Analysis
- max time kernel: 99s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03/10/2024, 01:41

Static task: static1

Behavioral task: behavioral1
- Sample: 81839d52f85aa59a48e43f297ddd2017afa31e93f65f3c1d9baae9a0b23deec4.exe
- Resource: win7-20240903-en
General
- Target: 81839d52f85aa59a48e43f297ddd2017afa31e93f65f3c1d9baae9a0b23deec4.exe
- Size: 9.6MB
- MD5: dbbc877901e2a5a8c73c77b28a699960
- SHA1: c4ac39e195c4c76110958801ef482ac5d1af8941
- SHA256: 81839d52f85aa59a48e43f297ddd2017afa31e93f65f3c1d9baae9a0b23deec4
- SHA512: 9fa8359322eaec930786ea003540cf1bbcb7bf11205a5c5b9ef8d55a8cc8ad2c2c6289a010aa8f172443e3895b6c81b290d9145c7557335b8f7c180638bb08da
- SSDEEP: 196608:K7kTvcGFwgJHb9fi4OEcGyYf/be2MAtMJjTPFrh+IRHi6b:K7O0GS079fHckf/a1AyJXX5iE
Malware Config

Extracted family: xworm
- C2: 178.215.236.225:7000
- Install_directory: %AppData%
- install_file: TaskSchedular.exe
Signatures

- Detect Xworm Payload (2 IoCs)
  resource | yara_rule
  behavioral2/files/0x00070000000233e7-33.dat | family_xworm
  behavioral2/memory/3632-42-0x0000000000430000-0x000000000044A000-memory.dmp | family_xworm

- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | 81839d52f85aa59a48e43f297ddd2017afa31e93f65f3c1d9baae9a0b23deec4.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | Phantom Ware.exe

- Drops startup file (2 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TaskSchedular.lnk | UD-Drop.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TaskSchedular.lnk | UD-Drop.exe

- Executes dropped EXE (2 IoCs)
  pid | Process
  1860 | Phantom Ware.exe
  3632 | UD-Drop.exe

- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  5 | ip-api.com

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | Phantom Ware.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | Phantom Ware.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | Phantom Ware.exe

- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid | Process
  3632 | UD-Drop.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 3632 | UD-Drop.exe
  Token: SeDebugPrivilege | 3632 | UD-Drop.exe

- Suspicious use of SetWindowsHookEx (1 IoCs)
  pid | Process
  3632 | UD-Drop.exe

- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 3972 wrote to memory of 1860 | 3972 | 81839d52f85aa59a48e43f297ddd2017afa31e93f65f3c1d9baae9a0b23deec4.exe | 83
  PID 3972 wrote to memory of 1860 | 3972 | 81839d52f85aa59a48e43f297ddd2017afa31e93f65f3c1d9baae9a0b23deec4.exe | 83
  PID 3972 wrote to memory of 3632 | 3972 | 81839d52f85aa59a48e43f297ddd2017afa31e93f65f3c1d9baae9a0b23deec4.exe | 84
  PID 3972 wrote to memory of 3632 | 3972 | 81839d52f85aa59a48e43f297ddd2017afa31e93f65f3c1d9baae9a0b23deec4.exe | 84
Processes

- Level 1: "C:\Users\Admin\AppData\Local\Temp\81839d52f85aa59a48e43f297ddd2017afa31e93f65f3c1d9baae9a0b23deec4.exe" (PID: 3972)
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  - Level 2: "C:\Users\Admin\AppData\Local\Temp\Phantom Ware.exe" (PID: 1860)
    - Checks computer location settings
    - Executes dropped EXE
    - Enumerates system info in registry

  - Level 2: "C:\Users\Admin\AppData\Roaming\UD-Drop.exe" (PID: 3632)
    - Drops startup file
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 2.1MB
  MD5: b429ae86c5be521bc8ca3b164cec3acb
  SHA1: 387560073ff5a1f2191abc6f75fc34532bbb6dd2
  SHA256: 3ac70532408b89159bfe235d4ed228faa03ae3fbd63ec6a82d895f287a3b0579
  SHA512: eae65de53da50708983ed8ebf9e1e3dd5f9aea95a354d272e199bb59517f62bfe35f0df7a37d81ab0423d0d6d29304fa70284c731bd54023e446b2c19bacafb1

- Filesize: 2KB
  MD5: ec527d9989f4c77edc6d310b7479df90
  SHA1: b5b9ecf1400a9418a887bd4b0eba79c3830b3e7f
  SHA256: aca9918e509cf4d3e926fd17ffbda23e6d6fe9d90cf2dfd2df8438a7e51dca4b
  SHA512: 8e0318daeeae18e22224e67594a5afa0ac556b17e58b91cbf5be2d614db732177ceba74c74731c9fe25949cc69d0eb711f908b9b808a434945a3aa541a1b78d0

- Filesize: 21KB
  MD5: 3d493a7df15f464b78063ef251166e75
  SHA1: c6154f595850f412d5aed8aea2c15b5c43007f91
  SHA256: f8d466af61ebd7bb99c408b87f68f968e8758a2725a13eb11a8355cca3966553
  SHA512: f3765220c6ecae34d89c446d447000f44b3760bdd6559322bc845c2fed07b6ecec672a4e728449ca73788b730bde229ece2e64426762a081c1a1f1ba0751149e

- Filesize: 135KB
  MD5: cb6d53d6568d8f4953ca2a8b4fe83171
  SHA1: 6b2ff21b333d0052a7ecb22c562fbd15a890595b
  SHA256: 921766a7852fcb4d43af5e488c93fd75c8f9e7d74d09f8f671d17b9e496800c9
  SHA512: c8060d7b1a76f1203113b22c5bc4b43266bfc0784a44094e145e9d316c00df6b22c22e313ade83ced699f787e1a977ab407ce79187efbd6598d3cf8ca0d2c107

- Filesize: 458B
  MD5: 07b9a30265ca4e69c7016a1b6e3ffc27
  SHA1: 3a4af82a2695b1423aedd8b60a5c86793c011b02
  SHA256: c71152bf25e40d647b2440c5b39be157a3d356106be9d5b678ab97bb87b4e782
  SHA512: efd582f8edcdba5ef48d02eee5f73d83ff35071af99b49e08e0213928568d728d0856e3b903bfcccb9237f786846cf94da83139f99e9bee86287aff2071c3f1c

- Filesize: 75KB
  MD5: a375378e75272307aa57d60daf52a685
  SHA1: 3349d6fc564e63aefca143b0600172b22f758b6f
  SHA256: 8406be2985a8776e6ee84157e3951ab93c329a53bdceb2c8d21ad82081d3f7ca
  SHA512: b70d32375c556583c9349aa2dfbfe762ea7bbe9f6e0b7c2e3f516c1e3415bbabf2b0102c3802c18dd3bab2d0307c57d64d8be87394554a2e8b8d6b2997dd2ed0