669ab7ae093eae45c01d0b8c6e31df93feed36bd39950f8d23b301
SHA512: 6c9a14f7c0fee940c0e3d42f5f43ec0937b358d1b5e67e8124c45196626e0c1ea1026506ed6a1d67b0bd63b9d9dfa4937eaff8e32291fa4685a992f386316b68
SSDEEP: 1536:Y0XP2FWP19ugE7B2yWCUy8TpbRA+ac5G63SuUEhiOsy34Cqg:m7TWO8dbRAo5RpEOsy34Cr
Malware Config
Extracted
Family: xworm
C2: george-continental.gl.at.ply.gg:25128:1000
Install_directory: %AppData%
install_file: SolaraBETA.exe
Signatures

Detect Xworm Payload (1 IoCs)
resource                                                                       yara_rule
behavioral1/memory/3012-1-0x00000000009A0000-0x00000000009BA000-memory.dmp    family_xworm

Command and Scripting Interpreter: PowerShell (1 TTPs, 4 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid    Process
2848   powershell.exe
2624   powershell.exe
2588   powershell.exe
2880   powershell.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
description       ioc                                                                                                                                                                          Process
Set value (str)   \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\SolaraBETA = "C:\\Users\\Admin\\AppData\\Roaming\\SolaraBETA.exe"   FifFaf3.exe

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow   ioc
4      ip-api.com

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (5 IoCs)
pid    Process
2880   powershell.exe
2848   powershell.exe
2624   powershell.exe
2588   powershell.exe
3012   FifFaf3.exe

Suspicious use of AdjustPrivilegeToken (6 IoCs)
description                pid    Process
Token: SeDebugPrivilege    3012   FifFaf3.exe
Token: SeDebugPrivilege    2880   powershell.exe
Token: SeDebugPrivilege    2848   powershell.exe
Token: SeDebugPrivilege    2624   powershell.exe
Token: SeDebugPrivilege    2588   powershell.exe
Token: SeDebugPrivilege    3012   FifFaf3.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
pid    Process
3012   FifFaf3.exe

Suspicious use of WriteProcessMemory (12 IoCs)
description                         pid    Process       procid_target
PID 3012 wrote to memory of 2880    3012   FifFaf3.exe   31
PID 3012 wrote to memory of 2880    3012   FifFaf3.exe   31
PID 3012 wrote to memory of 2880    3012   FifFaf3.exe   31
PID 3012 wrote to memory of 2848    3012   FifFaf3.exe   33
PID 3012 wrote to memory of 2848    3012   FifFaf3.exe   33
PID 3012 wrote to memory of 2848    3012   FifFaf3.exe   33
PID 3012 wrote to memory of 2624    3012   FifFaf3.exe   35
PID 3012 wrote to memory of 2624    3012   FifFaf3.exe   35
PID 3012 wrote to memory of 2624    3012   FifFaf3.exe   35
PID 3012 wrote to memory of 2588    3012   FifFaf3.exe   37
PID 3012 wrote to memory of 2588    3012   FifFaf3.exe   37
PID 3012 wrote to memory of 2588    3012   FifFaf3.exe   37
Processes

C:\Users\Admin\AppData\Local\Temp\FifFaf3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\FifFaf3.exe"
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 3012

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\FifFaf3.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2880

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'FifFaf3.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2848

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\SolaraBETA.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2624

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SolaraBETA.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2588
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\VIAENLX3WMGKUCWDTIYC.temp
Filesize: 7KB
MD5: a53a4de1aa243f16705e0e6255d8c19d
SHA1: a84e04dfc6e08d9001abc2e0572eaf59d7947189
SHA256: d590dbe58306ff752b87252521b4a91ab36615be1136c99473ca67e641eeb2cd
SHA512: c55d0b28c02471ff439c57da7097bddba974c3315d055f64679536d96d637dfeda0b1a24d3f332f64010a9ff7aaf80c19b9a660adf153117e8a34b850e39242d