Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08/11/2024, 01:00 UTC

General

  • Target

    295a1fe5ff733dde577267491fa637a43dfb21930c60e996121eeec21d98d528.exe

  • Size

    564KB

  • MD5

    066ea1397f09fed558600e6c4bc7c1e4

  • SHA1

    059f84529641a772f564f0afa890fd4260ec3a06

  • SHA256

    295a1fe5ff733dde577267491fa637a43dfb21930c60e996121eeec21d98d528

  • SHA512

    d9a494a860ab21f59b405c48343a805f792ed14a9b915decdad3295779f7fb31ab84812a71c99d66838c8c82b37e826f2d66ed9dbfedac0b895e06c9eb8f7fdd

  • SSDEEP

    12288:4oSoGX2ry3mFpqjgS+CLuE0Fq7qUckNxxA7WkR:RSoGmr8mFpq8SjLuS7qjkNK

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

SF5USQEmssTrQl4w

Attributes
  • install_file

    USB.exe

  • pastebin_url

    https://pastebin.com/raw/4iZFGLTi

aes.plain
1
fIf94mB2fjq2edu77JEC2Q==

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\295a1fe5ff733dde577267491fa637a43dfb21930c60e996121eeec21d98d528.exe
    "C:\Users\Admin\AppData\Local\Temp\295a1fe5ff733dde577267491fa637a43dfb21930c60e996121eeec21d98d528.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:316
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\295a1fe5ff733dde577267491fa637a43dfb21930c60e996121eeec21d98d528.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3064
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\FeAlvpvraR.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1084
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FeAlvpvraR" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD3F9.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:1672
    • C:\Users\Admin\AppData\Local\Temp\295a1fe5ff733dde577267491fa637a43dfb21930c60e996121eeec21d98d528.exe
      "C:\Users\Admin\AppData\Local\Temp\295a1fe5ff733dde577267491fa637a43dfb21930c60e996121eeec21d98d528.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:4484

Network

  • flag-us
    DNS
    154.239.44.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    154.239.44.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    136.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    136.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    97.17.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    97.17.167.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    pastebin.com
    295a1fe5ff733dde577267491fa637a43dfb21930c60e996121eeec21d98d528.exe
    Remote address:
    8.8.8.8:53
    Request
    pastebin.com
    IN A
    Response
    pastebin.com
    IN A
    172.67.19.24
    pastebin.com
    IN A
    104.20.3.235
    pastebin.com
    IN A
    104.20.4.235
  • flag-us
    GET
    https://pastebin.com/raw/4iZFGLTi
    295a1fe5ff733dde577267491fa637a43dfb21930c60e996121eeec21d98d528.exe
    Remote address:
    172.67.19.24:443
    Request
    GET /raw/4iZFGLTi HTTP/1.1
    Host: pastebin.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Fri, 08 Nov 2024 01:01:05 GMT
    Content-Type: text/plain; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    x-frame-options: DENY
    x-content-type-options: nosniff
    x-xss-protection: 1;mode=block
    cache-control: public, max-age=1801
    CF-Cache-Status: EXPIRED
    Last-Modified: Fri, 08 Nov 2024 01:01:05 GMT
    Server: cloudflare
    CF-RAY: 8df1a13b5aa363ad-LHR
  • flag-us
    DNS
    24.19.67.172.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    24.19.67.172.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    56.163.245.4.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    56.163.245.4.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    198.187.3.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    198.187.3.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    134.130.38.84.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    134.130.38.84.in-addr.arpa
    IN PTR
    Response
    134.130.38.84.in-addr.arpa
    IN PTR
    ip-130-134.dataclub.info
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    75.209.201.84.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    75.209.201.84.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    79.190.18.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    79.190.18.2.in-addr.arpa
    IN PTR
    Response
    79.190.18.2.in-addr.arpa
    IN PTR
    a2-18-190-79.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    13.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    13.227.111.52.in-addr.arpa
    IN PTR
    Response
  • 172.67.19.24:443
    https://pastebin.com/raw/4iZFGLTi
    tls, http
    295a1fe5ff733dde577267491fa637a43dfb21930c60e996121eeec21d98d528.exe
    772 B
    3.9kB
    9
    10

