Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-ltsc 2021_x64
- resource: win10ltsc2021-20241023-en
- resource tags: arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
- submitted: 05/11/2024, 03:11
Behavioral tasks
- behavioral1: sample c njfrDAJ.exe, resource win7-20240708-en
- behavioral2: sample c njfrDAJ.exe, resource win10v2004-20241007-en
- behavioral3: sample c njfrDAJ.exe, resource win10ltsc2021-20241023-en
- behavioral4: sample c njfrDAJ.exe, resource win11-20241007-en
General
- Target: c njfrDAJ.exe
- Size: 140KB
- MD5: 445e516f9ca9d204baa359ee36edc8e0
- SHA1: f5a3267afbc73c16620bcc3b332fadd8104d60bf
- SHA256: c96a0fddccd367dbc5422cd5e2036a3f987eccd1cf62a00f5a7b243a74ebcf22
- SHA512: e315de1fe895123950d88d7e4e9f0f57b3317abf3ebd09f8aa2916f105529b6f9b6ea834c8a318b9a7c565171c08580d5f727c3d043cc797f80f74f5ff141810
- SSDEEP: 768:Gmcgc7ptu0Nqf4v6hCuuJf27ZZfFWPG9/06OOwh2SjGbn621sIwEk4w00wM:hc7tu0EgwCuuJfKFv9/06OOw4SC+EA
Malware Config
Extracted
- Family: xworm
- Version: 5.0
- C2: 147.185.221.22:29307
- C2: videos-gsm.gl.at.ply.gg:29307
- akkHSUfQR3bLHwnR
- Install_directory: %Temp%
- install_file: USB.exe
Signatures
- Detect Xworm Payload (2 IoCs)
  resource: behavioral3/memory/4364-1-0x0000000000230000-0x0000000000258000-memory.dmp, yara_rule: family_xworm
  resource: behavioral3/files/0x002c000000045106-60.dat, yara_rule: family_xworm
- Xworm family
- Command and Scripting Interpreter: PowerShell (1 TTPs, 4 IoCs)
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid/process: 5000 powershell.exe, 1164 powershell.exe, 5032 powershell.exe, 1644 powershell.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\Control Panel\International\Geo\Nation (process: c njfrDAJ.exe)
- Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ShibaGTV16.lnk (process: c njfrDAJ.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ShibaGTV16.lnk (process: c njfrDAJ.exe)
- Executes dropped EXE (3 IoCs)
  pid/process: 880 ShibaGTV16, 2092 ShibaGTV16, 1520 ShibaGTV16
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShibaGTV16 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ShibaGTV16" (process: c njfrDAJ.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid/process: 4940 schtasks.exe
- Suspicious behavior: EnumeratesProcesses (9 IoCs)
  pid/process: 5032 powershell.exe, 5032 powershell.exe, 1644 powershell.exe, 1644 powershell.exe, 5000 powershell.exe, 5000 powershell.exe, 1164 powershell.exe, 1164 powershell.exe, 4364 c njfrDAJ.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs; tokens listed per pid/process)
  4364 c njfrDAJ.exe: SeDebugPrivilege
  5032 powershell.exe: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  1644 powershell.exe: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  5000 powershell.exe: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33
- Suspicious use of SetWindowsHookEx (1 IoCs)
  pid/process: 4364 c njfrDAJ.exe
- Suspicious use of WriteProcessMemory (10 IoCs; description, pid, process, procid_target)
  PID 4364 wrote to memory of 5032, 4364, c njfrDAJ.exe, 85
  PID 4364 wrote to memory of 5032, 4364, c njfrDAJ.exe, 85
  PID 4364 wrote to memory of 1644, 4364, c njfrDAJ.exe, 90
  PID 4364 wrote to memory of 1644, 4364, c njfrDAJ.exe, 90
  PID 4364 wrote to memory of 5000, 4364, c njfrDAJ.exe, 92
  PID 4364 wrote to memory of 5000, 4364, c njfrDAJ.exe, 92
  PID 4364 wrote to memory of 1164, 4364, c njfrDAJ.exe, 94
