Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

eheheh.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    69s
  • max time network
    54s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    10/11/2024, 07:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    eheheh.exe

  • Size

    83KB

  • MD5

    6bb17f4042738219708a1fcd785b2f20

  • SHA1

    7b7f33f12a9a7602ad2b1128ca51b4336c63bf8b

  • SHA256

    52f750c805eb0d8d1175b9b648bc6e458bcbb33048c864d8e064099c44addfa1

  • SHA512

    f4c22bc88e3644621fcc2853562e8312a4b68c673148742b0cae3c54c0e7c80f19c31d9d32114a385fabb1248740467b19bea1ab0d6d05c42ca35878e4c8e8e6

  • SSDEEP

    1536:POGdaV0R6Gkp3UyLshEjoE9I8uEMWb15uaGM53/m8AWm6Z3JOY451:WGdBS3Un8oE9I8+Wb15uaxxL3JOY43

Score
10/10
xwormrattrojan

Malware Config

Extracted

Family

xworm

C2

about-publishing.gl.at.ply.gg:49157

Attributes
  • Install_directory

    %AppData%

  • install_file

    update.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 21 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\eheheh.exe
    "C:\Users\Admin\AppData\Local\Temp\eheheh.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:5168
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\UninstallBackup.cmd" "
    1⤵
      PID:1604
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1728
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        2⤵
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4608
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1976 -parentBuildID 20240401114208 -prefsHandle 1904 -prefMapHandle 1868 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ef6297f-0b6b-45bd-86d6-e2487386a0b6} 4608 "\\.\pipe\gecko-crash-server-pipe.4608" gpu
          3⤵
            PID:1676
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2376 -parentBuildID 20240401114208 -prefsHandle 2368 -prefMapHandle 2356 -prefsLen 23714 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c3a5cf23-6aec-4173-aaae-9172bb5b3e91} 4608 "\\.\pipe\gecko-crash-server-pipe.4608" socket
            3⤵
              PID:2748
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2980 -childID 1 -isForBrowser -prefsHandle 3140 -prefMapHandle 3136 -prefsLen 23855 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6a563e04-4331-44e7-bb9d-1fae15a95f66} 4608 "\\.\pipe\gecko-crash-server-pipe.4608" tab
              3⤵
                PID:5520
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3528 -childID 2 -isForBrowser -prefsHandle 3584 -prefMapHandle 3192 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9d1fcf96-c382-45f4-ac1b-e0d0d5cf0c8a} 4608 "\\.\pipe\gecko-crash-server-pipe.4608" tab
                3⤵
                  PID:1456
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4684 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4680 -prefMapHandle 4676 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {84d3e5bf-737b-481e-bf4a-ad86055e9d79} 4608 "\\.\pipe\gecko-crash-server-pipe.4608" utility
                  3⤵
                  • Checks processor information in registry
                  PID:5836
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1560 -childID 3 -isForBrowser -prefsHandle 912 -prefMapHandle 1120 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {af1e7b39-8d4c-43e2-bf4a-edd5bb267ffe} 4608 "\\.\pipe\gecko-crash-server-pipe.4608" tab
                  3⤵
                    PID:4132
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1404 -childID 4 -isForBrowser -prefsHandle 2728 -prefMapHandle 5596 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {00c84fa6-c549-4e48-9056-e7c671cda980} 4608 "\\.\pipe\gecko-crash-server-pipe.4608" tab
                    3⤵
                      PID:3332
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5824 -childID 5 -isForBrowser -prefsHandle 5944 -prefMapHandle 5952 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8300b4b9-2530-41f2-a1af-9dfff8aa0db7} 4608 "\\.\pipe\gecko-crash-server-pipe.4608" tab
                      3⤵
                        PID:2320
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6264 -childID 6 -isForBrowser -prefsHandle 6248 -prefMapHandle 6240 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1de6718b-666d-4c27-b70d-019180026782} 4608 "\\.\pipe\gecko-crash-server-pipe.4608" tab
                        3⤵
                          PID:2176

                    Network

                    MITRE ATT&CK Enterprise v15

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\p38rro19.default-release\activity-stream.discovery_stream.json
                      Filesize

                      25KB

                      MD5

                      29380bbd40f16c1526da5e9036be9a9a

                      SHA1

                      1bf757b5424cf74a0599386dd212240d7dba7ba3

                      SHA256

                      1d02e0b4c6ad2c222b58d828e1b8272fd96952954bb7da930623a8e8845811fb

                      SHA512

                      11cdbf6ae39d524906ce7b696e764960add77e319ef520672317259acaffddece2a8f45f977767f703f2aad190411f2d0bb931a8b74bdac9253d6e55cb3f6312

