Analysis
max time kernel: 149s
max time network: 124s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 05/09/2024, 01:07
Static task: static1
Behavioral task: behavioral1
  Sample: c9IDU7463.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: c9IDU7463.exe
  Resource: win10v2004-20240802-en
General
Target: c9IDU7463.exe
Size: 971KB
MD5: 26efc684ddd0782b295a6ee4a76e3256
SHA1: 08cc73ef5c1b02e09765181a5acee1a7018dcffc
SHA256: bf832f28b8d9f2ff077f691bd7e8a2cf46f3a4ac0ee8ee2d2f2944089abd20ab
SHA512: 20ba9e73514148613943db974cf88874907f9fe19e1cf5d81d9bf83ffbd233be80e925c62a5430a7ef69099e603ae54d60680020e0de58e632897f8c4aecfb49
SSDEEP: 24576:5tVd1nnqxDvo1QtHCX1LcsRt0ni/V27INjQL:5tVDnquatHCX1Lcs422kpQL
Malware Config
Extracted: xworm
  127.0.0.1:7000
  Install_directory: %AppData%
  install_file: USB.exe
Signatures

Detect Xworm Payload (2 IoCs)
  resource | yara_rule
  behavioral1/files/0x00130000000054a9-54.dat | family_xworm
  behavioral1/memory/1544-56-0x0000000000030000-0x0000000000052000-memory.dmp | family_xworm

Command and Scripting Interpreter: PowerShell (1 TTPs, 6 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, or processes. In this run every flagged invocation is an Add-MpPreference call that adds a path (-ExclusionPath) or process (-ExclusionProcess) exclusion.
  pid | Process
  1792 | powershell.exe
  2240 | powershell.exe
  1828 | powershell.exe
  2352 | powershell.exe
  2148 | powershell.exe
  1596 | powershell.exe

Deletes itself (1 IoCs)
  pid | Process
  2444 | cmd.exe

Drops startup file (2 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\malware builder.lnk | Windows Security Notification.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\malware builder.lnk | Windows Security Notification.exe

Executes dropped EXE (3 IoCs)
  pid | Process
  2108 | Client Server Runtime Process.exe
  752 | Windows Security.exe
  1544 | Windows Security Notification.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\malware builder = "C:\\Users\\Admin\\AppData\\Roaming\\malware builder" | Windows Security Notification.exe

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  4 | ip-api.com

Obfuscated Files or Information: Command Obfuscation (1 TTPs)
Adversaries may obfuscate content during command execution to impede detection.
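The process tree below records two powershell.exe invocations (PIDs 2056 and 3000) that pass their script via -EncodedCommand; decoded, each is an Add-MpPreference call padded with `<# ... #>` block comments, and it excludes $env:UserProfile and $env:SystemDrive from Defender scanning, which covers the whole disk. The other six invocations pass the same cmdlet in plaintext. The following is an added example, not part of the tria.ge report or of the sample: it decodes the -EncodedCommand payload (base64 over UTF-16LE, which is what powershell.exe expects), strips the comment filler, and lists the Defender exclusions each recorded command line adds. The host-switch table and the benign contrast line are this example's own.

```python
"""Recover and classify the PowerShell command lines recorded in this report.

Added example, not part of the tria.ge report or of the sample: decodes any
-EncodedCommand payload (base64 over UTF-16LE), strips the <# ... #> block
comments the decoded scripts are padded with, and lists the Defender
exclusions each Add-/Set-MpPreference call adds (ATT&CK T1562.001).
"""
import base64
import re

BLOCK_COMMENT = re.compile(r"<#.*?#>", re.DOTALL)
# value after -Exclusion*: 'single-quoted', "double-quoted", an @( ... ) array, or a bare token
EXCLUSION_ARG = re.compile(r"-(Exclusion\w+)\s+('[^']*'|\"[^\"]*\"|@\([^)]*\)|\S+)", re.IGNORECASE)
MPPREF = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.IGNORECASE)

# powershell.exe host switches; PowerShell accepts any unambiguous prefix (-ec, -nop, -w, ...)
SWITCHES_WITH_ARG = ("executionpolicy", "windowstyle", "inputformat", "outputformat")
FLAG_SWITCHES = ("noprofile", "nologo", "noninteractive", "noexit", "sta", "mta", "command")


def _is_prefix_of(name, candidates):
    return bool(name) and any(c.startswith(name) for c in candidates)


def decode_encoded_command(b64):
    """-EncodedCommand carries the script as base64 of its UTF-16LE bytes."""
    return base64.b64decode(b64).decode("utf-16-le")


def strip_block_comments(script):
    """Drop <# ... #> comments (pure filler here) and collapse the whitespace left behind."""
    return " ".join(BLOCK_COMMENT.sub(" ", script).split())


def recover_script(cmdline):
    """Return the script a powershell.exe command line actually executes, normalised."""
    tokens = cmdline.split()
    # a quoted image path containing spaces spans several tokens: rejoin up to the closing quote
    if tokens and tokens[0].startswith('"'):
        while len(tokens) > 1 and not tokens[0].endswith('"'):
            tokens[0:2] = [tokens[0] + " " + tokens[1]]
    tokens = tokens[1:]  # drop the image path
    while tokens and tokens[0].startswith("-"):
        name = tokens[0].lower().lstrip("-")
        if _is_prefix_of(name, ("encodedcommand",)) and len(tokens) > 1:
            return strip_block_comments(decode_encoded_command(tokens[1].strip("\"'")))
        if _is_prefix_of(name, SWITCHES_WITH_ARG):
            tokens = tokens[2:]
        elif _is_prefix_of(name, FLAG_SWITCHES):
            tokens = tokens[1:]
        else:
            break  # first parameter of the script itself, not a host switch
    return strip_block_comments(" ".join(tokens))


def defender_exclusions(script):
    """[(parameter, value)] for each -Exclusion* handed to Add-/Set-MpPreference."""
    if not MPPREF.search(script):
        return []
    return [(m.group(1), m.group(2).strip("'\"")) for m in EXCLUSION_ARG.finditer(script)]


POWERSHELL = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"'
# command lines as recorded in this report's process tree (pid -> command line)
REPORT_COMMAND_LINES = {
    2240: POWERSHELL + " -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath "
          r"'C:\Windows\System32\Client Server Runtime Process.exe'",
    2056: POWERSHELL + ' -EncodedCommand "PAAjAG4AZwB0ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGkAeABoACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdQBmACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGoAYgBqACMAPgA="',
    3000: POWERSHELL + ' -EncodedCommand "PAAjAHYAZQBuACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHEAdQB3ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGUAegB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAdQBuACMAPgA="',
    1792: POWERSHELL + " -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'malware builder'",
}
# constructed for contrast, not from the report: reads the Defender config and changes nothing
BENIGN_COMMAND_LINE = POWERSHELL + " -NoProfile -Command Get-MpPreference"


def triage(command_lines):
    """pid -> (recovered script, Defender exclusions it adds)."""
    out = {}
    for pid, cmdline in command_lines.items():
        script = recover_script(cmdline)
        out[pid] = (script, defender_exclusions(script))
    return out


if __name__ == "__main__":
    for pid, (script, exclusions) in triage(REPORT_COMMAND_LINES).items():
        print(f"PID {pid}: {script}")
        for param, value in exclusions:
            print(f"    Defender -{param} -> {value}")
```

The two encoded payloads differ only in the three-letter comment bodies (`<#ngt#>`, `<#ixh#>`, ... versus `<#ven#>`, `<#quw#>`, ...), so after comment stripping they normalise to the same `Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force`; a detection keyed on the decoded, comment-stripped script is therefore stable across the sample's randomised filler, whereas one keyed on the raw base64 is not.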
Drops file in System32 directory (8 IoCs)
  description | ioc | Process
  File opened for modification (6 occurrences) | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
  File created | C:\Windows\System32\Client Server Runtime Process.exe | c9IDU7463.exe
  File opened for modification | C:\Windows\System32\Client Server Runtime Process.exe | c9IDU7463.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Delays execution with timeout.exe (1 IoCs)
  pid | Process
  1224 | timeout.exe

Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  2836 | schtasks.exe

Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  pid | Process
  1544 | Windows Security Notification.exe

Suspicious behavior: EnumeratesProcesses (12 IoCs)
  pid | Process
  2436 | c9IDU7463.exe (3 occurrences)
  2240 | powershell.exe
  1828 | powershell.exe
  2056 | powershell.exe
  3000 | powershell.exe
  2352 | powershell.exe
  2148 | powershell.exe
  1596 | powershell.exe
  1792 | powershell.exe
  1544 | Windows Security Notification.exe

Suspicious use of AdjustPrivilegeToken (16 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2436 | c9IDU7463.exe
  Token: SeBackupPrivilege | 2132 | vssvc.exe
  Token: SeRestorePrivilege | 2132 | vssvc.exe
  Token: SeAuditPrivilege | 2132 | vssvc.exe
  Token: SeDebugPrivilege | 2240 | powershell.exe
  Token: SeDebugPrivilege | 1828 | powershell.exe
  Token: SeDebugPrivilege | 2108 | Client Server Runtime Process.exe (2 occurrences)
  Token: SeDebugPrivilege | 2056 | powershell.exe
  Token: SeDebugPrivilege | 3000 | powershell.exe
  Token: SeDebugPrivilege | 1544 | Windows Security Notification.exe (2 occurrences)
  Token: SeDebugPrivilege | 2352 | powershell.exe
  Token: SeDebugPrivilege | 2148 | powershell.exe
  Token: SeDebugPrivilege | 1596 | powershell.exe
  Token: SeDebugPrivilege | 1792 | powershell.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
  pid | Process
  1544 | Windows Security Notification.exe

Suspicious use of WriteProcessMemory (42 IoCs)
Each parent/child pair below is recorded three times in the raw report (14 pairs, 42 events); it is listed once here.
  description | pid | Process | procid_target
  PID 2436 wrote to memory of 2240 | 2436 | c9IDU7463.exe | 34
  PID 2436 wrote to memory of 1828 | 2436 | c9IDU7463.exe | 36
  PID 2436 wrote to memory of 2444 | 2436 | c9IDU7463.exe | 40
  PID 2444 wrote to memory of 1224 | 2444 | cmd.exe | 42
  PID 2032 wrote to memory of 2108 | 2032 | taskeng.exe | 43
  PID 2108 wrote to memory of 2056 | 2108 | Client Server Runtime Process.exe | 44
  PID 2108 wrote to memory of 752 | 2108 | Client Server Runtime Process.exe | 46
  PID 752 wrote to memory of 3000 | 752 | Windows Security.exe | 47
  PID 752 wrote to memory of 1544 | 752 | Windows Security.exe | 49
  PID 1544 wrote to memory of 2352 | 1544 | Windows Security Notification.exe | 50
  PID 1544 wrote to memory of 2148 | 1544 | Windows Security Notification.exe | 52
  PID 1544 wrote to memory of 1596 | 1544 | Windows Security Notification.exe | 54
  PID 1544 wrote to memory of 1792 | 1544 | Windows Security Notification.exe | 56
  PID 1544 wrote to memory of 2836 | 1544 | Windows Security Notification.exe | 58

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
(indentation shows parent/child depth; each node lists image, command line, PID and the signatures it triggered)

c9IDU7463.exe (PID 2436)
  image:   C:\Users\Admin\AppData\Local\Temp\c9IDU7463.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\c9IDU7463.exe"
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  powershell.exe (PID 2240)
    image:   C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Client Server Runtime Process.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  powershell.exe (PID 1828)
    image:   C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Client Server Runtime Process.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  cmd.exe (PID 2444)
    image:   C:\Windows\system32\cmd.exe
    cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpD079.tmp.bat""
    - Deletes itself
    - Suspicious use of WriteProcessMemory

    timeout.exe (PID 1224)
      image:   C:\Windows\system32\timeout.exe
      cmdline: timeout 3
      - Delays execution with timeout.exe

vssvc.exe (PID 2132)
  image:   C:\Windows\system32\vssvc.exe
  cmdline: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

taskeng.exe (PID 2032)
  image:   C:\Windows\system32\taskeng.exe
  cmdline: taskeng.exe {A54C3C24-CC1C-4596-A0A6-9A2887C56A43} S-1-5-21-2872745919-2748461613-2989606286-1000:CCJBVTGQ\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory

  Client Server Runtime Process.exe (PID 2108)
    image:   C:\Windows\System32\Client Server Runtime Process.exe
    cmdline: "C:\Windows\System32\Client Server Runtime Process.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    powershell.exe (PID 2056)
      image:   C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwB0ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGkAeABoACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdQBmACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGoAYgBqACMAPgA="
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    Windows Security.exe (PID 752)
      image:   C:\Users\Admin\AppData\Local\Temp\Windows Security.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\Windows Security.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

      powershell.exe (PID 3000)
        image:   C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHYAZQBuACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHEAdQB3ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGUAegB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAdQBuACMAPgA="
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      Windows Security Notification.exe (PID 1544)
        image:   C:\Users\Admin\AppData\Local\Temp\Windows Security Notification.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\Windows Security Notification.exe"
        - Drops startup file
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        powershell.exe (PID 2352)
          image:   C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Windows Security Notification.exe'
          - Command and Scripting Interpreter: PowerShell
          - Drops file in System32 directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        powershell.exe (PID 2148)
          image:   C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Security Notification.exe'
          - Command and Scripting Interpreter: PowerShell
          - Drops file in System32 directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        powershell.exe (PID 1596)
          image:   C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\malware builder'
          - Command and Scripting Interpreter: PowerShell
          - Drops file in System32 directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        powershell.exe (PID 1792)
          image:   C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'malware builder'
          - Command and Scripting Interpreter: PowerShell
          - Drops file in System32 directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        schtasks.exe (PID 2836)
          image:   C:\Windows\System32\schtasks.exe
          cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "malware builder" /tr "C:\Users\Admin\AppData\Roaming\malware builder"
          - Scheduled Task/Job: Scheduled Task
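The schtasks.exe line at PID 2836 is the sample's third persistence mechanism alongside the Run key and the Startup-folder .lnk listed under Signatures, and all three point at the same C:\Users\Admin\AppData\Roaming\malware builder path. What makes that line stand out is not any single switch but the combination: a one-minute repeat, /RL HIGHEST, a forced overwrite, and a target under a user-writable directory with no file extension. The following is an added example, not part of the tria.ge report or of the sample: it parses a schtasks /create command line into its switches and scores it against those heuristics (ATT&CK T1053.005). The heuristics and the benign contrast line are this example's own; the flagged line is the one recorded above.

```python
"""Score schtasks.exe persistence of the kind recorded in this report.

Added example, not part of the tria.ge report or of the sample: parses a
schtasks /create command line into its switches and applies hunting
heuristics (repeat interval, run level, target location, missing extension,
forced overwrite). The heuristics and the benign line are this example's own.
"""
import re

TOKEN = re.compile(r'"[^"]*"|\S+')  # cmd-style tokens: keep quoted spans whole
# schtasks switches that take a value; anything else starting with "/" is treated as a flag
SWITCHES_WITH_VALUE = {"/sc", "/mo", "/tn", "/tr", "/rl", "/ru", "/rp", "/st", "/sd", "/ed",
                       "/et", "/d", "/m", "/i", "/du", "/xml", "/s", "/u", "/p", "/ec"}
USER_WRITABLE = re.compile(r"\\(?:Users|ProgramData)\\|%(?:AppData|LocalAppData|Temp|UserProfile|Public)%",
                           re.IGNORECASE)
EXECUTABLE_EXT = re.compile(r'\.(?:exe|com|bat|cmd|ps1|vbs|js|hta|msi|dll|scr)(?=$|\s|")', re.IGNORECASE)


def parse_schtasks(cmdline):
    """Return {switch: value_or_True}; switches lower-cased, quotes removed from values."""
    tokens = TOKEN.findall(cmdline)[1:]  # drop the image path
    opts, i = {}, 0
    while i < len(tokens):
        tok = tokens[i].lower()
        if tok in SWITCHES_WITH_VALUE and i + 1 < len(tokens):
            opts[tok] = tokens[i + 1].strip('"')
            i += 2
        elif tok.startswith("/"):
            opts[tok] = True
            i += 1
        else:
            i += 1  # stray positional token; schtasks itself would reject it
    return opts


def interval_minutes(opts):
    """Repeat interval implied by /sc and /mo, or None when the schedule is not interval-based."""
    modifier = str(opts.get("/mo", "1"))
    if not modifier.isdigit():
        return None
    per_unit = {"minute": 1, "hourly": 60, "daily": 1440}.get(str(opts.get("/sc", "")).lower())
    return int(modifier) * per_unit if per_unit else None


def score_schtasks(cmdline):
    """(score, reasons) for a schtasks command line; score is the number of heuristics hit."""
    opts = parse_schtasks(cmdline)
    if "/create" not in opts:
        return 0, []
    target = opts.get("/tr", "")
    if not isinstance(target, str):  # "/tr" given without a value
        target = ""
    reasons = []
    minutes = interval_minutes(opts)
    if minutes is not None and minutes <= 5:
        reasons.append(f"/sc {opts['/sc']} /mo {opts.get('/mo', 1)}: relaunch every {minutes} min, watchdog-style")
    if str(opts.get("/rl", "")).upper() == "HIGHEST":
        reasons.append("/RL HIGHEST: runs with the creator's full elevated token")
    if USER_WRITABLE.search(target):
        reasons.append("/tr target lives under a user-writable path")
    if target and not EXECUTABLE_EXT.search(target):
        reasons.append("/tr target has no recognisable executable extension")
    if "/f" in opts:
        reasons.append("/f: silently overwrites any existing task of that name")
    return len(reasons), reasons


# the schtasks line from this report's process tree (PID 2836)
REPORT_SCHTASKS = (r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 '
                   r'/tn "malware builder" /tr "C:\Users\Admin\AppData\Roaming\malware builder"')
# constructed for contrast, not from the report: a plausible nightly maintenance task
BENIGN_SCHTASKS = (r'"C:\Windows\System32\schtasks.exe" /create /tn "Nightly Backup" '
                   r'/tr "C:\Program Files\Backup\backup.exe" /sc daily /st 02:00')

if __name__ == "__main__":
    for line in (REPORT_SCHTASKS, BENIGN_SCHTASKS):
        score, reasons = score_schtasks(line)
        print(f"score {score}: {line}")
        for reason in reasons:
            print("   -", reason)
```

The same parsed fields are what a hunting query over Sysmon process-creation events (or the TaskScheduler operational log) would key on; a one-minute /sc minute task is almost never legitimate administration, and pairing it with a /tr target under \Users\ is a high-confidence indicator on its own.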
MITRE ATT&CK Enterprise v15
Execution
  Command and Scripting Interpreter (1): PowerShell (1)
  Scheduled Task/Job (1): Scheduled Task (1)
Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1): Scheduled Task (1)
Downloads

Filesize: 114KB
MD5: d59bcf447ab9a90d1c6e9701d85d5700
SHA1: c7eff0f1d56e71a601cff1e161879ea520886a32
SHA256: 50738407f70e37470182a0da6b44e78eb9cd2be3f7c43e066ea85f92388c79ae
SHA512: 4a33de1700a6740c354d79b6e2f706dbc924805b6c8aae03d68cf17427e52a58e65a177622266f4d4e9d0d0904d8ab7a55af2576d555bcc5868b9084730e7180

Filesize: 164KB
MD5: 9efb0ca4f150666bedbc6ef91e0e6f4b
SHA1: 13b140227e709d3a534d4158111c9256b14474b3
SHA256: 5ff4fc5985d8d9877dd5b4abe081ee91681b187e99a466b802a8795fd9e500ab
SHA512: 7e16155776a1431eda8da3b2fe134b52863c0917170dc64ded710c5133705a0c019c930f696d5972a0a63270f59900cfca4b776631c0b5442c62696db4f7ca36

Filesize: 161B
MD5: 85b198e0ceb42e8889a3431ab462862b
SHA1: 2e8fd589d5f90ec3c2f245ef110da367ea79f2bb
SHA256: a386e2faba834a3fcbc453b9a7b7052172bafe7d4cd896a7d5afc34c3ed54a21
SHA512: 883a102def4f360e5ced0933783ed583898b212a6d33d6b5aaabbc66614304862a1da526bcf1b77a3bdb7f36e3c9611d2aa83fe4d15e1fce0c4207a5464095b8

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (Explorer jump list; three versions captured)
Filesize: 7KB
MD5: 4f0e7ccd703c3fcd69deb7430a7c1ad4
SHA1: 546d29162a2049e0f303e49e868d87bbf28c966b
SHA256: 07267bdd7040491adeba7359298e6d2f7705e9fb26e3e2efcac128232f071d99
SHA512: d2429c6a250fda52ead3db49b5a510b0d09387c9bcee2d57a8c83d7c2a3d05dbf21d890cf42d700b328f4c971f9b5a51d57d7be0691c041e186b80397accb129

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: c61513dd7527e37e9c087a0f88fe04d1
SHA1: 75eb2a959cd1a856578d528c0ccca2000dc17d96
SHA256: a5db6933d1889f0918ce2cbda2d90fc59b4848f59752f24c6673ec75cb10fa60
SHA512: 9bcab283524db58c9b6ded3d18e48fe2d1ef29477d944e34335fda580b336f1a73638e8d61d2aa4dfbf70444fa1feebb10ead0f33178ff939abe09a0ec9667c7

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: cb9d70b4fd0ab956e11225408571ddf0
SHA1: 14e11e12a44378d612e185152a967ede6e9644c5
SHA256: 3c98d1e70f6d4a487698324a5225295e790ccc636a694fba48406610023e287c
SHA512: ad775e101034601d1a26b3ed6f5a231409befced88adf51c5bc3fb34e6cf346f96d0953f012d69d7c7cb712cf4c48412be9254d9a389d806e6be9b63bd1a0d33

Filesize: 971KB (hashes identical to the submitted sample c9IDU7463.exe)
MD5: 26efc684ddd0782b295a6ee4a76e3256
SHA1: 08cc73ef5c1b02e09765181a5acee1a7018dcffc
SHA256: bf832f28b8d9f2ff077f691bd7e8a2cf46f3a4ac0ee8ee2d2f2944089abd20ab
SHA512: 20ba9e73514148613943db974cf88874907f9fe19e1cf5d81d9bf83ffbd233be80e925c62a5430a7ef69099e603ae54d60680020e0de58e632897f8c4aecfb49