Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

880cb80d1d...3a.exe

windows7-x64

10

880cb80d1d...3a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    21/09/2024, 01:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    880cb80d1d206d83854ee3e6a2ffd5d25a1d3acaa2aa1513842243af5fee233a.exe

  • Size

    41KB

  • MD5

    0897b11d95ee6b03e0aa842a221983c9

  • SHA1

    b1bd0eb1d20bd70706f3a19707719fad18aa4365

  • SHA256

    880cb80d1d206d83854ee3e6a2ffd5d25a1d3acaa2aa1513842243af5fee233a

  • SHA512

    39bdcf88660ee14a0c6b3b6d2402991ab80bbfa05b526cd6d5b10c035a6ebf63b349b3f2c9532f048301f8415c2bbed57bc0f4409273fe8ec2014a63dbd9dc72

  • SSDEEP

    768:f2jIdDG5gT9kyOz8me4jl2QX/p3/FWPG9sq96OOwhfQiXdf:+jIdDG5Dxzleyl2QRFv9sC6OOwRxXp

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

md2hTRMYBpbXprs1

Attributes
  • Install_directory

    %AppData%

  • install_file

    Steam.exe

  • pastebin_url

    https://pastebin.com/raw/Pit7WkAV

  • telegram

    https://api.telegram.org/bot7494729704:AAGLY8mnPxkjjCvoEz520yCBT4GLhlnhRaI/sendMessage?chat_id=7222032715

aes.plain

Signatures

  • Detect Xworm Payload 4 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\880cb80d1d206d83854ee3e6a2ffd5d25a1d3acaa2aa1513842243af5fee233a.exe
    "C:\Users\Admin\AppData\Local\Temp\880cb80d1d206d83854ee3e6a2ffd5d25a1d3acaa2aa1513842243af5fee233a.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2248
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\880cb80d1d206d83854ee3e6a2ffd5d25a1d3acaa2aa1513842243af5fee233a.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2848
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '880cb80d1d206d83854ee3e6a2ffd5d25a1d3acaa2aa1513842243af5fee233a.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2732
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Steam.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2560
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Steam.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1856
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Steam" /tr "C:\Users\Admin\AppData\Roaming\Steam.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2116
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {1E723DBF-BD0F-459E-A9F5-48FA3FE3919B} S-1-5-21-457978338-2990298471-2379561640-1000:WOUOSVRD\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2152
    • C:\Users\Admin\AppData\Roaming\Steam.exe
      C:\Users\Admin\AppData\Roaming\Steam.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1860
    • C:\Users\Admin\AppData\Roaming\Steam.exe
      C:\Users\Admin\AppData\Roaming\Steam.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:792

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    f0f5e65d6e833fb6ff1a61659fbef7f1

    SHA1

    07896f897d8df5a8486c411fb0b56af53f4b418f

    SHA256

    e453c6d22b0e9dc4432337ccce4c52bea86d79d6bf3e7e23893b6bf5826d8b28

    SHA512

    84c229e21a4b1bd46093cf618336885c4642551514f5d3584b08a1d37d360728bd6a015d74ae9249fe11da0e08d5ec99a0ceba72db2e9b66673c90fa3bb759fd

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Steam.exe
    Filesize

    41KB

    MD5

    0897b11d95ee6b03e0aa842a221983c9

    SHA1

    b1bd0eb1d20bd70706f3a19707719fad18aa4365

    SHA256

    880cb80d1d206d83854ee3e6a2ffd5d25a1d3acaa2aa1513842243af5fee233a

    SHA512

    39bdcf88660ee14a0c6b3b6d2402991ab80bbfa05b526cd6d5b10c035a6ebf63b349b3f2c9532f048301f8415c2bbed57bc0f4409273fe8ec2014a63dbd9dc72

    Download Submit

  • memory/792-40-0x0000000000A40000-0x0000000000A50000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1860-38-0x0000000000140000-0x0000000000150000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2248-32-0x000000001B410000-0x000000001B490000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2248-1-0x00000000010A0000-0x00000000010B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2248-0-0x000007FEF6243000-0x000007FEF6244000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2248-33-0x000000001B410000-0x000000001B490000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2248-27-0x000007FEF6243000-0x000007FEF6244000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2732-14-0x000000001B120000-0x000000001B402000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2732-15-0x0000000002490000-0x0000000002498000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2848-8-0x00000000022A0000-0x00000000022A8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2848-7-0x000000001B2C0000-0x000000001B5A2000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2848-6-0x00000000028A0000-0x0000000002920000-memory.dmp

    Filesize

    512KB

    Download