Analysis

  • max time kernel
    99s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03/10/2024, 01:41

General

  • Target

    81839d52f85aa59a48e43f297ddd2017afa31e93f65f3c1d9baae9a0b23deec4.exe

  • Size

    9.6MB

  • MD5

    dbbc877901e2a5a8c73c77b28a699960

  • SHA1

    c4ac39e195c4c76110958801ef482ac5d1af8941

  • SHA256

    81839d52f85aa59a48e43f297ddd2017afa31e93f65f3c1d9baae9a0b23deec4

  • SHA512

    9fa8359322eaec930786ea003540cf1bbcb7bf11205a5c5b9ef8d55a8cc8ad2c2c6289a010aa8f172443e3895b6c81b290d9145c7557335b8f7c180638bb08da

  • SSDEEP

    196608:K7kTvcGFwgJHb9fi4OEcGyYf/be2MAtMJjTPFrh+IRHi6b:K7O0GS079fHckf/a1AyJXX5iE

Score
10/10

Malware Config

Extracted

Family

xworm

C2

178.215.236.225:7000

Attributes
  • Install_directory

    %AppData%

  • install_file

    TaskSchedular.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\81839d52f85aa59a48e43f297ddd2017afa31e93f65f3c1d9baae9a0b23deec4.exe
    "C:\Users\Admin\AppData\Local\Temp\81839d52f85aa59a48e43f297ddd2017afa31e93f65f3c1d9baae9a0b23deec4.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3972
    • C:\Users\Admin\AppData\Local\Temp\Phantom Ware.exe
      "C:\Users\Admin\AppData\Local\Temp\Phantom Ware.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Enumerates system info in registry
      PID:1860
    • C:\Users\Admin\AppData\Roaming\UD-Drop.exe
      "C:\Users\Admin\AppData\Roaming\UD-Drop.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:3632

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Guna.UI2.dll

    Filesize

    2.1MB

    MD5

    b429ae86c5be521bc8ca3b164cec3acb

    SHA1

    387560073ff5a1f2191abc6f75fc34532bbb6dd2

    SHA256

    3ac70532408b89159bfe235d4ed228faa03ae3fbd63ec6a82d895f287a3b0579

    SHA512

    eae65de53da50708983ed8ebf9e1e3dd5f9aea95a354d272e199bb59517f62bfe35f0df7a37d81ab0423d0d6d29304fa70284c731bd54023e446b2c19bacafb1

  • C:\Users\Admin\AppData\Local\Temp\Phantom Ware.deps.json

    Filesize

    2KB

    MD5

    ec527d9989f4c77edc6d310b7479df90

    SHA1

    b5b9ecf1400a9418a887bd4b0eba79c3830b3e7f

    SHA256

    aca9918e509cf4d3e926fd17ffbda23e6d6fe9d90cf2dfd2df8438a7e51dca4b

    SHA512

    8e0318daeeae18e22224e67594a5afa0ac556b17e58b91cbf5be2d614db732177ceba74c74731c9fe25949cc69d0eb711f908b9b808a434945a3aa541a1b78d0

  • C:\Users\Admin\AppData\Local\Temp\Phantom Ware.dll

    Filesize

    21KB

    MD5

    3d493a7df15f464b78063ef251166e75

    SHA1

    c6154f595850f412d5aed8aea2c15b5c43007f91

    SHA256

    f8d466af61ebd7bb99c408b87f68f968e8758a2725a13eb11a8355cca3966553

    SHA512

    f3765220c6ecae34d89c446d447000f44b3760bdd6559322bc845c2fed07b6ecec672a4e728449ca73788b730bde229ece2e64426762a081c1a1f1ba0751149e

  • C:\Users\Admin\AppData\Local\Temp\Phantom Ware.exe

    Filesize

    135KB

    MD5

    cb6d53d6568d8f4953ca2a8b4fe83171

    SHA1

    6b2ff21b333d0052a7ecb22c562fbd15a890595b

    SHA256

    921766a7852fcb4d43af5e488c93fd75c8f9e7d74d09f8f671d17b9e496800c9

    SHA512

    c8060d7b1a76f1203113b22c5bc4b43266bfc0784a44094e145e9d316c00df6b22c22e313ade83ced699f787e1a977ab407ce79187efbd6598d3cf8ca0d2c107

  • C:\Users\Admin\AppData\Local\Temp\Phantom Ware.runtimeconfig.json

    Filesize

    458B

    MD5

    07b9a30265ca4e69c7016a1b6e3ffc27

    SHA1

    3a4af82a2695b1423aedd8b60a5c86793c011b02

    SHA256

    c71152bf25e40d647b2440c5b39be157a3d356106be9d5b678ab97bb87b4e782

    SHA512

    efd582f8edcdba5ef48d02eee5f73d83ff35071af99b49e08e0213928568d728d0856e3b903bfcccb9237f786846cf94da83139f99e9bee86287aff2071c3f1c

  • C:\Users\Admin\AppData\Roaming\UD-Drop.exe

    Filesize

    75KB

    MD5

    a375378e75272307aa57d60daf52a685

    SHA1

    3349d6fc564e63aefca143b0600172b22f758b6f

    SHA256

    8406be2985a8776e6ee84157e3951ab93c329a53bdceb2c8d21ad82081d3f7ca

    SHA512

    b70d32375c556583c9349aa2dfbfe762ea7bbe9f6e0b7c2e3f516c1e3415bbabf2b0102c3802c18dd3bab2d0307c57d64d8be87394554a2e8b8d6b2997dd2ed0

  • memory/3632-42-0x0000000000430000-0x000000000044A000-memory.dmp

    Filesize

    104KB

  • memory/3632-41-0x00007FFD06660000-0x00007FFD07121000-memory.dmp

    Filesize

    10.8MB

  • memory/3632-44-0x00007FFD06660000-0x00007FFD07121000-memory.dmp

    Filesize

    10.8MB

  • memory/3632-46-0x00007FFD06660000-0x00007FFD07121000-memory.dmp

    Filesize

    10.8MB

  • memory/3972-0-0x00007FFD06663000-0x00007FFD06665000-memory.dmp

    Filesize

    8KB

  • memory/3972-6-0x00007FFD06660000-0x00007FFD07121000-memory.dmp

    Filesize

    10.8MB

  • memory/3972-1-0x00000000001D0000-0x0000000000B76000-memory.dmp

    Filesize

    9.6MB

  • memory/3972-45-0x00007FFD06660000-0x00007FFD07121000-memory.dmp

    Filesize

    10.8MB