    HTTP Request

    GET https://pastebin.com/raw/4iZFGLTi

    HTTP Response

    200
  • 84.38.130.134:7000
    295a1fe5ff733dde577267491fa637a43dfb21930c60e996121eeec21d98d528.exe
    2.7kB
    1.5kB
    31
    29
  • 8.8.8.8:53
    154.239.44.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    154.239.44.20.in-addr.arpa

  • 8.8.8.8:53
    136.32.126.40.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    136.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    97.17.167.52.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    97.17.167.52.in-addr.arpa

  • 8.8.8.8:53
    pastebin.com
    dns
    295a1fe5ff733dde577267491fa637a43dfb21930c60e996121eeec21d98d528.exe
    58 B
    106 B
    1
    1

    DNS Request

    pastebin.com

    DNS Response

    172.67.19.24
    104.20.3.235
    104.20.4.235

  • 8.8.8.8:53
    24.19.67.172.in-addr.arpa
    dns
    71 B
    133 B
    1
    1

    DNS Request

    24.19.67.172.in-addr.arpa

  • 8.8.8.8:53
    56.163.245.4.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    56.163.245.4.in-addr.arpa

  • 8.8.8.8:53
    198.187.3.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    198.187.3.20.in-addr.arpa

  • 8.8.8.8:53
    134.130.38.84.in-addr.arpa
    dns
    72 B
    110 B
    1
    1

    DNS Request

    134.130.38.84.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    75.209.201.84.in-addr.arpa
    dns
    72 B
    132 B
    1
    1

    DNS Request

    75.209.201.84.in-addr.arpa

  • 8.8.8.8:53
    79.190.18.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    79.190.18.2.in-addr.arpa

  • 8.8.8.8:53
    13.227.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    13.227.111.52.in-addr.arpa

  • 8.8.8.8:53

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

    Filesize

    2KB

    MD5

    968cb9309758126772781b83adb8a28f

    SHA1

    8da30e71accf186b2ba11da1797cf67f8f78b47c

    SHA256

    92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

    SHA512

    4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    18KB

    MD5

    d9e5484b1264617b9738b646aede9c87

    SHA1

    f37f42e4a44a0a382810d7bb9a54c7ba6ee2b83a

    SHA256

    64f7e7e11b64984a169ce4a1e6b7a1279a6635c97a0ceee0772e414fce49e579

    SHA512

    37d9b27757b43bc80cdaaeafe2d3d1bfd5fa8229e8db45bbe6130bcc4b90c10840378d692ebcef63dfb5ff350022a0812d767af67f62fa8c88a3023bd23b9d91

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ns2cotch.gcs.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Local\Temp\tmpD3F9.tmp

    Filesize

    1KB

    MD5

    52621e7fc3d2b19e99ad6c6c14689847

    SHA1

    c94dbb97348f557fa5115d33f2be08782eda52f2

    SHA256

    c4f97d37064f553f718c402e129cacd206e9b713d8f010cdcc69714b6dbeda05

    SHA512

    a117f9a0fb963dbca5060d31217853276a271673a11b95d8ef4b80c4f72d3d18a62a04b8e274cd961711df5c2e512954030de6f8ccebd10d9b2605890c5bd3d0

