Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 113s
- max time network: 69s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 19/09/2024, 05:57
Behavioral task: behavioral1
- Sample: 1a2054fcc986058de7b392795325a85d83ce9612537457b7edd03e8f6ff8dc5bN.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 1a2054fcc986058de7b392795325a85d83ce9612537457b7edd03e8f6ff8dc5bN.exe
- Resource: win10v2004-20240802-en
General
- Target: 1a2054fcc986058de7b392795325a85d83ce9612537457b7edd03e8f6ff8dc5bN.exe
- Size: 91KB
- MD5: 758bace8cda039bf69fc0911e57c0b70
- SHA1: cd38f2833fc1f3ef0935fea64835df0adb18224a
- SHA256: 1a2054fcc986058de7b392795325a85d83ce9612537457b7edd03e8f6ff8dc5b
- SHA512: 021c2eb621bc84d264cfe20334bfbe4981a69fb675bba9fc90db4c4fd26837daf0a8b69590d35bafb4860688af0d9a37142350a698964b09b24d162587780f90
- SSDEEP: 1536:It/CUcGlrtCdnbDfHmGROwzcWEniB6b6eOyRuC6ZN/9w7bOHjQPjn:kCqBCd/fhROw1EA6b6eTuFNFw7bODQLn
Malware Config
Extracted: xworm
- 127.0.0.1:63419
- Install_directory: %AppData%
- install_file: зсу.exe
Signatures
- Detect Xworm Payload (4 IoCs)
  resource | yara_rule
  behavioral1/memory/1672-1-0x0000000001340000-0x000000000135E000-memory.dmp | family_xworm
  behavioral1/files/0x0038000000014504-30.dat | family_xworm
  behavioral1/memory/1100-32-0x0000000000F80000-0x0000000000F9E000-memory.dmp | family_xworm
  behavioral1/memory/2176-34-0x0000000001100000-0x000000000111E000-memory.dmp | family_xworm
- Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  pid | Process
  2376 | powershell.exe
  2772 | powershell.exe
  2620 | powershell.exe
  380 | powershell.exe
- Executes dropped EXE (2 IoCs)
  pid | Process
  1100 | зсу.exe
  2176 | зсу.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\зсу = "C:\\Users\\Admin\\AppData\\Roaming\\зсу.exe" | 1a2054fcc986058de7b392795325a85d83ce9612537457b7edd03e8f6ff8dc5bN.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  2 | ip-api.com
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  648 | schtasks.exe
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid | Process
  2376 | powershell.exe
  2772 | powershell.exe
  2620 | powershell.exe
  380 | powershell.exe
  1672 | 1a2054fcc986058de7b392795325a85d83ce9612537457b7edd03e8f6ff8dc5bN.exe
- Suspicious use of AdjustPrivilegeToken (8 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1672 | 1a2054fcc986058de7b392795325a85d83ce9612537457b7edd03e8f6ff8dc5bN.exe
  Token: SeDebugPrivilege | 2376 | powershell.exe
  Token: SeDebugPrivilege | 2772 | powershell.exe
  Token: SeDebugPrivilege | 2620 | powershell.exe
  Token: SeDebugPrivilege | 380 | powershell.exe
  Token: SeDebugPrivilege | 1672 | 1a2054fcc986058de7b392795325a85d83ce9612537457b7edd03e8f6ff8dc5bN.exe
  Token: SeDebugPrivilege | 1100 | зсу.exe
  Token: SeDebugPrivilege | 2176 | зсу.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid | Process
  1672 | 1a2054fcc986058de7b392795325a85d83ce9612537457b7edd03e8f6ff8dc5bN.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  description | pid | Process | procid_target
  PID 1672 wrote to memory of 2376 | 1672 | 1a2054fcc986058de7b392795325a85d83ce9612537457b7edd03e8f6ff8dc5bN.exe | 29
  PID 1672 wrote to memory of 2376 | 1672 | 1a2054fcc986058de7b392795325a85d83ce9612537457b7edd03e8f6ff8dc5bN.exe | 29
  PID 1672 wrote to memory of 2376 | 1672 | 1a2054fcc986058de7b392795325a85d83ce9612537457b7edd03e8f6ff8dc5bN.exe | 29
  PID 1672 wrote to memory of 2772 | 1672 | 1a2054fcc986058de7b392795325a85d83ce9612537457b7edd03e8f6ff8dc5bN.exe | 31
  PID 1672 wrote to memory of 2772 | 1672 | 1a2054fcc986058de7b392795325a85d83ce9612537457b7edd03e8f6ff8dc5bN.exe | 31
