Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    08/11/2024, 20:48

General

  • Target

    TalibanStealerInstaller.exe

  • Size

    4.1MB

  • MD5

    7531fbb7431039bda2b19160e0b9c2d4

  • SHA1

    b7f4a971ebf8128ee1ea7cb764b9582fb73b8002

  • SHA256

    6a93c6b6467f2e24918f9c39f2b0d91a14974b3af096d39dda126c02f3299bc8

  • SHA512

    5b8b09d896e12f3da879939f3c925da58ba79c6c1f2559594b1eb11d8fd5f63d3afeb12484b8656e0ba929cb0bb7fbb67a566d3599769c955885ca21b4036487

  • SSDEEP

    98304:51mCYY8UGo4x83fa1lyrd3qNz6VTDwgiLC/sE1:nmCWUUqi1s530+VohE

Malware Config

Extracted

Family

xworm

C2

lijaligibidu-35558.portmap.host:35558

Attributes
  • Install_directory

    %AppData%

  • install_file

    Windows Security.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 4 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Obfuscated Files or Information: Command Obfuscation 1 TTPs

    Adversaries may obfuscate content during command execution to impede detection.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\TalibanStealerInstaller.exe
    "C:\Users\Admin\AppData\Local\Temp\TalibanStealerInstaller.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2816
    • C:\Users\Admin\AppData\Roaming\TalibanStealerInstaller.exe
      "C:\Users\Admin\AppData\Roaming\TalibanStealerInstaller.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2820
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAdAByACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHoAYwBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAdwBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGsAdgBjACMAPgA="
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2408
      • C:\Users\Admin\AppData\Local\Temp\Windows Security.exe
        "C:\Users\Admin\AppData\Local\Temp\Windows Security.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2688
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHcAbQBrACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHEAYwB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAZgBmACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAdwBiACMAPgA="
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2404
        • C:\Users\Admin\AppData\Local\Temp\c9IDU7463.exe
          "C:\Users\Admin\AppData\Local\Temp\c9IDU7463.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:300
      • C:\Users\Admin\AppData\Local\Temp\TalibanStealerInstaller.exe
        "C:\Users\Admin\AppData\Local\Temp\TalibanStealerInstaller.exe"
        3⤵
        • Executes dropped EXE
        • Enumerates system info in registry
        PID:1480
    • C:\Users\Admin\AppData\Roaming\WindowsSecurity.exe
      "C:\Users\Admin\AppData\Roaming\WindowsSecurity.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2976

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\TalibanStealerInstaller.exe

    Filesize

    2.5MB

    MD5

    cdfcc41584dcd2a57da70353cb9955a8

    SHA1

    78b0a8cda3187d7ba842c9148446da5c628370b5

    SHA256

    be453771400d21a320f759b3b99bd7cf07d9d8301db6bce115bafae1aff79fb3

    SHA512

    4db311aac921a20b9be5c28e66b54912065ac5aeb56b45c20fe7383ff69aa50622e6da383f029a6291525457439cd2e6ac403860af4d82bd61a86df3aad9e7dc

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

    Filesize

    7KB

    MD5

    3fa53b3b4ea5788d7bec18d9ccc76757

    SHA1

    a504e104292591f6364c609a996a60995000bd5d

    SHA256

    bc29ed4b387050964b53662f4740ed98d48590b752b9ffd653742430463dda1b

    SHA512

    10f8d51b797ae83a48d274bcb19e96cbd8860a4e3d002508a8dd9a8aa17adff0fd22ff3fa3d9def17e111c7aae3e0b49cccdf91995d80c3213a7d6aaa3e5df73

  • C:\Users\Admin\AppData\Roaming\TalibanStealerInstaller.exe

    Filesize

    3.7MB

    MD5

    0bd9c3971db333e1ccc5c327c4b06baa

    SHA1

    2e319ceb3f8fd1cd61d5e40002e493117ed9321d

    SHA256

    651b7894bf375daa0ec4d1fe71ba43f5fd3fcf62363d4141a767f7c8abedb216

    SHA512

    997b7356d55218f72e289b95b6170fb7c8998a2caedc19614d118f6566453301403339a3db6a0a9b8b9d73feb17947661571040a458e938c7db649b637bb39bb

  • C:\Users\Admin\AppData\Roaming\WindowsSecurity.exe

    Filesize

    75KB

    MD5

    cf219a189dae4a022f26dd58cd5367e6

    SHA1

    76c2e7b756e894afc4e5fd7267fce398d58c518f

    SHA256

    725c0bcdb953e39e96a0192d2712b261541647259e494c583d19697a10d2ffbe

    SHA512

    21dc7cdd5ea07be708a5c696708207a1760851d2fbb608969254a8f3e806bbb87b6b27a4d5f4cecf1b5d90f6fc81759fd9f6222ddafdb955d41b0333ea085f1f

  • \Users\Admin\AppData\Local\Temp\Windows Security.exe

    Filesize

    1018KB

    MD5

    d8cdeec022d5fda0ab78a7ecc9efa3ae

    SHA1

    3cb31d1646d3f63019a0c3745d3f2c62bdaab243

    SHA256

    e5b7e580db8476b8e4d2ae806288984df4eb0c5a061bed61c77157a2628ae1ea

    SHA512

    4ddd191a8c352cef83ba3dee0a2ba15fcd95c397fc13af152c2ef9731ec66c7ee332c8079567ee03e77a38225a8453aee798f573d25c35cb98921d09597ed63e

  • \Users\Admin\AppData\Local\Temp\c9IDU7463.exe

    Filesize

    971KB

    MD5

    26efc684ddd0782b295a6ee4a76e3256

    SHA1

    08cc73ef5c1b02e09765181a5acee1a7018dcffc

    SHA256

    bf832f28b8d9f2ff077f691bd7e8a2cf46f3a4ac0ee8ee2d2f2944089abd20ab

    SHA512

    20ba9e73514148613943db974cf88874907f9fe19e1cf5d81d9bf83ffbd233be80e925c62a5430a7ef69099e603ae54d60680020e0de58e632897f8c4aecfb49

  • memory/300-42-0x00000000009C0000-0x0000000000ABA000-memory.dmp

    Filesize

    1000KB

  • memory/1480-38-0x0000000001240000-0x00000000014BE000-memory.dmp

    Filesize

    2.5MB

  • memory/1480-43-0x000000001B0A0000-0x000000001B1EE000-memory.dmp

    Filesize

    1.3MB

  • memory/1480-44-0x0000000000150000-0x0000000000164000-memory.dmp

    Filesize

    80KB

  • memory/1480-45-0x000000001B890000-0x000000001BAA6000-memory.dmp

    Filesize

    2.1MB

  • memory/2816-0-0x000007FEF5003000-0x000007FEF5004000-memory.dmp

    Filesize

    4KB

  • memory/2816-1-0x0000000000CE0000-0x00000000010F4000-memory.dmp

    Filesize

    4.1MB

  • memory/2976-12-0x0000000000850000-0x0000000000868000-memory.dmp

    Filesize

    96KB

  • memory/2976-46-0x000007FEF4613000-0x000007FEF4614000-memory.dmp

    Filesize

    4KB