  • memory/316-49-0x0000000074980000-0x0000000075130000-memory.dmp

    Filesize

    7.7MB

  • memory/316-5-0x0000000005BA0000-0x0000000005BAA000-memory.dmp

    Filesize

    40KB

  • memory/316-6-0x0000000005D00000-0x0000000005D9C000-memory.dmp

    Filesize

    624KB

  • memory/316-7-0x0000000005E30000-0x0000000005E4C000-memory.dmp

    Filesize

    112KB

  • memory/316-8-0x000000007498E000-0x000000007498F000-memory.dmp

    Filesize

    4KB

  • memory/316-9-0x0000000074980000-0x0000000075130000-memory.dmp

    Filesize

    7.7MB

  • memory/316-10-0x0000000003400000-0x0000000003452000-memory.dmp

    Filesize

    328KB

  • memory/316-0-0x000000007498E000-0x000000007498F000-memory.dmp

    Filesize

    4KB

  • memory/316-4-0x0000000074980000-0x0000000075130000-memory.dmp

    Filesize

    7.7MB

  • memory/316-2-0x0000000005EB0000-0x0000000006454000-memory.dmp

    Filesize

    5.6MB

  • memory/316-3-0x0000000005A00000-0x0000000005A92000-memory.dmp

    Filesize

    584KB

  • memory/316-1-0x0000000000FA0000-0x0000000001030000-memory.dmp

    Filesize

    576KB

  • memory/1084-62-0x0000000005420000-0x000000000543E000-memory.dmp

    Filesize

    120KB

  • memory/1084-45-0x0000000074980000-0x0000000075130000-memory.dmp

    Filesize

    7.7MB

  • memory/1084-24-0x00000000060F0000-0x0000000006444000-memory.dmp

    Filesize

    3.3MB

  • memory/1084-22-0x0000000074980000-0x0000000075130000-memory.dmp

    Filesize

    7.7MB

  • memory/1084-77-0x0000000007C90000-0x0000000007D26000-memory.dmp

    Filesize

    600KB

  • memory/1084-51-0x00000000078A0000-0x00000000078D2000-memory.dmp

    Filesize

    200KB

  • memory/1084-25-0x0000000074980000-0x0000000075130000-memory.dmp

    Filesize

    7.7MB

  • memory/1084-88-0x0000000074980000-0x0000000075130000-memory.dmp

    Filesize

    7.7MB

  • memory/1084-74-0x0000000008060000-0x00000000086DA000-memory.dmp

    Filesize

    6.5MB

  • memory/1084-80-0x0000000007C50000-0x0000000007C64000-memory.dmp

    Filesize

    80KB

  • memory/1084-48-0x00000000066D0000-0x00000000066EE000-memory.dmp

    Filesize

    120KB

  • memory/1084-50-0x0000000006C70000-0x0000000006CBC000-memory.dmp

    Filesize

    304KB

  • memory/1084-79-0x0000000007C40000-0x0000000007C4E000-memory.dmp

    Filesize

    56KB

  • memory/1084-52-0x000000006FEC0000-0x000000006FF0C000-memory.dmp

    Filesize

    304KB

  • memory/3064-15-0x0000000002870000-0x00000000028A6000-memory.dmp

    Filesize

    216KB

  • memory/3064-20-0x0000000005140000-0x00000000051A6000-memory.dmp

    Filesize

    408KB

  • memory/3064-63-0x000000006FEC0000-0x000000006FF0C000-memory.dmp

    Filesize

    304KB

  • memory/3064-73-0x0000000007130000-0x00000000071D3000-memory.dmp

    Filesize

    652KB

  • memory/3064-89-0x0000000074980000-0x0000000075130000-memory.dmp

    Filesize

    7.7MB

  • memory/3064-75-0x0000000007480000-0x000000000749A000-memory.dmp

    Filesize

    104KB

  • memory/3064-76-0x0000000007500000-0x000000000750A000-memory.dmp

    Filesize

    40KB

  • memory/3064-26-0x0000000074980000-0x0000000075130000-memory.dmp

    Filesize

    7.7MB

  • memory/3064-78-0x0000000007680000-0x0000000007691000-memory.dmp

    Filesize

    68KB

  • memory/3064-19-0x0000000005090000-0x00000000050B2000-memory.dmp

    Filesize

    136KB

  • memory/3064-21-0x00000000051B0000-0x0000000005216000-memory.dmp

    Filesize

    408KB

  • memory/3064-81-0x00000000077C0000-0x00000000077DA000-memory.dmp

    Filesize

    104KB

  • memory/3064-82-0x00000000077A0000-0x00000000077A8000-memory.dmp

    Filesize

    32KB

  • memory/3064-18-0x0000000074980000-0x0000000075130000-memory.dmp

    Filesize

    7.7MB

  • memory/3064-17-0x0000000074980000-0x0000000075130000-memory.dmp

    Filesize

    7.7MB

  • memory/3064-16-0x0000000005240000-0x0000000005868000-memory.dmp

    Filesize

    6.2MB

  • memory/4484-46-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB
