Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

Danger-Mul...ain.py

windows7-x64

3

Danger-Mul...ain.py

windows10-2004-x64

3

Danger-Mul...11.exe

windows7-x64

7

Danger-Mul...11.exe

windows10-2004-x64

8

Danger-Mul...px.exe

windows7-x64

10

Danger-Mul...px.exe

windows10-2004-x64

10

Danger-Mul...rt.bat

windows7-x64

10

Danger-Mul...rt.bat

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    05/10/2024, 11:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Danger-MultiTool-main/start.bat

  • Size

    121B

  • MD5

    c7bda38ca7b6acff98cfce8e087ece33

  • SHA1

    d2d7b7c6757870ef3a7ff3a40678e74176a4676e

  • SHA256

    8caedbf5a91ed11823eb4d35ac84720e692246a17db1dd70e42d1565540d5842

  • SHA512

    7732f4fb081f71bb0a8545a033ddfc35ec6901aec49735926718466d7155f623c482a83871fc3cb9c18fae17c9ce3ee008ea4effb74cce33b7034b8ad0ad0b7a

Score
10/10
xwormdiscoverypersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

45.83.246.140:30120

Attributes
  • Install_directory

    %AppData%

  • install_file

    runtime.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\Danger-MultiTool-main\start.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2180
    • C:\Windows\system32\mode.com
      mode con: cols=100 lines=30
      2⤵
        PID:2812
      • C:\Users\Admin\AppData\Local\Temp\Danger-MultiTool-main\src\utils\upx.exe
        src/utils/upx.exe
        2⤵
        • Drops startup file
        • Adds Run key to start application
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2820
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Danger-MultiTool-main\src\main.py
        2⤵
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2696
        • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
          "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Danger-MultiTool-main\src\main.py"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          PID:2288

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
      Filesize

      3KB

      MD5

      7143b0dd74c59fe37f177f60a453fb93

      SHA1

      1ccdf2b40af1ad65961f48ee5c8208d1a7c32b54

      SHA256

      8a1e55492be6829bbfb6f8a719ea2668c9f2c41d6ffd2b474de147b8f774fe5c

      SHA512

      4c2eb7244a823090487a975a4c056785a91086d8cf875d47c5681ba9aabc1c084874e850b7598ef28d0dbd5e2922572df4acc8857be47e024e2d371ec698f70f

      Download Submit

    • memory/2820-21-0x000007FEF5E43000-0x000007FEF5E44000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2820-22-0x0000000000D70000-0x0000000000D88000-memory.dmp

      Filesize

      96KB

      Download

    • memory/2820-27-0x000007FEF5E43000-0x000007FEF5E44000-memory.dmp

      Filesize

      4KB

      Download