  PID 1672 wrote to memory of 2772 | 1672 | 1a2054fcc986058de7b392795325a85d83ce9612537457b7edd03e8f6ff8dc5bN.exe | 31
  PID 1672 wrote to memory of 2620 | 1672 | 1a2054fcc986058de7b392795325a85d83ce9612537457b7edd03e8f6ff8dc5bN.exe | 33
  PID 1672 wrote to memory of 2620 | 1672 | 1a2054fcc986058de7b392795325a85d83ce9612537457b7edd03e8f6ff8dc5bN.exe | 33
  PID 1672 wrote to memory of 2620 | 1672 | 1a2054fcc986058de7b392795325a85d83ce9612537457b7edd03e8f6ff8dc5bN.exe | 33
  PID 1672 wrote to memory of 380 | 1672 | 1a2054fcc986058de7b392795325a85d83ce9612537457b7edd03e8f6ff8dc5bN.exe | 35
  PID 1672 wrote to memory of 380 | 1672 | 1a2054fcc986058de7b392795325a85d83ce9612537457b7edd03e8f6ff8dc5bN.exe | 35
  PID 1672 wrote to memory of 380 | 1672 | 1a2054fcc986058de7b392795325a85d83ce9612537457b7edd03e8f6ff8dc5bN.exe | 35
  PID 1672 wrote to memory of 648 | 1672 | 1a2054fcc986058de7b392795325a85d83ce9612537457b7edd03e8f6ff8dc5bN.exe | 37
  PID 1672 wrote to memory of 648 | 1672 | 1a2054fcc986058de7b392795325a85d83ce9612537457b7edd03e8f6ff8dc5bN.exe | 37
  PID 1672 wrote to memory of 648 | 1672 | 1a2054fcc986058de7b392795325a85d83ce9612537457b7edd03e8f6ff8dc5bN.exe | 37
  PID 2340 wrote to memory of 1100 | 2340 | taskeng.exe | 42
  PID 2340 wrote to memory of 1100 | 2340 | taskeng.exe | 42
  PID 2340 wrote to memory of 1100 | 2340 | taskeng.exe | 42
  PID 2340 wrote to memory of 2176 | 2340 | taskeng.exe | 43
  PID 2340 wrote to memory of 2176 | 2340 | taskeng.exe | 43
  PID 2340 wrote to memory of 2176 | 2340 | taskeng.exe | 43
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\1a2054fcc986058de7b392795325a85d83ce9612537457b7edd03e8f6ff8dc5bN.exe (PID 1672)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1a2054fcc986058de7b392795325a85d83ce9612537457b7edd03e8f6ff8dc5bN.exe"
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2376)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1a2054fcc986058de7b392795325a85d83ce9612537457b7edd03e8f6ff8dc5bN.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2772)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '1a2054fcc986058de7b392795325a85d83ce9612537457b7edd03e8f6ff8dc5bN.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2620)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\зсу.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 380)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'зсу.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\schtasks.exe (PID 648)
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "зсу" /tr "C:\Users\Admin\AppData\Roaming\зсу.exe"
    - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\taskeng.exe (PID 2340)
  Command line: taskeng.exe {2A90116E-DE3D-4C13-B5B5-D4822532BE0B} S-1-5-21-312935884-697965778-3955649944-1000:MXQFNXLT\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\зсу.exe (PID 1100)
    Command line: C:\Users\Admin\AppData\Roaming\зсу.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Roaming\зсу.exe (PID 2176)
    Command line: C:\Users\Admin\AppData\Roaming\зсу.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 409594124236010228b296e5daf69265
  SHA1: 6569c750e5dfd4e178c244bc7ade11afacbec25f
  SHA256: 38a0242a87f4c81f90f9f7a9049d7eed8ee27de5831691e1265a437c04c77bb7
  SHA512: 230bca33986300748f19e48783477cdd18c04f3805ef03f6d4212ba0fd99c53b592591b1c9bcc96d4bf9d4c6740ba41c8afb4213d3ee01d481f5b62652efa824
- Filesize: 91KB
  MD5: 758bace8cda039bf69fc0911e57c0b70
  SHA1: cd38f2833fc1f3ef0935fea64835df0adb18224a
  SHA256: 1a2054fcc986058de7b392795325a85d83ce9612537457b7edd03e8f6ff8dc5b
  SHA512: 021c2eb621bc84d264cfe20334bfbe4981a69fb675bba9fc90db4c4fd26837daf0a8b69590d35bafb4860688af0d9a37142350a698964b09b24d162587780f90