  PID 4364 wrote to memory of 1164, 4364, c njfrDAJ.exe, 94
  PID 4364 wrote to memory of 4940, 4364, c njfrDAJ.exe, 97
  PID 4364 wrote to memory of 4940, 4364, c njfrDAJ.exe, 97
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\c njfrDAJ.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\c njfrDAJ.exe"
  PID: 4364
  signatures: Checks computer location settings; Drops startup file; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\c njfrDAJ.exe'
    PID: 5032
    signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'c njfrDAJ.exe'
    PID: 1644
    signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ShibaGTV16'
    PID: 5000
    signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ShibaGTV16'
    PID: 1164
    signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses
  - C:\Windows\System32\schtasks.exe
    command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "ShibaGTV16" /tr "C:\Users\Admin\AppData\Local\Temp\ShibaGTV16"
    PID: 4940
    signatures: Scheduled Task/Job: Scheduled Task
- C:\Users\Admin\AppData\Local\Temp\ShibaGTV16
  command line: "C:\Users\Admin\AppData\Local\Temp\ShibaGTV16"
  PID: 880
  signatures: Executes dropped EXE
- C:\Users\Admin\AppData\Local\Temp\ShibaGTV16
  command line: "C:\Users\Admin\AppData\Local\Temp\ShibaGTV16"
  PID: 2092
  signatures: Executes dropped EXE
- C:\Users\Admin\AppData\Local\Temp\ShibaGTV16
  command line: "C:\Users\Admin\AppData\Local\Temp\ShibaGTV16"
  PID: 1520
  signatures: Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Downloads
- Filesize: 654B
  MD5: 11c6e74f0561678d2cf7fc075a6cc00c
  SHA1: 535ee79ba978554abcb98c566235805e7ea18490
  SHA256: d39a78fabca39532fcb85ce908781a75132e1bd01cc50a3b290dd87127837d63
  SHA512: 32c63d67bf512b42e7f57f71287b354200126cb417ef9d869c72e0b9388a7c2f5e3b61f303f1353baa1bf482d0f17e06e23c9f50b2f1babd4d958b6da19c40b0
- Filesize: 3KB
  MD5: 3eb3833f769dd890afc295b977eab4b4
  SHA1: e857649b037939602c72ad003e5d3698695f436f
  SHA256: c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485
  SHA512: c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72
- Filesize: 1KB
  MD5: c67441dfa09f61bca500bb43407c56b8
  SHA1: 5a56cf7cbeb48c109e2128c31b681fac3959157b
  SHA256: 63082da456c124d0bc516d2161d1613db5f3008d903e4066d2c7b4e90b435f33
  SHA512: 325de8b718b3a01df05e20e028c5882240e5fd2e96c771361b776312923ff178f27494a1f5249bf6d7365a99155eb8735a51366e85597008e6a10462e63ee0e8
- Filesize: 1KB
  MD5: 54734eb92ecd55261ca51bcc4e61aaa1
  SHA1: 5727e74d66bef0525a0e3c22de3e20210b98848c
  SHA256: 010859ddbcf7fc284ca21694f2377f5a5e9cd278085eaea9c06bf985b711d953
  SHA512: 7bf9d603a28bbd051ce5d8fd0b39ecf094ee2a0e2cfcc7cc806364de4807781f42e9b8bef1106d2840f8b363684b034273ad8bd7a04f5dcf3b00d4de825dc0fd
- Filesize: 1KB
  MD5: 97c2358487296b93078d9bb570e6cd70
  SHA1: d3f2cdfc9dc76faf4d7c058ed2e4ef3c57350d36
  SHA256: ced4c1fda75605496381f9b7db7f4ad52cba3b932d4cc0f1f8a5c4c3c57c3896
  SHA512: 5ae1e63bb8c92ddf6272387259c269bb705839bea378dff2a27ebd6d45f66edcdcfe4094202578d9f2339a939082451dd1fab29af5348673d13ddd312aa35ac1
- Filesize: 140KB
  MD5: 445e516f9ca9d204baa359ee36edc8e0
  SHA1: f5a3267afbc73c16620bcc3b332fadd8104d60bf
  SHA256: c96a0fddccd367dbc5422cd5e2036a3f987eccd1cf62a00f5a7b243a74ebcf22
  SHA512: e315de1fe895123950d88d7e4e9f0f57b3317abf3ebd09f8aa2916f105529b6f9b6ea834c8a318b9a7c565171c08580d5f727c3d043cc797f80f74f5ff141810
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82