Analysis

max time kernel: 122s
max time network: 123s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 25/09/2024, 06:31
Behavioral tasks

behavioral1: sample test.exe, resource win7-20240903-en
behavioral2: sample test.exe, resource win10-20240404-en
behavioral3: sample test.exe, resource win10v2004-20240802-en
General

Target: test.exe
Size: 32KB
MD5: 9ef813f8d17e2b07e3e22ca9136cfde3
SHA1: 5b75837d1ec6b17af46ea657431424e876977b0b
SHA256: 893847d848f3a7dad901866ad350530f91100d52c3db60fbefec8a9f33f1d472
SHA512: 8862cd1cb967ccb66106f031ef37fc6dbc4a240101aa3782b66b5f5a0810e78dfc47eab8c5ce0c26e7acc637ecdf391b4f0ea6d4ec99411e4e5bf270aad083b6
SSDEEP: 768:mRPD9OQhx/Bg3Tw4xKdVFE9jAVLFOjh1b2:md9OW/g3U4xcFE9jAVLFOjXK
Malware Config

Extracted family: xworm
Version: 5.0
C2: 4.tcp.eu.ngrok.io:19050
FT7jVsIDwcsDC2pB
install_file: USB.exe
Signatures

Detect Xworm Payload (1 IoC)
resource: behavioral1/memory/2304-1-0x0000000000A10000-0x0000000000A1E000-memory.dmp
yara_rule: family_xworm

Deletes itself (1 IoC)
pid 2540, process cmd.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 1 IoC)
flow 2, ioc 4.tcp.eu.ngrok.io

Delays execution with timeout.exe (1 IoC)
pid 2616, process timeout.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Token: SeDebugPrivilege, pid 2304, process test.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | process | procid_target
PID 2304 wrote to memory of 2540 | 2304 | test.exe | 32
PID 2304 wrote to memory of 2540 | 2304 | test.exe | 32
PID 2304 wrote to memory of 2540 | 2304 | test.exe | 32
PID 2540 wrote to memory of 2616 | 2540 | cmd.exe | 34
PID 2540 wrote to memory of 2616 | 2540 | cmd.exe | 34
PID 2540 wrote to memory of 2616 | 2540 | cmd.exe | 34
Processes

C:\Users\Admin\AppData\Local\Temp\test.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\test.exe"
  PID: 2304
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\cmd.exe (child of 2304)
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp95D9.tmp.bat""
    PID: 2540
    - Deletes itself
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\timeout.exe (child of 2540)
      command line: timeout 3
      PID: 2616
      - Delays execution with timeout.exe
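The process tree above shows two things a detection engineer would want to match on: the sample (PID 2304) spawning cmd.exe on a .bat dropped in %TEMP%, which in turn runs timeout before the "Deletes itself" signature fires, and the C2 being an ngrok TCP tunnel (4.tcp.eu.ngrok.io:19050 from the extracted config). The following is an added example, not part of the tria.ge report or the XWorm sample: it runs both checks over constructed process-creation and network events that mirror the PIDs, images and command lines in this report. The event field names (pid, ppid, image, cmdline, dst_host, dst_port), the parent PID 1000 and the benign "backup.bat" noise event are assumptions, not a Sysmon or tria.ge schema, and the ngrok hostname pattern covers the regional `N.tcp.<cc>.ngrok.io` form seen here plus the unregional `N.tcp.ngrok.io` form; it is not a complete list of ngrok endpoints.

```python
"""
Detection sketch for the self-deletion chain and ngrok TCP tunnel C2
visible in the report. All events below are constructed for the example.
"""
import re
from collections import defaultdict

# Constructed process-creation events, modelled on the report's process tree.
# The parent PID 1000 for the top-level processes is an assumption.
PROCESS_EVENTS = [
    {"pid": 2304, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\test.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\test.exe"'},
    {"pid": 2540, "ppid": 2304,
     "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp95D9.tmp.bat""'},
    {"pid": 2616, "ppid": 2540,
     "image": r"C:\Windows\system32\timeout.exe",
     "cmdline": "timeout 3"},
    # Constructed benign noise: a batch script run from a non-temp location.
    {"pid": 3000, "ppid": 1000,
     "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'cmd /c "C:\Scripts\backup.bat"'},
]

# Constructed network events; the first is the C2 from the extracted config.
NETWORK_EVENTS = [
    {"pid": 2304, "dst_host": "4.tcp.eu.ngrok.io", "dst_port": 19050},
    {"pid": 3000, "dst_host": "updates.example.com", "dst_port": 443},
]

# A .bat under the user's %TEMP% directory, anywhere in the command line.
TEMP_BAT_RE = re.compile(r'\\AppData\\Local\\Temp\\[^\\"]+\.bat', re.IGNORECASE)
# ngrok TCP tunnel endpoints: "4.tcp.eu.ngrok.io" or "4.tcp.ngrok.io".
NGROK_TCP_RE = re.compile(r"^\d+\.tcp(?:\.[a-z]{2})?\.ngrok\.io$", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_self_delete_chains(events):
    """Return (sample_pid, cmd_pid, timeout_pid) for every chain of the form
    <non-cmd parent> -> cmd.exe running a %TEMP% .bat -> timeout.exe."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)

    hits = []
    for cmd in events:
        if basename(cmd["image"]) != "cmd.exe":
            continue
        if not TEMP_BAT_RE.search(cmd["cmdline"]):
            continue
        parent = by_pid.get(cmd["ppid"])
        # Require a real, non-cmd parent so nested shells do not self-match.
        if parent is None or basename(parent["image"]) == "cmd.exe":
            continue
        for child in children[cmd["pid"]]:
            if basename(child["image"]) == "timeout.exe":
                hits.append((parent["pid"], cmd["pid"], child["pid"]))
    return hits


def find_ngrok_tcp_c2(events):
    """Return (pid, host, port) for connections to ngrok TCP tunnel hosts."""
    return [(e["pid"], e["dst_host"], e["dst_port"])
            for e in events if NGROK_TCP_RE.match(e["dst_host"])]


if __name__ == "__main__":
    for sample, cmd, tmo in find_self_delete_chains(PROCESS_EVENTS):
        print(f"self-delete chain: {sample} -> cmd.exe {cmd} -> timeout.exe {tmo}")
    for pid, host, port in find_ngrok_tcp_c2(NETWORK_EVENTS):
        print(f"ngrok TCP tunnel C2: pid {pid} -> {host}:{port}")
```

The chain check keys on the parent relationship rather than on the .bat name, since the tmpXXXX.tmp.bat name is random per run; the ngrok check is a hostname match, so it catches the tunnel regardless of the port chosen.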
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 156B
MD5: 5d61a11b0df06c6b5e8ed119ba77b254
SHA1: 071e2c463e2972d7c3c42852a398f68f6feb0320
SHA256: 434ab45d109ab814da51d8eda6aba555e684334b3fb12387977a58c26bc60ddf
SHA512: 8fdfd96d1eed1a2f83b7818cbc8250b5bc8941707615d256d0901b54da21e4963f0232f1fe4a340c92c48622e85c4e1c557f96a7de6f77fd1c8ca0009ff7228c