Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
147s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
05/11/2024, 03:11
General
-
Target
c njfrDAJ.exe
-
Size
140KB
-
MD5
445e516f9ca9d204baa359ee36edc8e0
-
SHA1
f5a3267afbc73c16620bcc3b332fadd8104d60bf
-
SHA256
c96a0fddccd367dbc5422cd5e2036a3f987eccd1cf62a00f5a7b243a74ebcf22
-
SHA512
e315de1fe895123950d88d7e4e9f0f57b3317abf3ebd09f8aa2916f105529b6f9b6ea834c8a318b9a7c565171c08580d5f727c3d043cc797f80f74f5ff141810
-
SSDEEP
768:Gmcgc7ptu0Nqf4v6hCuuJf27ZZfFWPG9/06OOwh2SjGbn621sIwEk4w00wM:hc7tu0EgwCuuJfKFv9/06OOw4SC+EA
Malware Config
Extracted
xworm
5.0
147.185.221.22:29307
videos-gsm.gl.at.ply.gg:29307
akkHSUfQR3bLHwnR
-
Install_directory
%Temp%
-
install_file
USB.exe
Signatures
-
Detect Xworm Payload 3 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies Internet Explorer settings 1 TTPs 38 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 5 IoCs
-
Suspicious use of WriteProcessMemory 31 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\c njfrDAJ.exe"C:\Users\Admin\AppData\Local\Temp\c njfrDAJ.exe"1⤵
- Drops startup file
- Adds Run key to start application
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\c njfrDAJ.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'c njfrDAJ.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ShibaGTV16'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ShibaGTV16'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "ShibaGTV16" /tr "C:\Users\Admin\AppData\Local\Temp\ShibaGTV16"2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\How To Decrypt My Files.html2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:892 CREDAT:275457 /prefetch:23⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {54B5EABF-F716-4D36-9FE5-0F6D840B897C} S-1-5-21-3551809350-4263495960-1443967649-1000:NNYJZAHP\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ShibaGTV16C:\Users\Admin\AppData\Local\Temp\ShibaGTV162⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\ShibaGTV16C:\Users\Admin\AppData\Local\Temp\ShibaGTV162⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\ShibaGTV16C:\Users\Admin\AppData\Local\Temp\ShibaGTV162⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
342B
MD5d0808d2b8d5d5dbaace497c23dfbeffa
SHA13757221dc8f33ee09e2c9b575bf1b67bd5e7b9fe
SHA256400dbb98378e28ffe3dbfbcb8b6cba43bec10cd8b5e700cfbefd9f84af53f2c4
SHA512ebef077b1c73636fc5dbf299fc00ff96f35a2c63068cae7578d511dd8897d2a07bc821db26a1c996dbf29d3a9666de02fad36902032ea1c7fc49fa5e14a3bab5
-
Filesize
342B
MD5c1200889a7e4f5ad545e37560f37fbe1
SHA1600d2275b5724e12edea7b61e258619acfde6f66
SHA2565d698b2d8561b772f82ea096db27b1ff607ce0bfd52bab48dd64b706b2b02e1a
SHA512777422cf3aba11fe14a03f6f0c435584161a0dd78788aacc228764b661b095fb9248188963f32f697ebeffd65f90d0fd5755b1d375990563718d56d36d033ada
-
Filesize
342B
MD5d1743c47c7f1de13cc5719f774f4361c
SHA19441bb2ebbcd0b2ca1c0a0258f770546e6a92258
SHA25617bf9b546a34fc196dd2854dfd20f07253763509032ec492d9b19d70306235a5
SHA512656648b8555231d65ee305c3747496e5160c25c33728bf9e4614de333538ea33ecf391e2603736bb34063a34e98fca35dadd1f5e9c38e2cfc9425724afd353c1
-
Filesize
342B
MD5c61ccf3527f87c8ab65bd3ccb9f080fe
SHA19bec6191c2deeb3c118678abb2336cd0657c42fd
SHA2562bf3bb5339e70d5e8560afa6b8294fba866c7631c4109c6beb888b44f81024e0
