Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

mygame.exe

windows10-2004-x64

10

mygame.exe

windows7-x64

10

mygame.exe

windows10-2004-x64

10

mygame.exe

windows10-ltsc 2021-x64

10

mygame.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    103s
  • max time network
    148s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    04/11/2024, 16:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    mygame.exe

  • Size

    137KB

  • MD5

    1a925fce50787a5028b73dd32e0c7dce

  • SHA1

    7205d5c3d7efbc5805eb0b343a1bc83903e7589c

  • SHA256

    00956e3a55867b348d29da5f04cf6fb51e85872389ce6dc5f4015a958c575fb3

  • SHA512

    ceec3fa381bbcb32fb520b876fac67defc2712fcf7dcbf4a69d50a227c8f81f1cbb3aac03fc0f2ac007105b9b378c5a1c405ec2b326bf284795c0ae0e85d93a8

  • SSDEEP

    3072:6fjh7Fv9fjOwiBz65/M6If+3Js+3JFkKeTno:8hJv9AxBt25

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

147.185.221.23:48450

Mutex

2YsFPOHVMLfmF9px

Attributes
  • Install_directory

    %AppData%

  • install_file

    Update.exe

aes.plain

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\mygame.exe
    "C:\Users\Admin\AppData\Local\Temp\mygame.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:5420
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\mygame.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2840
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'mygame.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5728
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Update.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5196
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Update.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1168
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Update" /tr "C:\Users\Admin\AppData\Roaming\Update.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:224
  • C:\Users\Admin\AppData\Roaming\Update.exe
    C:\Users\Admin\AppData\Roaming\Update.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4088
  • C:\Users\Admin\AppData\Roaming\Update.exe
    C:\Users\Admin\AppData\Roaming\Update.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1360

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Update.exe.log
    Filesize

    654B

    MD5

    2cbbb74b7da1f720b48ed31085cbd5b8

    SHA1

    79caa9a3ea8abe1b9c4326c3633da64a5f724964

    SHA256

    e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

    SHA512

    ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    437395ef86850fbff98c12dff89eb621

    SHA1

    9cec41e230fa9839de1e5c42b7dbc8b31df0d69c

    SHA256

    9c39f3e1ee674a289926fddddfc5549740c488686ec6513f53848a225c192ba6

    SHA512

    bc669893f5c97e80a62fc3d15383ed7c62ffc86bc986401735903019bb96a5f13e4d0f6356baa2021267503a4eb62681e58e28fcff435350e83aa425fa76cd64

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    25fdee90fce7b0b96dc2ee97ec66834a

    SHA1

    c32a6f1e3b1033bec69a5a41de255c98944dcdc9

    SHA256

    c433a9b0345ba06be0b2acc2fcb9d689f81837ada86b6fee2fb2b4b838d1ea6c

    SHA512

    b76230cb1cee4dc3e434bc49b239525f4ea51f449b0587b828a8888c6ff54d26c5cd16219934dbe44d4f84057d8e77bbc458d71e55b10d79ef8d0eda74e7399d

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    f47ee9835b7806c44999fcf9f345c0aa

    SHA1

    03e7f6444ef22eaa9f2dd14f6b89d33eb9010ce2

    SHA256

    23a225663c76a644db77f72e289bbf18d3da0b307f772e6d9f563080e7afeb33

    SHA512

    04b327e0acf76a5b36af4457b28105d2a9d644871eb4588177d9a620f1e450e233e2869998283b18151ff490e6939715e13bd793c6a1021b79bc3f67bbe326c0

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    cef328ddb1ee8916e7a658919323edd8

    SHA1

    a676234d426917535e174f85eabe4ef8b88256a5

    SHA256

    a1b5b7ada8ebc910f20f91ada3991d3321104e9da598c958b1edac9f9aca0e90

    SHA512

    747400c20ca5b5fd1b54bc24e75e6a78f15af61df263be932d2ee7b2f34731c2de8ce03b2706954fb098c1ac36f0b761cf37e418738fa91f2a8ea78572f545cb

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ay3ok0u3.ois.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Update.exe
    Filesize

    137KB

    MD5

    1a925fce50787a5028b73dd32e0c7dce

    SHA1

    7205d5c3d7efbc5805eb0b343a1bc83903e7589c

    SHA256

    00956e3a55867b348d29da5f04cf6fb51e85872389ce6dc5f4015a958c575fb3

    SHA512

    ceec3fa381bbcb32fb520b876fac67defc2712fcf7dcbf4a69d50a227c8f81f1cbb3aac03fc0f2ac007105b9b378c5a1c405ec2b326bf284795c0ae0e85d93a8

    Download Submit

  • memory/2840-11-0x00007FF994250000-0x00007FF994D12000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2840-15-0x00007FF994250000-0x00007FF994D12000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2840-18-0x00007FF994250000-0x00007FF994D12000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2840-14-0x00007FF994250000-0x00007FF994D12000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2840-13-0x00007FF994250000-0x00007FF994D12000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2840-12-0x00007FF994250000-0x00007FF994D12000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2840-10-0x0000012145CB0000-0x0000012145CD2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/5420-0-0x00007FF994253000-0x00007FF994255000-memory.dmp

    Filesize

    8KB

    Download

  • memory/5420-54-0x00007FF994250000-0x00007FF994D12000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/5420-55-0x00007FF994253000-0x00007FF994255000-memory.dmp

    Filesize

    8KB

    Download

  • memory/5420-56-0x00007FF994250000-0x00007FF994D12000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/5420-1-0x0000000000E30000-0x0000000000E58000-memory.dmp

    Filesize

    160KB

    Download