Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    146s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    06/11/2024, 07:25

General

  • Target

    0x0007000000016d42-20.exe

  • Size

    75KB

  • MD5

    8d6e86e6e799c75bd5123534bdbf411b

  • SHA1

    9fc526e97077ed2a5e78371fdab5ab7ecf789368

  • SHA256

    7892c9f14967696e15b99b3eac66d65643357c9a4315f5e8210c8437c6617888

  • SHA512

    8cd6e706c3f36d7cb1d6eed3717fd3e96863b6fcf4ee3425f7b08823b8dc364a1de215b578310a3d1fddd98f9eb648ddeafd85d8a2feed399d46fba7dba09265

  • SSDEEP

    1536:2Z6tgBI11qoEgGBfCDYsN+bT0IrgLSUtmf6/rhtOs4eJ9SYUh:2Z1I11qoGBgYA+bgIEOe9htOs4eJjO

Malware Config

Extracted

Family

xworm

C2

45.145.41.178:1111

Attributes
  • Install_directory

    %AppData%

  • install_file

    Windows Defender Notification.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\0x0007000000016d42-20.exe
    "C:\Users\Admin\AppData\Local\Temp\0x0007000000016d42-20.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2252
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\0x0007000000016d42-20.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2020
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '0x0007000000016d42-20.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2788
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Windows Defender Notification.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2840
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Defender Notification.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2912
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Defender Notification" /tr "C:\Users\Admin\AppData\Roaming\Windows Defender Notification.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2728
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {9F42DE84-F931-4BF7-85C5-B406A9B0063F} S-1-5-21-3290804112-2823094203-3137964600-1000:VORHPBAB\Admin:Interactive:[1]
    1⤵
      PID:2920

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

      Filesize

      7KB

      MD5

      3180393eb01d4c936d34f48d50c0fcf3

      SHA1

      91767ac0c2821eda3c6d6275f01289ca03dc0418

      SHA256

      7e988bc9a81fa7f0677290d7cf60b2e5cf5c9caedd49b7731c5cf76bc0b99912

      SHA512

      9822c201abea2843ff187471a84dd63434427c2c24c49deb7ab072440ccb29097c879ab3bdf34ada976d750595eb11d20d651c292e45d14f30b4768138a8d35b

    • memory/2020-6-0x0000000002CD0000-0x0000000002D50000-memory.dmp

      Filesize

      512KB

    • memory/2020-7-0x000000001B5B0000-0x000000001B892000-memory.dmp

      Filesize

      2.9MB

    • memory/2020-8-0x0000000002240000-0x0000000002248000-memory.dmp

      Filesize

      32KB

    • memory/2252-0-0x000007FEF5263000-0x000007FEF5264000-memory.dmp

      Filesize

      4KB

    • memory/2252-1-0x00000000008A0000-0x00000000008BA000-memory.dmp

      Filesize

      104KB

    • memory/2252-30-0x000000001AB90000-0x000000001AC10000-memory.dmp

      Filesize

      512KB

    • memory/2252-31-0x000007FEF5263000-0x000007FEF5264000-memory.dmp

      Filesize

      4KB

    • memory/2252-32-0x000000001AB90000-0x000000001AC10000-memory.dmp

      Filesize

      512KB

    • memory/2788-14-0x000000001B620000-0x000000001B902000-memory.dmp

      Filesize

      2.9MB

    • memory/2788-15-0x0000000002860000-0x0000000002868000-memory.dmp

      Filesize

      32KB