Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

e46b1a61a0...6b.exe

windows7-x64

10

e46b1a61a0...6b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    08/11/2024, 18:12 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e46b1a61a02ffd168be568e04d497adb2e91b664ea62ee830a2c91f7fec13f6b.exe

  • Size

    2.9MB

  • MD5

    eae9f5ca7a9cc11cdd6da9889fe85f09

  • SHA1

    937d8d9e6b2eccc6a504a855353fa7e276f97b71

  • SHA256

    e46b1a61a02ffd168be568e04d497adb2e91b664ea62ee830a2c91f7fec13f6b

  • SHA512

    287b066bc59f9fec75460856f82f5fc4dc3132e6f8e1123932c188feacfbc22b82ec82512cd214eb04b288a06e1776beda2997418e6d6dc462e4b7845515b9ed

  • SSDEEP

    49152:CYpiCjKOK0fsrxr6/es0gIfKfkExpNLFeoM6EEk3NsTK8adF:3rK0cxm/d0DUkWVFeoM65NWF

Score
10/10
xwormrattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

client-toilet.gl.at.ply.gg:29921

Mutex

NvsfH1XO1syyGREn

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

aes.plain
1
a/WOc7Gc9Rtd0bEnita/OQ==

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e46b1a61a02ffd168be568e04d497adb2e91b664ea62ee830a2c91f7fec13f6b.exe
    "C:\Users\Admin\AppData\Local\Temp\e46b1a61a02ffd168be568e04d497adb2e91b664ea62ee830a2c91f7fec13f6b.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1420
    • C:\Users\Admin\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe
      "C:\Users\Admin\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2808
    • C:\Users\Admin\AppData\Local\Temp\Fulloption_V2.1.exe
      "C:\Users\Admin\AppData\Local\Temp\Fulloption_V2.1.exe"
      2⤵
      • Executes dropped EXE
      PID:2936

Network

  • flag-us
    DNS
    ip-api.com
    BLACKGODDOM V.2 GOD BY LA.exe
    Remote address:
    8.8.8.8:53
    Request
    ip-api.com
    IN A
    Response
    ip-api.com
    IN A
    208.95.112.1
  • flag-us
    GET
    http://ip-api.com/line/?fields=hosting
    BLACKGODDOM V.2 GOD BY LA.exe
    Remote address:
    208.95.112.1:80
    Request
    GET /line/?fields=hosting HTTP/1.1
    Host: ip-api.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Fri, 08 Nov 2024 18:12:16 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 5
    Access-Control-Allow-Origin: *
    X-Ttl: 53
    X-Rl: 42
  • 208.95.112.1:80
    http://ip-api.com/line/?fields=hosting
    http
    BLACKGODDOM V.2 GOD BY LA.exe
    310 B
     266 B
     5
    2

    HTTP Request

    GET http://ip-api.com/line/?fields=hosting

    HTTP Response

    200
  • 8.8.8.8:53
    ip-api.com
    dns
    BLACKGODDOM V.2 GOD BY LA.exe
    56 B
     72 B
     1
    1

    DNS Request

    ip-api.com

    DNS Response

    208.95.112.1

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe
    Filesize

    67KB

    MD5

    2b1bcff698482a45a0d01356ad3e0384

    SHA1

    77d106b1495b869600cdfda6afeaec0f75a78634

    SHA256

    a9bd5014b5a6744b0a5c180a3e76ff546a514dcbad8bf2d8c500f903a285424b

    SHA512

    e8b6a729f3b4fc02886aeed232511dc9407a52aae40f01cd2817f8369944b14240bd3edfd573dbdef0d506557f02622148ce4042f6f497c20f1f11af85eeac77

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Fulloption_V2.1.exe
    Filesize

    3.9MB

    MD5

    2f6e9c0dd1c6859a9d6e7acea1db9ac0

    SHA1

    b0dcd2be62b6a559e479de7745ab0988b8b30522

    SHA256

    122e3cb0f2ad233d1a364911d433667e7778f00d9a7d10b954c994f4e8093d1f

    SHA512

    fe3634f46afd5b45f0ffc721a18b5ef1b1344b548f90b8c54ea6995e3d64b7394b56c681b1a0522b67e862fce9d8333b621612a2f03708e7dbc917a28c58c15d

    Download Submit

  • memory/1420-0-0x000007FEF5C53000-0x000007FEF5C54000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1420-1-0x000000013F420000-0x000000013F70C000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/1420-5-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1420-15-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2808-13-0x0000000000970000-0x0000000000986000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2808-12-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2808-16-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2808-17-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

    Filesize

    9.9MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.