Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 146s
max time network: 147s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 06/11/2024, 07:25
Behavioral task behavioral1
Sample: 0x0007000000016d42-20.exe
Resource: win7-20240903-en
Behavioral task behavioral2
Sample: 0x0007000000016d42-20.exe
Resource: win10v2004-20241007-en
General
Target: 0x0007000000016d42-20.exe
Size: 75KB
MD5: 8d6e86e6e799c75bd5123534bdbf411b
SHA1: 9fc526e97077ed2a5e78371fdab5ab7ecf789368
SHA256: 7892c9f14967696e15b99b3eac66d65643357c9a4315f5e8210c8437c6617888
SHA512: 8cd6e706c3f36d7cb1d6eed3717fd3e96863b6fcf4ee3425f7b08823b8dc364a1de215b578310a3d1fddd98f9eb648ddeafd85d8a2feed399d46fba7dba09265
SSDEEP: 1536:2Z6tgBI11qoEgGBfCDYsN+bT0IrgLSUtmf6/rhtOs4eJ9SYUh:2Z1I11qoGBgYA+bgIEOe9htOs4eJjO
Malware Config
Extracted
Family: xworm
C2: 45.145.41.178:1111
Install_directory: %AppData%
install_file: Windows Defender Notification.exe
Signatures
Detect Xworm Payload (1 IoC)
resource: behavioral1/memory/2252-1-0x00000000008A0000-0x00000000008BA000-memory.dmp
yara_rule: family_xworm
Xworm family
Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes. This sample adds path and process exclusions only (see the command lines in the process tree below); no extension exclusions are set.
pid   Process
2788  powershell.exe
2840  powershell.exe
2912  powershell.exe
2020  powershell.exe
Drops startup file (2 IoCs)
description                   ioc                                                                                                              Process
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Defender Notification.lnk   0x0007000000016d42-20.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Defender Notification.lnk   0x0007000000016d42-20.exe
Adds Run key to start application (2 TTPs, 1 IoC)
description      ioc                                                                                                                                                                                                      Process
Set value (str)  \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender Notification = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Defender Notification.exe"  0x0007000000016d42-20.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
2728  schtasks.exe
Suspicious behavior: EnumeratesProcesses (5 IoCs)
pid   Process
2020  powershell.exe
2788  powershell.exe
2840  powershell.exe
2912  powershell.exe
2252  0x0007000000016d42-20.exe
Suspicious use of AdjustPrivilegeToken (6 IoCs)
description              pid   Process
Token: SeDebugPrivilege  2252  0x0007000000016d42-20.exe
Token: SeDebugPrivilege  2020  powershell.exe
Token: SeDebugPrivilege  2788  powershell.exe
Token: SeDebugPrivilege  2840  powershell.exe
Token: SeDebugPrivilege  2912  powershell.exe
Token: SeDebugPrivilege  2252  0x0007000000016d42-20.exe
Suspicious use of SetWindowsHookEx (1 IoC)
pid   Process
2252  0x0007000000016d42-20.exe
Suspicious use of WriteProcessMemory (15 IoCs; each write below is logged three times)
description                       pid   Process                    procid_target
PID 2252 wrote to memory of 2020  2252  0x0007000000016d42-20.exe  30
PID 2252 wrote to memory of 2788  2252  0x0007000000016d42-20.exe  32
PID 2252 wrote to memory of 2840  2252  0x0007000000016d42-20.exe  34
PID 2252 wrote to memory of 2912  2252  0x0007000000016d42-20.exe  37
PID 2252 wrote to memory of 2728  2252  0x0007000000016d42-20.exe  39
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
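The three persistence mechanisms above (Startup-folder .lnk, HKCU Run value, and a scheduled task re-launching the payload every minute with RunLevel Highest) are what a responder needs to check for on other hosts. The following hunt script is an added example written for this page; it is not part of the Triage report or the sample. It assumes it is run elevated from PowerShell 5.1 or later so that every loaded user hive under HKEY_USERS and every scheduled task is readable, and it uses the task name, paths and Run value name taken from the signatures above. Hits are reported, not removed.

```powershell
# Added example (not from the Triage report): hunt a Windows host for the
# persistence artifacts this XWorm sample created. Run as Administrator.
$TaskName = 'Windows Defender Notification'   # from the schtasks command line
$Findings = @()

# 1. Run keys. The sample wrote HKU\<SID>\Software\...\CurrentVersion\Run, i.e.
#    the HKCU hive of the logged-on user. Check every loaded user hive, not just
#    the account running this script; skip the *_Classes hives.
$userHives = Get-ChildItem Registry::HKEY_USERS |
    Where-Object { $_.PSChildName -match '^S-1-5-21-' -and $_.PSChildName -notmatch '_Classes$' }
foreach ($hive in $userHives) {
    $runKey = "Registry::$($hive.Name)\Software\Microsoft\Windows\CurrentVersion\Run"
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if (-not $run) { continue }
    foreach ($p in ($run.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' })) {
        # Anything launched from AppData\Roaming or AppData\Local\Temp is worth a look,
        # whatever the value is called; the sample's value name is also matched directly.
        if ($p.Name -eq $TaskName -or $p.Value -match '\\AppData\\(Roaming|Local\\Temp)\\') {
            $Findings += [pscustomobject]@{
                Type = 'RunKey'; Where = "$($hive.Name)\...\Run\$($p.Name)"; Value = $p.Value
            }
        }
    }
}

# 2. Startup-folder shortcuts. Resolve each .lnk target via the WScript.Shell COM
#    object rather than trusting the file name ("Windows Defender Notification.lnk"
#    is chosen to look benign).
$wsh = New-Object -ComObject WScript.Shell
$startupGlob = 'C:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.lnk'
Get-ChildItem $startupGlob -ErrorAction SilentlyContinue | ForEach-Object {
    $target = $wsh.CreateShortcut($_.FullName).TargetPath
    if ($_.BaseName -eq $TaskName -or $target -match '\\AppData\\') {
        $Findings += [pscustomobject]@{ Type = 'StartupLnk'; Where = $_.FullName; Value = $target }
    }
}

# 3. Scheduled tasks. "/sc minute /mo 1" produces a trigger whose Repetition.Interval
#    is the ISO 8601 duration PT1M; combine that with an action inside a user profile.
Get-ScheduledTask | ForEach-Object {
    $t = $_
    $actions = ($t.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join ' ; '
    $everyMinute = $t.Triggers | Where-Object { $_.Repetition.Interval -eq 'PT1M' }
    if ($t.TaskName -eq $TaskName -or ($everyMinute -and $actions -match '\\AppData\\')) {
        $Findings += [pscustomobject]@{
            Type  = 'ScheduledTask'
            Where = "$($t.TaskPath)$($t.TaskName) (RunLevel=$($t.Principal.RunLevel))"
            Value = $actions
        }
    }
}

if ($Findings.Count -eq 0) { 'No XWorm-style persistence found.' }
else { $Findings | Format-Table -AutoSize -Wrap }
```

The Run-key and scheduled-task checks deliberately match on location and timing rather than only on the name "Windows Defender Notification", since XWorm's install_file is configurable and another build of the same family will use a different name. The task check also reports RunLevel: with /RL HIGHEST the task only runs elevated if the creating user is an administrator, so a Highest task pointing into AppData on a non-admin account is still the same persistence, just without the elevation.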
Processes
C:\Users\Admin\AppData\Local\Temp\0x0007000000016d42-20.exe (PID 2252)
  command line: "C:\Users\Admin\AppData\Local\Temp\0x0007000000016d42-20.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  +- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2020)
       command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\0x0007000000016d42-20.exe'
       - Command and Scripting Interpreter: PowerShell
       - Suspicious behavior: EnumeratesProcesses
       - Suspicious use of AdjustPrivilegeToken
  +- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2788)
       command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '0x0007000000016d42-20.exe'
       - Command and Scripting Interpreter: PowerShell
       - Suspicious behavior: EnumeratesProcesses
       - Suspicious use of AdjustPrivilegeToken
  +- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2840)
       command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Windows Defender Notification.exe'
       - Command and Scripting Interpreter: PowerShell
       - Suspicious behavior: EnumeratesProcesses
       - Suspicious use of AdjustPrivilegeToken
  +- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2912)
       command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Defender Notification.exe'
       - Command and Scripting Interpreter: PowerShell
       - Suspicious behavior: EnumeratesProcesses
       - Suspicious use of AdjustPrivilegeToken
  +- C:\Windows\System32\schtasks.exe (PID 2728)
       command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Defender Notification" /tr "C:\Users\Admin\AppData\Roaming\Windows Defender Notification.exe"
       - Scheduled Task/Job: Scheduled Task
C:\Windows\system32\taskeng.exe (PID 2920)
  command line: taskeng.exe {9F42DE84-F931-4BF7-85C5-B406A9B0063F} S-1-5-21-3290804112-2823094203-3137964600-1000:VORHPBAB\Admin:Interactive:[1]
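The four PowerShell children in the tree above each add one Defender exclusion: a path exclusion for the dropped file in Temp, a process exclusion for its name, and the same pair again for the copy installed as %AppData%\Windows Defender Notification.exe. On a host where this ran, those exclusions outlive the process tree. The script below is an added example for this page, not code from the Triage report or from the sample; it assumes an elevated PowerShell session on a Windows 10/Server 2016 or later host with the Defender module present (Get-MpPreference throws on hosts without Defender), and it takes the two paths and two process names from the command lines above.

```powershell
# Added example (not from the Triage report): audit Microsoft Defender exclusions,
# remove any that match this sample's IOCs or sit in user-writable profile
# directories, then list the configuration-change events that recorded them.
# Run as Administrator.
$SuspectPaths = @(                                     # from the Add-MpPreference -ExclusionPath calls
    'C:\Users\Admin\AppData\Local\Temp\0x0007000000016d42-20.exe',
    'C:\Users\Admin\AppData\Roaming\Windows Defender Notification.exe'
)
$SuspectProcesses = @(                                 # from the Add-MpPreference -ExclusionProcess calls
    '0x0007000000016d42-20.exe',
    'Windows Defender Notification.exe'
)

$pref = Get-MpPreference

'Current exclusions:'
$pref.ExclusionPath      | ForEach-Object { "  path:      $_" }
$pref.ExclusionProcess   | ForEach-Object { "  process:   $_" }
$pref.ExclusionExtension | ForEach-Object { "  extension: $_" }

# Exact IOC matches, plus any path exclusion under AppData\Local\Temp or AppData\Roaming:
# a legitimate product rarely needs to exclude a per-user temp or roaming directory,
# and that is exactly where this family drops and installs itself.
$badPaths = @($pref.ExclusionPath | Where-Object {
    ($SuspectPaths -contains $_) -or
    ($_ -match '^[A-Za-z]:\\Users\\[^\\]+\\AppData\\(Local\\Temp|Roaming)\\')
})
$badProcs = @($pref.ExclusionProcess | Where-Object { $SuspectProcesses -contains $_ })

if ($badPaths.Count -gt 0) {
    "Removing path exclusions:`n  " + ($badPaths -join "`n  ")
    Remove-MpPreference -ExclusionPath $badPaths
}
if ($badProcs.Count -gt 0) {
    "Removing process exclusions:`n  " + ($badProcs -join "`n  ")
    Remove-MpPreference -ExclusionProcess $badProcs
}

# Every exclusion change is written to the Defender operational log as event ID 5007
# ("configuration has changed"), whose message names the registry value under
# Exclusions\Paths, Exclusions\Processes or Exclusions\Extensions. Pull the last 24h
# so the timeline shows when the exclusions were added, even if they were already removed.
Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5007
        StartTime = (Get-Date).AddDays(-1)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Exclusions\\(Paths|Processes|Extensions)' } |
    Select-Object TimeCreated, Message |
    Format-List
```

Two caveats when using this. First, Add-MpPreference requires administrative rights, so on a host where the sample ran as a standard user the exclusions were never applied and the 5007 events will be absent; the sandbox ran as Admin, which is why all four succeeded here. Second, removing the exclusions does not remove the payload: the Run value, Startup .lnk and every-minute scheduled task from the signatures section will re-launch %AppData%\Windows Defender Notification.exe, so clean those first or Defender will simply quarantine the same file on the next minute.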
Network
MITRE ATT&CK Enterprise v15
Execution
  Command and Scripting Interpreter (1): PowerShell (1)
  Scheduled Task/Job (1): Scheduled Task (1)
Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1): Scheduled Task (1)
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 3180393eb01d4c936d34f48d50c0fcf3
  SHA1: 91767ac0c2821eda3c6d6275f01289ca03dc0418
  SHA256: 7e988bc9a81fa7f0677290d7cf60b2e5cf5c9caedd49b7731c5cf76bc0b99912
  SHA512: 9822c201abea2843ff187471a84dd63434427c2c24c49deb7ab072440ccb29097c879ab3bdf34ada976d750595eb11d20d651c292e45d14f30b4768138a8d35b