Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

Worm.Win32...ma.exe

windows7-x64

10

Worm.Win32...ma.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    15s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    19/09/2024, 05:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Worm.Win32.Ludbaruma.exe

  • Size

    45KB

  • MD5

    db9033e7597d4b6374687f905b6c7a90

  • SHA1

    56f3230e7e082e18bcb6f029a095f3bab0a643f3

  • SHA256

    ca190b44f75e56c761bdac39808ba488b84d948ff761d21e7ebe66a430bc9727

  • SHA512

    92767b84372e6ebfb3190f868888a816f58a230fc5c6d180be37e316219591367fcc8b0061597fb25e0b3c5e2fe43305f3b7310f45bcd3f8e30ad7e4667f8eb7

  • SSDEEP

    768:/mFQj8rM9whcqet8Wfb4JzRJwEIHU5U3rf12WmULgJs7DFK+5nEOK:1AwEmBT4JzRJwEeUW7f12xULgJzOK

Score
10/10
discoveryevasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Disables RegEdit via registry modification 2 IoCs
    evasion
  • Disables use of System Restore points 1 TTPs
    evasion
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 12 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
    persistence
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Control Panel 4 IoCs
    evasion
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • System policy modification 1 TTPs 4 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\Worm.Win32.Ludbaruma.exe
    "C:\Users\Admin\AppData\Local\Temp\Worm.Win32.Ludbaruma.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1716
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2728
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2180
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1932
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1632
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2064
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2820
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Defense Evasion

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Modify Registry

6
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

1
T1490

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE
    Filesize

    45KB

    MD5

    12469b824830d0e95c6378ecd565b523

    SHA1

    c83388f871bb84706ed149084aa3bfef6cc554f1

    SHA256

    7c083c155605d7cf41703238787edf1ebb93ef00e73f19a4ca6fa1174f407713

    SHA512

    e06d0b5169894a1e88703d237c02dae2984a543d8b4a7e279624a1835f7fe8e83c25a2513b772b6f1b786b9c8185490948e75e764467a88ddd96601584d846b3

    Download Submit

  • C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE
    Filesize

    45KB

    MD5

    ecbaff8874babfc86d2641c85ccdf261

    SHA1

    7c35fb742dbae72cf07039d8f9a81c7ef772dd7e

    SHA256

    a51a1a9bd1ef4848569ccf094544cd715e2842738cc518355baacd51689ee5c9

    SHA512

    469a8be7e447e5c36ad49a0b624d362c35017090e469e0f263c33f4c47159141b91d4f12531f3ada1f796d8c340f828265496bf31f2d62ff81bf21028d89baed

    Download Submit

  • C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE
    Filesize

    45KB

    MD5

    a5a472ae4647e6ee540fd44629c3fe6e

    SHA1

    83c0107075297a8e24fc48673bcc82a71479508d

    SHA256

    589722633a2bc0738872d446e7bce4cd426d1be9058e806ff30f8280bb722922

    SHA512

    ba6be73312e2484cae18b1cc004e951e860f51ca40efac5fd8332612ec74c72cdb84f003531feb677decefdd57f8afbcdf818900da5a2d22f5cc26e2163bc4a0

    Download Submit

  • C:\Users\Admin\AppData\Local\winlogon.exe
    Filesize

    45KB

    MD5

    db9033e7597d4b6374687f905b6c7a90

    SHA1

    56f3230e7e082e18bcb6f029a095f3bab0a643f3

    SHA256

    ca190b44f75e56c761bdac39808ba488b84d948ff761d21e7ebe66a430bc9727

    SHA512

    92767b84372e6ebfb3190f868888a816f58a230fc5c6d180be37e316219591367fcc8b0061597fb25e0b3c5e2fe43305f3b7310f45bcd3f8e30ad7e4667f8eb7

    Download Submit

  • C:\Windows\SysWOW64\IExplorer.exe
    Filesize

    45KB

    MD5

    484db6139bda8363bcae8ab703a5f806

    SHA1

    d218d0ebe59a87ead081b1ac8d57a210e6899942

    SHA256

    be9dd302a08d8260d82c5ad7de93cb208df5e1abb6699166a743308e03ca9faa

    SHA512

    3d4dd74e694de40981f2949f723869cf84880e080775cf79b827897395c1a78389d3c01a27b03e90e4b9e0f9a4d4c21797b44fc1730fa5f8d37a113e9184e8fd

    Download Submit

  • C:\Windows\xk.exe
    Filesize

    45KB

    MD5

    5cc282ff17209581bd43e681c6796924

    SHA1

    e5cbb2943889161a687752eaa39f5046d818be84

    SHA256

    a1b428806b372e3e2cf4e501bc733939e430175e93a20d4a8535e0a0a1a17255

    SHA512

    de100a919a1fca4bf28c05a10c9de569ad8fe7868e0a94ed72244881f562c25b34d8e000b71ed7871d5ca61e3b3b4bef287bbbd29e5723fe6df52092265b072e

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\SMSS.EXE
    Filesize

    45KB

    MD5

    ceea5becf5a7b486e87380aa0f580b94

    SHA1

    52221e4da76fd8dc16a71ef5a34e739ce08f3bcd

    SHA256

    f18369ac0d0c38eb228658d02da5fb35e6cbfac3f0fa926dbfe6a1a2e1e70025

    SHA512

    99f1f8496fc8db47bc367a7ca010ecfa283b20ac39b866db19da74820621349fc5e704d644e2d149d86c45e9d2f4b4e0991eb99faa1a7b65b121a00cd07adf24

    Download Submit

  • memory/1068-183-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1632-151-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1632-146-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1716-0-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1716-147-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1716-118-0x0000000002590000-0x00000000025BE000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1716-124-0x0000000002590000-0x00000000025BE000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1716-109-0x0000000002590000-0x00000000025BE000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1716-180-0x0000000002590000-0x00000000025BE000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1716-110-0x0000000002590000-0x00000000025BE000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1716-185-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1932-140-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2064-161-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2180-127-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2728-116-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2820-178-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download