Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    05/11/2024, 03:11

General

  • Target

    c njfrDAJ.exe

  • Size

    140KB

  • MD5

    445e516f9ca9d204baa359ee36edc8e0

  • SHA1

    f5a3267afbc73c16620bcc3b332fadd8104d60bf

  • SHA256

    c96a0fddccd367dbc5422cd5e2036a3f987eccd1cf62a00f5a7b243a74ebcf22

  • SHA512

    e315de1fe895123950d88d7e4e9f0f57b3317abf3ebd09f8aa2916f105529b6f9b6ea834c8a318b9a7c565171c08580d5f727c3d043cc797f80f74f5ff141810

  • SSDEEP

    768:Gmcgc7ptu0Nqf4v6hCuuJf27ZZfFWPG9/06OOwh2SjGbn621sIwEk4w00wM:hc7tu0EgwCuuJfKFv9/06OOw4SC+EA

Malware Config

Extracted

Family

xworm

Version

5.0

C2

147.185.221.22:29307

videos-gsm.gl.at.ply.gg:29307

Mutex

akkHSUfQR3bLHwnR

Attributes
  • Install_directory

    %Temp%

  • install_file

    USB.exe

aes.plain

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\c njfrDAJ.exe
    "C:\Users\Admin\AppData\Local\Temp\c njfrDAJ.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4364
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\c njfrDAJ.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5032
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'c njfrDAJ.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1644
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ShibaGTV16'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5000
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ShibaGTV16'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:1164
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "ShibaGTV16" /tr "C:\Users\Admin\AppData\Local\Temp\ShibaGTV16"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:4940
  • C:\Users\Admin\AppData\Local\Temp\ShibaGTV16
    "C:\Users\Admin\AppData\Local\Temp\ShibaGTV16"
    1⤵
    • Executes dropped EXE
    PID:880
  • C:\Users\Admin\AppData\Local\Temp\ShibaGTV16
    "C:\Users\Admin\AppData\Local\Temp\ShibaGTV16"
    1⤵
    • Executes dropped EXE
    PID:2092
  • C:\Users\Admin\AppData\Local\Temp\ShibaGTV16
    "C:\Users\Admin\AppData\Local\Temp\ShibaGTV16"
    1⤵
    • Executes dropped EXE
    PID:1520

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ShibaGTV16.log

    Filesize

    654B

    MD5

    11c6e74f0561678d2cf7fc075a6cc00c

    SHA1

    535ee79ba978554abcb98c566235805e7ea18490

    SHA256

    d39a78fabca39532fcb85ce908781a75132e1bd01cc50a3b290dd87127837d63

    SHA512

    32c63d67bf512b42e7f57f71287b354200126cb417ef9d869c72e0b9388a7c2f5e3b61f303f1353baa1bf482d0f17e06e23c9f50b2f1babd4d958b6da19c40b0

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

    Filesize

    3KB

    MD5

    3eb3833f769dd890afc295b977eab4b4

    SHA1

    e857649b037939602c72ad003e5d3698695f436f

    SHA256

    c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

    SHA512

    c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    c67441dfa09f61bca500bb43407c56b8

    SHA1

    5a56cf7cbeb48c109e2128c31b681fac3959157b

    SHA256

    63082da456c124d0bc516d2161d1613db5f3008d903e4066d2c7b4e90b435f33

    SHA512

    325de8b718b3a01df05e20e028c5882240e5fd2e96c771361b776312923ff178f27494a1f5249bf6d7365a99155eb8735a51366e85597008e6a10462e63ee0e8

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    54734eb92ecd55261ca51bcc4e61aaa1

    SHA1

    5727e74d66bef0525a0e3c22de3e20210b98848c

    SHA256

    010859ddbcf7fc284ca21694f2377f5a5e9cd278085eaea9c06bf985b711d953

    SHA512

    7bf9d603a28bbd051ce5d8fd0b39ecf094ee2a0e2cfcc7cc806364de4807781f42e9b8bef1106d2840f8b363684b034273ad8bd7a04f5dcf3b00d4de825dc0fd

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    97c2358487296b93078d9bb570e6cd70

    SHA1

    d3f2cdfc9dc76faf4d7c058ed2e4ef3c57350d36

    SHA256

    ced4c1fda75605496381f9b7db7f4ad52cba3b932d4cc0f1f8a5c4c3c57c3896

    SHA512

    5ae1e63bb8c92ddf6272387259c269bb705839bea378dff2a27ebd6d45f66edcdcfe4094202578d9f2339a939082451dd1fab29af5348673d13ddd312aa35ac1

  • C:\Users\Admin\AppData\Local\Temp\ShibaGTV16

    Filesize

    140KB

    MD5

    445e516f9ca9d204baa359ee36edc8e0

    SHA1

    f5a3267afbc73c16620bcc3b332fadd8104d60bf

    SHA256

    c96a0fddccd367dbc5422cd5e2036a3f987eccd1cf62a00f5a7b243a74ebcf22

    SHA512

    e315de1fe895123950d88d7e4e9f0f57b3317abf3ebd09f8aa2916f105529b6f9b6ea834c8a318b9a7c565171c08580d5f727c3d043cc797f80f74f5ff141810

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ke055h23.fjt.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • memory/4364-1-0x0000000000230000-0x0000000000258000-memory.dmp

    Filesize

    160KB

  • memory/4364-0-0x00007FFCAB873000-0x00007FFCAB875000-memory.dmp

    Filesize

    8KB

  • memory/4364-59-0x00007FFCAB870000-0x00007FFCAC332000-memory.dmp

    Filesize

    10.8MB

  • memory/4364-58-0x00007FFCAB873000-0x00007FFCAB875000-memory.dmp

    Filesize

    8KB

  • memory/4364-57-0x00007FFCAB870000-0x00007FFCAC332000-memory.dmp

    Filesize

    10.8MB

  • memory/5032-12-0x00007FFCAB870000-0x00007FFCAC332000-memory.dmp

    Filesize

    10.8MB

  • memory/5032-19-0x00007FFCAB870000-0x00007FFCAC332000-memory.dmp

    Filesize

    10.8MB

  • memory/5032-16-0x00007FFCAB870000-0x00007FFCAC332000-memory.dmp

    Filesize

    10.8MB

  • memory/5032-15-0x00007FFCAB870000-0x00007FFCAC332000-memory.dmp

    Filesize

    10.8MB

  • memory/5032-14-0x00007FFCAB870000-0x00007FFCAC332000-memory.dmp

    Filesize

    10.8MB

  • memory/5032-13-0x00007FFCAB870000-0x00007FFCAC332000-memory.dmp

    Filesize

    10.8MB

  • memory/5032-11-0x0000024B7D230000-0x0000024B7D252000-memory.dmp

    Filesize

    136KB