Analysis
- max time kernel: 131s
- max time network: 143s
- platform: windows11-21h2_x64
- resource: win11-20241007-en
- resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 05/11/2024, 03:11
Behavioral tasks
- behavioral1: Sample c njfrDAJ.exe, Resource win7-20240708-en
- behavioral2: Sample c njfrDAJ.exe, Resource win10v2004-20241007-en
- behavioral3: Sample c njfrDAJ.exe, Resource win10ltsc2021-20241023-en
- behavioral4: Sample c njfrDAJ.exe, Resource win11-20241007-en
Errors
General
- Target: c njfrDAJ.exe
- Size: 140KB
- MD5: 445e516f9ca9d204baa359ee36edc8e0
- SHA1: f5a3267afbc73c16620bcc3b332fadd8104d60bf
- SHA256: c96a0fddccd367dbc5422cd5e2036a3f987eccd1cf62a00f5a7b243a74ebcf22
- SHA512: e315de1fe895123950d88d7e4e9f0f57b3317abf3ebd09f8aa2916f105529b6f9b6ea834c8a318b9a7c565171c08580d5f727c3d043cc797f80f74f5ff141810
- SSDEEP: 768:Gmcgc7ptu0Nqf4v6hCuuJf27ZZfFWPG9/06OOwh2SjGbn621sIwEk4w00wM:hc7tu0EgwCuuJfKFv9/06OOw4SC+EA
Malware Config
Extracted
- Family: xworm
- Version: 5.0
- C2: 147.185.221.22:29307
- C2: videos-gsm.gl.at.ply.gg:29307
- akkHSUfQR3bLHwnR
- Install_directory: %Temp%
- install_file: USB.exe
Signatures
- Contains code to disable Windows Defender (1 IoC)
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
  resource / yara_rule:
  - behavioral4/memory/5420-63-0x000000001B890000-0x000000001B89E000-memory.dmp / disable_win_def
- Detect Xworm Payload (2 IoCs)
  resource / yara_rule:
  - behavioral4/memory/5420-1-0x0000000000670000-0x0000000000698000-memory.dmp / family_xworm
  - behavioral4/files/0x004d00000002aaa3-56.dat / family_xworm
- Xworm family
- Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)
  Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid / Process:
  - 2444 / powershell.exe
  - 4900 / powershell.exe
  - 5192 / powershell.exe
  - 1168 / powershell.exe
- Drops startup file (2 IoCs)
  description / ioc / Process:
  - File created / C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ShibaGTV16.lnk / c njfrDAJ.exe
  - File opened for modification / C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ShibaGTV16.lnk / c njfrDAJ.exe
- Executes dropped EXE (2 IoCs)
  pid / Process:
  - 2300 / ShibaGTV16
  - 3068 / ShibaGTV16
- Adds Run key to start application (2 TTPs, 1 IoC)
  description / ioc / Process:
  - Set value (str) / \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShibaGTV16 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ShibaGTV16" / c njfrDAJ.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid / Process:
  - 224 / schtasks.exe
- Suspicious behavior: EnumeratesProcesses (26 IoCs)
  pid / Process:
  - 2444 / powershell.exe (2 entries)
  - 4900 / powershell.exe (2 entries)
  - 5192 / powershell.exe (2 entries)
  - 1168 / powershell.exe (2 entries)
  - 5420 / c njfrDAJ.exe (18 entries)
- Suspicious use of AdjustPrivilegeToken (9 IoCs)
  description / pid / Process:
  - Token: SeDebugPrivilege / 5420 / c njfrDAJ.exe
  - Token: SeDebugPrivilege / 2444 / powershell.exe
  - Token: SeDebugPrivilege / 4900 / powershell.exe
  - Token: SeDebugPrivilege / 5192 / powershell.exe
  - Token: SeDebugPrivilege / 1168 / powershell.exe
  - Token: SeDebugPrivilege / 5420 / c njfrDAJ.exe
  - Token: SeDebugPrivilege / 2300 / ShibaGTV16
  - Token: SeDebugPrivilege / 3068 / ShibaGTV16
  - Token: SeShutdownPrivilege / 5420 / c njfrDAJ.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid / Process:
  - 5420 / c njfrDAJ.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  description / pid / Process / procid_target:
  - PID 5420 wrote to memory of 2444 / 5420 / c njfrDAJ.exe / 77
  - PID 5420 wrote to memory of 2444 / 5420 / c njfrDAJ.exe / 77
  - PID 5420 wrote to memory of 4900 / 5420 / c njfrDAJ.exe / 79
  - PID 5420 wrote to memory of 4900 / 5420 / c njfrDAJ.exe / 79
  - PID 5420 wrote to memory of 5192 / 5420 / c njfrDAJ.exe / 81
  - PID 5420 wrote to memory of 5192 / 5420 / c njfrDAJ.exe / 81
  - PID 5420 wrote to memory of 1168 / 5420 / c njfrDAJ.exe / 83
  - PID 5420 wrote to memory of 1168 / 5420 / c njfrDAJ.exe / 83
  - PID 5420 wrote to memory of 224 / 5420 / c njfrDAJ.exe / 85
  - PID 5420 wrote to memory of 224 / 5420 / c njfrDAJ.exe / 85
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\c njfrDAJ.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c njfrDAJ.exe"
  PID: 5420
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\c njfrDAJ.exe'
    PID: 2444
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'c njfrDAJ.exe'
    PID: 4900
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ShibaGTV16'
    PID: 5192
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ShibaGTV16'
    PID: 1168
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "ShibaGTV16" /tr "C:\Users\Admin\AppData\Local\Temp\ShibaGTV16"
    PID: 224
    - Scheduled Task/Job: Scheduled Task
- C:\Users\Admin\AppData\Local\Temp\ShibaGTV16
  Command line: C:\Users\Admin\AppData\Local\Temp\ShibaGTV16
  PID: 2300
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Local\Temp\ShibaGTV16
  Command line: C:\Users\Admin\AppData\Local\Temp\ShibaGTV16
  PID: 3068
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Downloads
- Filesize: 654B
  MD5: 2cbbb74b7da1f720b48ed31085cbd5b8
  SHA1: 79caa9a3ea8abe1b9c4326c3633da64a5f724964
  SHA256: e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3
  SHA512: ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9
- Filesize: 2KB
  MD5: 627073ee3ca9676911bee35548eff2b8
  SHA1: 4c4b68c65e2cab9864b51167d710aa29ebdcff2e
  SHA256: 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
  SHA512: 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb
- Filesize: 944B
  MD5: 2e8eb51096d6f6781456fef7df731d97
  SHA1: ec2aaf851a618fb43c3d040a13a71997c25bda43
  SHA256: 96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864
  SHA512: 0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2
- Filesize: 944B
  MD5: 781da0576417bf414dc558e5a315e2be
  SHA1: 215451c1e370be595f1c389f587efeaa93108b4c
  SHA256: 41a5aef8b0bbeea2766f40a7bba2c78322379f167c610f7055ccb69e7db030fe
  SHA512: 24e283aa30a2903ebe154dad49b26067a45e46fec57549ad080d3b9ec3f272044efaaed3822d067837f5521262192f466c47195ffe7f75f8c7c5dcf3159ea737
- Filesize: 944B
  MD5: 050567a067ffea4eb40fe2eefebdc1ee
  SHA1: 6e1fb2c7a7976e0724c532449e97722787a00fec
  SHA256: 3952d5b543e5cb0cb84014f4ad9f5f1b7166f592d28640cbc3d914d0e6f41d2e
  SHA512: 341ad71ef7e850b10e229666312e4bca87a0ed9fe25ba4b0ab65661d5a0efa855db0592153106da07134d8fc2c6c0e44709bf38183c9a574a1fa543189971259
- Filesize: 140KB
  MD5: 445e516f9ca9d204baa359ee36edc8e0
  SHA1: f5a3267afbc73c16620bcc3b332fadd8104d60bf
  SHA256: c96a0fddccd367dbc5422cd5e2036a3f987eccd1cf62a00f5a7b243a74ebcf22
  SHA512: e315de1fe895123950d88d7e4e9f0f57b3317abf3ebd09f8aa2916f105529b6f9b6ea834c8a318b9a7c565171c08580d5f727c3d043cc797f80f74f5ff141810
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82