Analysis
max time kernel: 147s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/11/2024, 19:43
Static task: static1
Behavioral task: behavioral1
Sample: 951a32aa2dc318f958f6343a90520b9a.exe
Resource: win7-20240903-en
General
Target: 951a32aa2dc318f958f6343a90520b9a.exe
Size: 703KB
MD5: 951a32aa2dc318f958f6343a90520b9a
SHA1: c54777ef2b539737582b700935beb4d09da9eaf2
SHA256: 7245244c75276269f56cce5f81194681a881d4746a7abec6807f28a19b04ba66
SHA512: 25fade9e618fc12220863fea258cb9b00ea6e3459c5d66e0951b3ee8d846fb33259160d1b826f58589c003593961652ecaaf252aadbeaf5371f8ee888a211547
SSDEEP: 12288:vp4ZLalVqAJVLBNAliYOapsNlW3R5rad8pz4U1tF5qBsy7BnX+uUnsAS:v+Z2/rJjNAliYOBMrE8GUaBsyNXmF
Malware Config
Extracted
Family: xworm
Version: 5.0
C2: 87.120.117.209:7000
U2y4hALpuDGJOJr0
install_file: USB.exe
Signatures

Detect Xworm Payload (2 IoCs)
resource | yara_rule
behavioral2/files/0x0007000000023ca6-16.dat | family_xworm
behavioral2/memory/316-19-0x0000000000AB0000-0x0000000000ABE000-memory.dmp | family_xworm

Xworm family

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | 951a32aa2dc318f958f6343a90520b9a.exe

Executes dropped EXE (3 IoCs)
pid | Process
1772 | fOr6oSoLC6.exe
316 | S3VgvrtApm.exe
3940 | fOr6oSoLC6.exe

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 1772 set thread context of 3940 | 1772 | fOr6oSoLC6.exe | 88

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
pid | pid_target | Process | procid_target
3944 | 1772 | WerFault.exe | 85

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fOr6oSoLC6.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fOr6oSoLC6.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 951a32aa2dc318f958f6343a90520b9a.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 316 | S3VgvrtApm.exe

Suspicious use of WriteProcessMemory (14 IoCs)
description | pid | Process | procid_target
PID 1968 wrote to memory of 1772 | 1968 | 951a32aa2dc318f958f6343a90520b9a.exe | 85
PID 1968 wrote to memory of 1772 | 1968 | 951a32aa2dc318f958f6343a90520b9a.exe | 85
PID 1968 wrote to memory of 1772 | 1968 | 951a32aa2dc318f958f6343a90520b9a.exe | 85
PID 1968 wrote to memory of 316 | 1968 | 951a32aa2dc318f958f6343a90520b9a.exe | 87
PID 1968 wrote to memory of 316 | 1968 | 951a32aa2dc318f958f6343a90520b9a.exe | 87
PID 1772 wrote to memory of 3940 | 1772 | fOr6oSoLC6.exe | 88
PID 1772 wrote to memory of 3940 | 1772 | fOr6oSoLC6.exe | 88
PID 1772 wrote to memory of 3940 | 1772 | fOr6oSoLC6.exe | 88
PID 1772 wrote to memory of 3940 | 1772 | fOr6oSoLC6.exe | 88
PID 1772 wrote to memory of 3940 | 1772 | fOr6oSoLC6.exe | 88
PID 1772 wrote to memory of 3940 | 1772 | fOr6oSoLC6.exe | 88
PID 1772 wrote to memory of 3940 | 1772 | fOr6oSoLC6.exe | 88
PID 1772 wrote to memory of 3940 | 1772 | fOr6oSoLC6.exe | 88
PID 1772 wrote to memory of 3940 | 1772 | fOr6oSoLC6.exe | 88
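The WriteProcessMemory and SetThreadContext signatures above are more useful read together than as separate hits: the submitted sample writes a few times into each child it spawns (the ordinary footprint of process creation), while fOr6oSoLC6.exe (PID 1772) writes nine times into a second copy of itself (PID 3940) and then sets that process's thread context, which is the RunPE / process-hollowing shape. The following is an added example written for this report, not Triage's code or its export format; it correlates the report's own event counts into a single alert. The one-line record layout (pid, image, API name, target pid) and the pid-to-image map are assumptions built from the tables above.

```python
"""Correlate sandbox API-call IoCs into a process-hollowing alert.

Added example for this report; not Triage's code or output format. The
records are constructed from the report's "Suspicious use of
WriteProcessMemory", "Suspicious use of SetThreadContext" and "Executes
dropped EXE" tables. The record layout  <pid> <image> <api> <target_pid>
is an assumption made for this example.
"""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ApiEvent:
    pid: int      # calling process
    image: str    # image name of the calling process
    api: str      # WriteProcessMemory or SetThreadContext
    target: int   # process the call was directed at


# Constructed from this report: 3 + 2 + 9 remote writes and one SetThreadContext.
SAMPLE_EVENTS = (
    ["1968 951a32aa2dc318f958f6343a90520b9a.exe WriteProcessMemory 1772"] * 3
    + ["1968 951a32aa2dc318f958f6343a90520b9a.exe WriteProcessMemory 316"] * 2
    + ["1772 fOr6oSoLC6.exe WriteProcessMemory 3940"] * 9
    + ["1772 fOr6oSoLC6.exe SetThreadContext 3940"]
)

# pid -> image, from the "Executes dropped EXE" table plus the submitted sample.
PROCESS_IMAGES = {
    1968: "951a32aa2dc318f958f6343a90520b9a.exe",
    1772: "fOr6oSoLC6.exe",
    316: "S3VgvrtApm.exe",
    3940: "fOr6oSoLC6.exe",
}

EVENT_RE = re.compile(
    r"^(\d+)\s+(\S+)\s+(WriteProcessMemory|SetThreadContext)\s+(\d+)$"
)


def parse_events(lines):
    """Parse the constructed record lines; reject anything malformed loudly."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable event record: {line!r}")
        pid, image, api, target = m.groups()
        events.append(ApiEvent(int(pid), image, api, int(target)))
    return events


def remote_write_counts(events):
    """Count WriteProcessMemory calls per (source_pid, target_pid) pair."""
    return Counter((e.pid, e.target) for e in events if e.api == "WriteProcessMemory")


def find_hollowing(events, images):
    """Return one alert per (source, target) pair that shows the RunPE pattern.

    A parent normally writes a small amount into a child it has just created,
    so remote writes on their own are noise: 1968 -> 1772 and 1968 -> 316 in
    this report look exactly like that. The pattern worth alerting on is remote
    writes *and* a SetThreadContext into the same target, which is how a
    hollowing loader points the suspended primary thread at the injected image.
    """
    writes = remote_write_counts(events)
    ctx_pairs = {(e.pid, e.target) for e in events if e.api == "SetThreadContext"}
    alerts = []
    for src, dst in sorted(ctx_pairs):
        if writes[(src, dst)] == 0:
            continue  # context change without a prior write: not this pattern
        alerts.append({
            "source_pid": src,
            "target_pid": dst,
            "source_image": images.get(src, "?"),
            "target_image": images.get(dst, "?"),
            "writes": writes[(src, dst)],
            # Same image on both sides: the loader spawned a copy of itself to
            # hollow, the common RunPE shape and what this report shows.
            "self_hollowing": images.get(src) == images.get(dst),
        })
    return alerts


def creation_only_pairs(events):
    """Pairs with remote writes but no SetThreadContext: context, not an alert."""
    writes = remote_write_counts(events)
    ctx_pairs = {(e.pid, e.target) for e in events if e.api == "SetThreadContext"}
    return {pair: n for pair, n in writes.items() if pair not in ctx_pairs}


if __name__ == "__main__":
    evts = parse_events(SAMPLE_EVENTS)
    for a in find_hollowing(evts, PROCESS_IMAGES):
        print(f"HOLLOWING {a['source_image']}({a['source_pid']}) -> "
              f"{a['target_image']}({a['target_pid']}): {a['writes']} writes, "
              f"self={a['self_hollowing']}")
    print("creation-only write pairs:", creation_only_pairs(evts))
```

Run against the report's events this yields a single alert, 1772 -> 3940 with nine writes and self_hollowing set, while the 1968 -> 1772 and 1968 -> 316 write pairs stay in the creation-only bucket. The same pairing logic applies to EDR telemetry that exposes remote-write and thread-context events; the field names would differ but the correlation does not.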
Processes

C:\Users\Admin\AppData\Local\Temp\951a32aa2dc318f958f6343a90520b9a.exe  (PID 1968)
  "C:\Users\Admin\AppData\Local\Temp\951a32aa2dc318f958f6343a90520b9a.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\fOr6oSoLC6.exe  (PID 1772)
      "C:\Users\Admin\AppData\Roaming\fOr6oSoLC6.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Roaming\fOr6oSoLC6.exe  (PID 3940)
          "C:\Users\Admin\AppData\Roaming\fOr6oSoLC6.exe"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
        C:\Windows\SysWOW64\WerFault.exe  (PID 3944)
          C:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 264
          - Program crash
    C:\Users\Admin\AppData\Roaming\S3VgvrtApm.exe  (PID 316)
      "C:\Users\Admin\AppData\Roaming\S3VgvrtApm.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\WerFault.exe  (PID 184)
  C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1772 -ip 1772
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 32KB
MD5: 85d9338ae7f8665821638125a394cb4f
SHA1: 269be255f238e7be7e4976204b6605ee069e55d9
SHA256: a1c97fe85170fd6acd766d965f1931e32692ffa92db222492fd24b4421b126c9
SHA512: 3b66e2f2893ef61a5acf2e21f2d216bb0da18e54a1f1f06eba8167f71e1ee7c1a1efa208f625f5c82dfd4c391ba3b89b545adffc9baddde84fccf95872fe9d45

Filesize: 459KB
MD5: 1d97c138b9e3c19f4900a6a348240430
SHA1: 84ceb6309b2efc0fdfa1fee6a6420a615d618623
SHA256: 77f6caa506303dbdcf644380adf5cb01b122f6f5efa3a54d7492754075243e2b
SHA512: bd8b8ab7717ccc1b9c41ddba7d3b48cd4e565f51b61357b46677905d5faf3eb98ba7bca0b39f0fb05fd97300009568ecc9408fd9113a77d3642e8924e3074f73