Analysis

  • max time kernel
    127s
  • max time network
    137s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    02/10/2024, 13:47

General

  • Target

    Bootstrapper.exe

  • Size

    1013KB

  • MD5

    210507ba9a960b68093849ca1a606fed

  • SHA1

    ec3966d9c975e408bdea6db0775ad39c8e2d081e

  • SHA256

    8b35e12a2d6b440fb45dbf5adeef1d889abafee43e344fba9024dc530c39a68d

  • SHA512

    9cc92ab8beb846ccd3ac7b21cad039d8f8895d41469db909344729ae518c71cd9b3ed6014bf9d41efa69e877b94c53cca46016472fe1b3c7b025cd7e006aeb49

  • SSDEEP

    24576:tbFvHB0o0BEFrHBSXyCw8bAHjAqTil/NkiH3uZJ:dFJ0DEPrDAquL3s

Score
10/10

Malware Config

Extracted

Family

xworm

Version

3.1

C2

vehicle-wed.gl.at.ply.gg:2355

Mutex

BB4UoRnpJNUmBuip

Attributes
  • install_file

    USB.exe

aes.plain

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
    "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2404
    • C:\Users\Admin\AppData\Roaming\Bootstrapper.exe
      "C:\Users\Admin\AppData\Roaming\Bootstrapper.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2784
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 2784 -s 968
        3⤵
        • Loads dropped DLL
        PID:2588
    • C:\Users\Admin\AppData\Roaming\Windows Defender.exe
      "C:\Users\Admin\AppData\Roaming\Windows Defender.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2692

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Bootstrapper.exe

    Filesize

    972KB

    MD5

    90fd25ced85fe6db28d21ae7d1f02e2c

    SHA1

    e27eff4cd4d383f5c564cce2bd1aaa2ffe4ec056

    SHA256

    97572bd57b08b59744e4dfe6f93fb96be4002dfe1aa78683771725401776464f

    SHA512

    1c775cf8dfde037eaa98eb14088c70d74923f0f6a83030a71f2f4c1a4453f6154dab7a4aa175e429860badda3e5e0ae226f3c3e8171332f5962bf36f8aa073fa

  • C:\Users\Admin\AppData\Roaming\Windows Defender.exe

    Filesize

    30KB

    MD5

    eee376e8b052bca377e96ba01f3fbfdc

    SHA1

    23fd19d3c2b71a524bd20b981d00ce338ea23d92

    SHA256

    20d73ae92bcc492f15c65ddf64a7cbfb4f35b4fab527477238647cb6a4b20b15

    SHA512

    01788d7ef4c9aa10413691c3f247b0e505c5041426c6e9d9d943d3b52748d0d8b3b65d709998677a194357b476027f5f8c277681482afdbb81a90c2af970252c

  • memory/2404-0-0x000007FEF5473000-0x000007FEF5474000-memory.dmp

    Filesize

    4KB

  • memory/2404-1-0x0000000000A60000-0x0000000000B64000-memory.dmp

    Filesize

    1.0MB

  • memory/2692-12-0x00000000010C0000-0x00000000010CE000-memory.dmp

    Filesize

    56KB

  • memory/2692-15-0x000007FEF5470000-0x000007FEF5E5C000-memory.dmp

    Filesize

    9.9MB

  • memory/2692-21-0x000007FEF5470000-0x000007FEF5E5C000-memory.dmp

    Filesize

    9.9MB

  • memory/2692-22-0x000007FEF5470000-0x000007FEF5E5C000-memory.dmp

    Filesize

    9.9MB

  • memory/2784-14-0x00000000000F0000-0x00000000001EA000-memory.dmp

    Filesize

    1000KB