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\tmpaddon
                      Filesize

                      479KB

                      MD5

                      09372174e83dbbf696ee732fd2e875bb

                      SHA1

                      ba360186ba650a769f9303f48b7200fb5eaccee1

                      SHA256

                      c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

                      SHA512

                      b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
                      Filesize

                      13.8MB

                      MD5

                      0a8747a2ac9ac08ae9508f36c6d75692

                      SHA1

                      b287a96fd6cc12433adb42193dfe06111c38eaf0

                      SHA256

                      32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

                      SHA512

                      59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\AlternateServices.bin
                      Filesize

                      8KB

                      MD5

                      de045de7f840179e83750f169f460e82

                      SHA1

                      23995c91a4d8fcde439d19b6533496744e805daf

                      SHA256

                      c3a9a8285c8bc0ace2d2dbaed3cbe6449ab5f95c51ccf7f73c8d9b368597a536

                      SHA512

                      aeed22a0bb699e2f460ca6a5ea26bfc2492210cddee988c73a6b7e5f7d0b7296cde8a95e9fa6f6487d3a65b41874e4f852aaa382e7dfd60f37216e86722713dd

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\AlternateServices.bin
                      Filesize

                      12KB

                      MD5

                      09fdf202b3cb233be9cf5f079d093a2b

                      SHA1

                      75dd7556d2cdef71df31064a56957842c1281def

                      SHA256

                      adac4fe90ccea9e1fd4da5c98126e64e32a0cf02dc67c32ce83283d866719e0d

                      SHA512

                      2642ae672822751d4981a08c6e3bb1877e086f66c6a5796e7abc68753876a56b9ddb257e2ec8ebd54ffb26fd6db7e1d1a0f9dc591eb0581d88f54902f703191c

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\datareporting\glean\db\data.safe.tmp
                      Filesize

                      5KB

                      MD5

                      178ec991339cd699bb7b281d8086c7ee

                      SHA1

                      ee5599fbbe0963e899d8c5524e5393ee9001b78f

                      SHA256

                      6ba7ad9299e904b314e96395410bdfa4994d0318d94543c2c013c554fa42c1cb

                      SHA512

                      6a70946135e6470f5edcf16b9568bb7ef252c6647981c7f2c7942481fadd127af2ce88c1571fd92c6ecf378e82860103450cc57805c30f0ed27d5b4ec60c41e9

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\datareporting\glean\db\data.safe.tmp
                      Filesize

                      5KB

                      MD5

                      6c7571d8dfce5bd0cb55697e21d845f9

                      SHA1

                      6294613faf7f646ce470837cf1605c2e562ce566

                      SHA256

                      3a2a8992dadccdf156315e71f45ce857168b81428384dd238d1cfa7fde746a83

                      SHA512

                      e49e6d11f21d01ba8c3c6380cf0e2c30c0489c3cffc2a2bdc2f0499211b5681955e021522085dedb2280b38f955cc780ba6b8ec64e4ab13d43d54798330ed58c

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\datareporting\glean\db\data.safe.tmp
                      Filesize

                      17KB

                      MD5

                      10a6a1d5cc3cd0d0f402661ebbecf67a

                      SHA1

                      5279cce7ce676dc85630d3ecc4119fc9150702c5

                      SHA256

                      9753a0005f6ea2f49b39df3bf3fe61c14b28ea7a0c2beeb3b6efcc7e547899de

                      SHA512

                      62b064deb19eee70eac4417895d572d467c48e3c70a3cf84b5d2d83cda245b57c244a98aaf0934b1f69c41490bb7e327d1076d0e2da08eab19dacfedabbb5cc6

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\datareporting\glean\pending_pings\29618107-43b5-49b5-a585-c4ffbdb127a5
                      Filesize

                      26KB

                      MD5

                      aef08e98ec870a104edfa1d42da4f016

                      SHA1

                      6e0e65f269be65169784e91180fe6e2e6e6dba0e

                      SHA256

                      5d7f23dfcb9629e67f9cf0b5bda56462e4e7c5afcef7a188d568c4af251eb664

                      SHA512

                      4c0fba9b0c3b0ca44f18e02d30126a1f835fcb2ce60441b965db117f00b315a93026e73bd0e7561a7e163a13c72e81cc74945eb9ed1d7a52a26d9dc997223dde

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\datareporting\glean\pending_pings\40260918-c6b8-44ea-9909-0bfcaa7ca812
                      Filesize