SHA512749814b5316a10749297687d9158fc489016d4684341039d3f83b7651fc2e66ecf8172bab17915b88a1f0c87534d17c1f8ef7db52efb7d2d10a7c5164c2b06f2
-
Filesize
342B
MD5acee664006fd0461cd392ee2eabeaa86
SHA1e52f660e281ed6c493451d97aa8408981bc43d4c
SHA2567f8dc1fa50b8764a8a1e302f2ce27923d50fd599ea04f21940b9ee6323cd2ddf
SHA512ddbcb2ecb715cc657cf2e6e3ef74761d9d1176b10170202153e358b2f3073422effe4a42a7f9e4f018ab455b82b7d90295b139f862014a81dfc3a020fda6c253
-
Filesize
342B
MD53dc9d186b9c49a9bc7920d7818ed2f89
SHA12c2cc57d37749f3485ff5cbb4ac4ae57bbd3b0c2
SHA256d79147b19cc84daf1dca85ae4c34bc79c721a56ef6770ff251342c67345dd36e
SHA51254793b42bd6979f6f9c0912ce6a483890fd1067548d9607e8a669e29aee502eeb098fb5a693250e37cb65bb0deb479e72a4adb8c5dad8f50e2721ca9362e0989
-
Filesize
342B
MD54013a65468ed00a8a0344ed692df5c47
SHA1459e295c3af79fe9134e40e636e0905a861368e2
SHA2562df31bfca3a3a01f1ec1bdcd35ccb85a2f25823bb58a7201e30e73a116adf558
SHA512c4e0dbd60b8cd5f1f554dc4c5bf8752fdaa396d574219ecd3e80fbf046b398d5b81e64936b2e3d272ee32cfa879a6ee95b449a5fe01720cf1ee5f27abe351651
-
Filesize
342B
MD53dc8bd728fe3f539c3ca7232250f15f5
SHA19f6674a655359dd30288d5282675d31ddd2f7f10
SHA25670fe74751a23bfe0429543877e518b5c922ffbfc72b4c0afea4a5c00bdf5c9e6
SHA5125563f4fee1885bb983f682fd51664c2930e55bd26f153f6ed76aaf9cc2bb411a5d4a46de65c5acfbd091201668a83ed1f1ac95b1ac6ab2d1ab4e5fd5466e1066
-
Filesize
342B
MD505d2b6d77867176980736031cb05dbdc
SHA1332a176335b9c91072f8e827496026da5441372c
SHA2567c810ebb5ce72f97d2a39d4b3d89ac89fd870677b3b473689811dae505d7347f
SHA512a7825a0579fd79e7ebccacf2dbe4db085d78027b514e17e533766a060fac22796f651dbd31139572f8cb5fc5c7543f1c7042f3c789c6728b8038bf1bee1d2d51
-
Filesize
342B
MD51c4cc3df8adc5f30e7c456a33cc6e6a6
SHA16a6f2b8673ffff2f0a6ba404b03788f4c87131aa
SHA256ca870a4280f0d31dd49708da1fa8f5536a987cf80057d7154dbed9a26de4742a
SHA51209146ea3692f1a051a18da272ff9636d7ce239ab242d546b9eecb13c73f69566d547ec8324ebe737d42d54c79b81e55056cf95f9bf1af8e6bc8d13cd8d33e0cc
-
Filesize
342B
MD5ce7e21d2fe40453a2b553a6cfa7980a2
SHA15eb7f5d8ee1d904763ddc7d628166aa7f010d9fc
SHA2569e0859b15b0a02aee4307564722fe067ad950128921bd35ea379330f1501fcf3
SHA51266de753e5a91e57d612b9f476a0d85acea738fbca913d6103b2dbb651d7cde2425bd28c72cc0b3fd89f0b131a15023d6532700d27673fe254039ad70dfbc5034
-
Filesize
342B
MD5f656ad57a177c864673dbc3d5d836b58
SHA107b84e558ef9058b62c2110711d95259de6482da
SHA2566aefed12bd2dc8f58c4dac31972b536e7ff7458dd11421d22108bbfc1cb350a1
SHA512f35f59d34519ecb4c42c08da6e7b07a0f28b6f4296566b66c866b71275543f46719cf31f886fba6b86f13b8c05115d318f88497cccd8cc4b153007421b982acf
-
Filesize
342B
MD521f66ee1a02895822dcd9386d6c5ec9e
SHA1577aed7224c2dd21221fe4a3cb32a8a76b810a29
SHA256b6043a5f49e397862ba3eec53238888dd9a07b62d5a1c69af19482305ec94a6f
SHA5120b06dfdddb3acf8374905faeefed1cdf85a854df808e7b81c4f553621e1163a58f56b51c2def9aac63303adaca8c6bf5c52efbd8e5dc9470e4b2b00dee43b81d
-
Filesize
342B
MD5033134841e1e02e0ed4a8e0470bf9693
SHA18f691105b1b65b1a06e2b047bddb5e64298ac0e3
SHA256c24468a1fd9291b2ce158e3f96d4f2542eaf74bdccd70a2a8e65bad83dcc8391
SHA512436a613b989bcfded9b67edde86eabd4661c7e2d47899a8eefa0efabc4937af565430dfd67e9013831e88d98bffa281e9d4a463b0faa4f0133b1bb89e423777b
-
Filesize
342B
MD52a0699863ab5f7154a5918c1116afe3e
