Analysis
  max time kernel: 150s
  max time network: 138s
  platform: windows7_x64
  resource: win7-20241010-en
  resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  submitted: 05/11/2024, 08:27
Behavioral task behavioral1
  Sample: 4027dbb9777d42ebd7737bd906747b091139debe7f2f11b094ed1c13758971e7.exe
  Resource: win7-20241010-en
Behavioral task behavioral2
  Sample: 4027dbb9777d42ebd7737bd906747b091139debe7f2f11b094ed1c13758971e7.exe
  Resource: win10v2004-20241007-en
General
  Target: 4027dbb9777d42ebd7737bd906747b091139debe7f2f11b094ed1c13758971e7.exe
  Size: 35KB
  MD5: 144f398d59c44e3c5a5ed28b8ba1918a
  SHA1: 9adc52e3f04aa4f92cb288a02968526806b23ac8
  SHA256: 4027dbb9777d42ebd7737bd906747b091139debe7f2f11b094ed1c13758971e7
  SHA512: 8f883b6235a956200396553a6338d9619fed8811d93993578b38175df050502840199894065d5b6df770b364a99ce6139dbe9c938aa91bc69470eea57b26fa00
  SSDEEP: 768:jDMfF7zLKYs2Byj5MuddqLi9Fk9wFO/hY/22N:jkF7HKYs/1hd9Fk9wFO/Ku2N
Malware Config
Extracted
  Family: xworm
  Version: 5.0
  C2: nomorelife1.ddns.net:999
  Key: RQyA6qFjTisp9KB8
  Install_directory: %AppData%
  install_file: System.exe
Signatures

Detect Xworm Payload (4 IoCs)
  resource                                                                    yara_rule
  behavioral1/memory/2492-1-0x0000000000AE0000-0x0000000000AF0000-memory.dmp  family_xworm
  behavioral1/files/0x000c000000012262-10.dat                                 family_xworm
  behavioral1/memory/2424-12-0x00000000009D0000-0x00000000009E0000-memory.dmp family_xworm
  behavioral1/memory/1964-15-0x0000000000EF0000-0x0000000000F00000-memory.dmp family_xworm

Xworm family

Drops startup file (2 IoCs)
  description                   ioc                                                                                    process
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk  4027dbb9777d42ebd7737bd906747b091139debe7f2f11b094ed1c13758971e7.exe
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk  4027dbb9777d42ebd7737bd906747b091139debe7f2f11b094ed1c13758971e7.exe

Executes dropped EXE (2 IoCs)
  pid   process
  2424  System.exe
  1964  System.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description      ioc                                                                                                                                                                     process
  Set value (str)  \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Users\\Admin\\AppData\\Roaming\\System.exe"  4027dbb9777d42ebd7737bd906747b091139debe7f2f11b094ed1c13758971e7.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   process
  2180  schtasks.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description              pid   process
  Token: SeDebugPrivilege  2492  4027dbb9777d42ebd7737bd906747b091139debe7f2f11b094ed1c13758971e7.exe
  Token: SeDebugPrivilege  2424  System.exe
  Token: SeDebugPrivilege  1964  System.exe

Suspicious use of WriteProcessMemory (9 IoCs; each row below is logged three times in the report)
  description                       pid   process                                                               procid_target
  PID 2492 wrote to memory of 2180  2492  4027dbb9777d42ebd7737bd906747b091139debe7f2f11b094ed1c13758971e7.exe  30
  PID 2940 wrote to memory of 2424  2940  taskeng.exe                                                           33
  PID 2940 wrote to memory of 1964  2940  taskeng.exe                                                           34

Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\4027dbb9777d42ebd7737bd906747b091139debe7f2f11b094ed1c13758971e7.exe (PID 2492)
  command line: "C:\Users\Admin\AppData\Local\Temp\4027dbb9777d42ebd7737bd906747b091139debe7f2f11b094ed1c13758971e7.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  └ C:\Windows\System32\schtasks.exe (PID 2180)
      command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System" /tr "C:\Users\Admin\AppData\Roaming\System.exe"
      - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\taskeng.exe (PID 2940)
  command line: taskeng.exe {8BA9DD77-2D1C-4A6C-B369-95E6A34824F4} S-1-5-21-3692679935-4019334568-335155002-1000:BCXRJFKE\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  └ C:\Users\Admin\AppData\Roaming\System.exe (PID 2424)
      command line: C:\Users\Admin\AppData\Roaming\System.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
  └ C:\Users\Admin\AppData\Roaming\System.exe (PID 1964)
      command line: C:\Users\Admin\AppData\Roaming\System.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
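The process tree shows the whole persistence chain in one place: the dropper creates a scheduled task named "System" that re-launches %AppData%\Roaming\System.exe every minute at the highest run level, writes a Run value for the same path, and drops a Startup-folder .lnk, after which taskeng.exe spawns the copy twice. The script below is an added example, not code from tria.ge or from the sample: it runs three checks over constructed Sysmon-style events modelled on the IoCs above and correlates the hits by the PID that created them. The event field names, the benign "Backup" control task and the list of user-writable directories are assumptions.

```python
import shlex
from dataclasses import dataclass

# Constructed Sysmon-style events modelled on the IoCs in the report above
# (assumed field names; not real telemetry exported from the sandbox).
PAYLOAD = r"C:\Users\Admin\AppData\Roaming\System.exe"
EVENTS = [
    {"type": "process", "pid": 2180, "ppid": 2492,
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST '
                r'/sc minute /mo 1 /tn "System" /tr "' + PAYLOAD + '"'},
    {"type": "registry", "pid": 2492,
     "key": r"HKU\S-1-5-21-3692679935-4019334568-335155002-1000"
            r"\Software\Microsoft\Windows\CurrentVersion\Run\System",
     "value": PAYLOAD},
    {"type": "file", "pid": 2492,
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
             r"\Start Menu\Programs\Startup\System.lnk"},
    # Assumed benign control: a daily task whose binary sits in Program Files.
    {"type": "process", "pid": 4242, "ppid": 1,
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /create /sc daily '
                r'/tn "Backup" /tr "C:\Program Files\Backup\backup.exe"'},
]

# Directories an unprivileged user can write to (assumed list). A persistence
# target living here is the strongest single signal in this report.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


@dataclass
class Finding:
    pid: int          # process that established the persistence
    technique: str    # ATT&CK technique
    target: str       # what will be executed
    reasons: list


def is_user_writable(path):
    return any(d in path.lower() for d in USER_WRITABLE)


def parse_schtasks(cmdline):
    """Map schtasks switches to values (True for bare switches such as /f).
    posix=False keeps Windows backslashes and quoted paths intact."""
    tokens = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    opts, i = {}, 1                       # skip argv[0]
    while i < len(tokens):
        if tokens[i].startswith("/"):
            name = tokens[i][1:].lower()
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                opts[name] = tokens[i + 1]
                i += 2
                continue
            opts[name] = True
        i += 1
    return opts


def check_schtasks(ev):
    opts = parse_schtasks(ev["cmdline"])
    if "create" not in opts:
        return None

    def opt(k):                           # tolerate bare switches
        return str(opts.get(k, ""))
    target, reasons = opt("tr"), []
    if is_user_writable(target):
        reasons.append("task binary lives in a user-writable directory")
    if opt("sc").lower() == "minute" and opt("mo").isdigit() and int(opt("mo")) <= 5:
        reasons.append("re-launched every %s minute(s): a watchdog" % opt("mo"))
    if opt("rl").upper() == "HIGHEST":
        reasons.append("/RL HIGHEST requested")
    if opts.get("f") is True:
        reasons.append("/f silently overwrites an existing task of that name")
    if not reasons:
        return None
    # schtasks.exe itself is a legitimate LOLBin; the parent is the actor.
    return Finding(ev["ppid"], "T1053.005 Scheduled Task", target, reasons)


def check_run_key(ev):
    if "\\currentversion\\run" not in ev["key"].lower():
        return None
    if not is_user_writable(ev["value"]):
        return None
    return Finding(ev["pid"], "T1547.001 Registry Run Key", ev["value"],
                   ["Run value points into a user-writable directory"])


def check_startup_file(ev):
    if "\\start menu\\programs\\startup\\" not in ev["path"].lower():
        return None
    return Finding(ev["pid"], "T1547.001 Startup Folder", ev["path"],
                   ["file written to the per-user Startup folder"])


CHECKS = {"registry": check_run_key, "file": check_startup_file}


def analyze(events):
    """Group persistence findings by the PID that created them."""
    by_pid = {}
    for ev in events:
        if ev["type"] == "process":
            if not ev["image"].lower().endswith("\\schtasks.exe"):
                continue
            finding = check_schtasks(ev)
        else:
            finding = CHECKS.get(ev["type"], lambda _: None)(ev)
        if finding:
            by_pid.setdefault(finding.pid, []).append(finding)
    return by_pid


def layered_persistence(by_pid):
    """PIDs that used more than one distinct technique, as this sample did."""
    return sorted(pid for pid, fs in by_pid.items()
                  if len({f.technique for f in fs}) > 1)


if __name__ == "__main__":
    result = analyze(EVENTS)
    for pid, findings in result.items():
        print(f"PID {pid}:")
        for f in findings:
            print(f"  {f.technique} -> {f.target}")
            for r in f.reasons:
                print(f"      {r}")
    print("layered persistence:", layered_persistence(result))
```

Two points the example is built around: the task and Run value are judged by the path they execute, not by the name "System.exe", because the name is chosen to blend in while the location (%AppData%\Roaming) is what a standard user can write to; and the schtasks hit is attributed to the parent PID, since schtasks.exe is a legitimate tool and the dropper is the process that matters for triage and for the WriteProcessMemory/SeDebugPrivilege events listed above. Note that /RL HIGHEST grants only the highest integrity the creating user already holds; in this run that user is "Admin", so the task does not by itself cross a privilege boundary.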
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (T1547): 1
    Registry Run Keys / Startup Folder (T1547.001): 1
  Scheduled Task/Job (T1053): 1
    Scheduled Task (T1053.005): 1