                      982B

                      MD5

                      8a511b7d72d8ed23856d540690574de0

                      SHA1

                      07e138b8bc4253154c8199ac396887695f8579c0

                      SHA256

                      3fd4d26688ff3ea8fdebd10fbbeb6a5310ad251e0d0e271b92d0ea29477d6593

                      SHA512

                      8960c5ec4f57d667ce594d05bdd8bcc9aaca44f32baaccbd58e10ffb5998460ee721cf1b4be1d766b507e99e398bf8867776f653235f8f3da79f19903ed97900

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\datareporting\glean\pending_pings\9f712435-660f-4e80-b11e-ed6637cbc001
                      Filesize

                      671B

                      MD5

                      ceee7c6fa5a27bc78346381a674769ce

                      SHA1

                      ed1144b84009ee25163cf270e5244f6e1f298dd9

                      SHA256

                      ec12583e1c68aba4725626ade35aa23c41dcc18a887e0753a9a23a115726c05d

                      SHA512

                      0f99ce09db77a2f7d01ffe390b4c8c2e6a6a52093a7454c8120e0dd23d744f0ec045e15a1e033842e07875ada5c32dd9cfd814a6fdc5f27effc49fbe179b4308

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
                      Filesize

                      1.1MB

                      MD5

                      842039753bf41fa5e11b3a1383061a87

                      SHA1

                      3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

                      SHA256

                      d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

                      SHA512

                      d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
                      Filesize

                      116B

                      MD5

                      2a461e9eb87fd1955cea740a3444ee7a

                      SHA1

                      b10755914c713f5a4677494dbe8a686ed458c3c5

                      SHA256

                      4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

                      SHA512

                      34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
                      Filesize

                      372B

                      MD5

                      bf957ad58b55f64219ab3f793e374316

                      SHA1

                      a11adc9d7f2c28e04d9b35e23b7616d0527118a1

                      SHA256

                      bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

                      SHA512

                      79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
                      Filesize

                      17.8MB

                      MD5

                      daf7ef3acccab478aaa7d6dc1c60f865

                      SHA1

                      f8246162b97ce4a945feced27b6ea114366ff2ad

                      SHA256

                      bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

                      SHA512

                      5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\prefs-1.js
                      Filesize

                      11KB

                      MD5

                      45aa51e46f8f8d52eef8c716e0dc7688

                      SHA1

                      a6047a712e9c3db11355182793e625996f3fcb21

                      SHA256

                      d90aa2efbe3f86aecace492b4547266bd56e4e3aac7b741a9957c81ad6c32ff8

                      SHA512

                      e7f692eb419df86c141c26c3ce84bd7fd5f9111f2b3504c258d4c8a5b6708e341a27074c47eb3dd49deafe2344c479369851eed0640d445958d5e8b7d7427bc7

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\prefs-1.js
                      Filesize

                      10KB

                      MD5

                      f9f5fdfba54ecdb127482b999533b2c0

                      SHA1

                      eec588295e2bd4c01a641e964462fea5b2afc1dc

                      SHA256

                      e298be5b5f632d1e9ba886abe47b36a0fc83dd908a7ed27eb5bc9cbd224c0010

                      SHA512

                      ab49b91960a64777babb876e7c34065930197fb3c6d49e0a41ea627db37df188e18be236bf6a5b3c366edde1a39a9500416d01e3fe7ca0ae455866e954076b5d

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\sessionstore-backups\recovery.baklz4
                      Filesize

                      3KB

                      MD5

                      35ba9181f941eeec5e9b17da03803944

                      SHA1

                      947664848a8cfad37b72c3ee2013e8194aa90c14

                      SHA256

                      77aba65e218402ad4bd65ab2611cbd6c17c264fb4afd718c5821377941f0ceef

                      SHA512

                      64cd6384b4ca8d32ea54d1fc4b8e6f3c53fd7bde45c27aa9e14f54216b33d9b996dfa7db5df1a87390e913e8a1385dec893ed2575762237501e6ccacd7eee1d5

                      Download Submit

                    • memory/5168-0-0x00007FF91FE13000-0x00007FF91FE15000-memory.dmp

                      Filesize

                      8KB

                      Download

                    • memory/5168-3-0x00007FF91FE10000-0x00007FF9208D2000-memory.dmp

                      Filesize

                      10.8MB

                      Download

                    • memory/5168-2-0x00007FF91FE10000-0x00007FF9208D2000-memory.dmp

                      Filesize

                      10.8MB

                      Download

                    • memory/5168-1-0x0000000000D90000-0x0000000000DAC000-memory.dmp

                      Filesize

                      112KB

                      Download