SHA15fffbef0bce43053a89e6ae14c6da92186e0c162
SHA2569bb7e940ba02e61978488a94b9589fd9fe42606d0c42a975848fc10f52238b84
SHA5125cd0ae0188032ad09869a1481117a0dbb563085d963ec50f44f028be10cf55a2959439f7754d8811f89b324455120f029e54c53d19592d6f9dc152b4244d37cb
-
Filesize
342B
MD59a590a88c342f94935474df13a5557ad
SHA19d56b189b6069a5ca72754bb3d1a9e7d36df2b04
SHA2569bdc7e32e8b0d0d414ef9df59f9e4914c21c669f59df27e552164d27ed0e9b41
SHA5128783df40af444c6db6ff33250a91d43d7a41fc68f9752bc546383496f962db172d8444a1b184aae2e0ad2670e3364781ee867ccb93ce4a55d042250ed6c9bccc
-
Filesize
342B
MD52fb8d5a755e1f59246c4dcc768b190c5
SHA1cc54a7aec52aaf1f0f9de09ee9b972c0118de2f3
SHA2563b9ea5ce9699d6e5592d99d40ea1d7943139d99ddf210687e74b0a632065138a
SHA512f1c5dd11bab1a357d5bb8a492b0eb9c333b6527059e9554b2d9efca7cb2ae44c8d0045915934f81f57daeba1b9dea8e036401bed89cb1d5e8a5fa78a65b952d1
-
Filesize
342B
MD56b3748e0b734ed3f3846fbd0437ef5c0
SHA144d3432f56e251e758f97a9a07c22ff1ef08f613
SHA2569f93864303a3447428c549f32e3c542463ac43104ffb3d6534789a5081444aaa
SHA51264d7337f0bd780a121375e776ff80ee22e62397b91848cf92aaffb7bbd3c1799a271fec3e5e84f76e77115e4833a250730ede8e657110054fd0243fbd74a9111
-
Filesize
342B
MD5dfe6ad1f25ae6637a851cbc0c4b0d473
SHA12af4138dfbce3554192f846a435bc268bccc366f
SHA256cfcb03c747fba4f1a2b33bf3791623db4a84e6ca659fcfd1b4a67fb02ebe42dc
SHA51247e7c85bae9ac5c1dcaa55c50184cdf416f22dab2a4e2e6e98b1023f297fc7e831d4f7bdf860a99caaf07fc0b5f1b6ee824e118a599e0895d40e1e3ca2908b67
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
140KB
MD5445e516f9ca9d204baa359ee36edc8e0
SHA1f5a3267afbc73c16620bcc3b332fadd8104d60bf
SHA256c96a0fddccd367dbc5422cd5e2036a3f987eccd1cf62a00f5a7b243a74ebcf22
SHA512e315de1fe895123950d88d7e4e9f0f57b3317abf3ebd09f8aa2916f105529b6f9b6ea834c8a318b9a7c565171c08580d5f727c3d043cc797f80f74f5ff141810
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
7KB
MD529d41a25d53f5ee8ad302e8caf0036f3
SHA1ba21ae755ce1d5420c3f821c7f1923dd2081d698
SHA2567ab9eed5c4c303b3d86207aaf192263374cbdd7efb1a4a5e96f3f8287d51411b
SHA512ef4ebe7b58ca2af27d70039523b13085c2275e54a7940a73e6e03babed9d0eaa25616de09c175dea84eccac8e665c787738733740cdf39478c193c00cd3299cc
-
Filesize
639B
MD5d2dbbc3383add4cbd9ba8e1e35872552
SHA1020abbc821b2fe22c4b2a89d413d382e48770b6f
SHA2565ca82cbc4d582a4a425ae328ad12fd198095e2854f4f87b27a4b09e91173a3be
SHA512bb5e1bbf28c10c077644136b98d8d02bfec3b3e49c0829b4d4570b30e0aea0276eb748f749a491587a5e70141a7653be1d03c463a22e44efecde2e5a6c6e5e66
-
Filesize
16KB
MD5fe5071307bbad918bf894303c927a1d2
SHA198d4f2e2bd2fa5ecff77e04ba12b040849b97e07
SHA2569611930f0db7936356489ff435229d7dafb5b64541f93a2c1e5e068bf32ceb2b
SHA512f6b39bc3bae326f68f35065447ad19af21e6d19810d389f0b608fa5a7dfd5710f19aca13f826e96197a8f65c79fe989d8ed41e059d3eb78255947d3d519ee56b
-
Filesize
16B
MD5d5c75a7d2cf4360668a33a441270d729
SHA174ac64a322c850641e7fb786ab8ac1f67ce08c88
SHA256433514db18c955c65e66330a2a4488b7e876d78488c1f59cecd8fc35ce6abb49
SHA51201e3628ec48fe004698827ee4a695213269d163e9f72f7a44b7bd0db0d79f428ada7c7c840d6b5a72058a8466d12ceed20a21b57939e1d470eac8474c1940bd7
-
Filesize
512KB
-
Filesize
4KB
-
Filesize
512KB
-
Filesize
48KB
-
Filesize
4KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
32KB
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
2.9MB
-
Filesize
512KB