Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    1795s
  • max time network
    1797s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/11/2024, 18:28

General

  • Target

    LadBeams.exe

  • Size

    36KB

  • MD5

    10e43f7859cef3d334e51f2043c7521d

  • SHA1

    0a4d61955bcd2a849d94f3421a1b4c8643a63378

  • SHA256

    3a07029a28172b8ee690bbf943ac0f45f819611b90bd2dda444aa972d145cf38

  • SHA512

    22bcdcd592035b12b81c76b896372c05b4ffcb983cac2777510b924a49ed98b74409d6ea83829f3bfe1898dd99532db677b9bdc403a64fbd6eaed7692c3720a3

  • SSDEEP

    768:kra5QDoJFA4g+xCwdW9OFpVFr9oxOwhmu/ZaR:+a5QDeRg+8wgSXFr9oxOw0hR

Malware Config

Extracted

Family

xworm

Version

3.1

Mutex

TXNXspXqHQ7kFGni

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

aes.plain

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 26 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 26 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\LadBeams.exe
    "C:\Users\Admin\AppData\Local\Temp\LadBeams.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1940
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "LadBeams" /tr "C:\Users\Admin\AppData\Roaming\LadBeams.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:4636
  • C:\Users\Admin\AppData\Roaming\LadBeams.exe
    C:\Users\Admin\AppData\Roaming\LadBeams.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:676
  • C:\Users\Admin\AppData\Roaming\LadBeams.exe
    C:\Users\Admin\AppData\Roaming\LadBeams.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3276
  • C:\Users\Admin\AppData\Roaming\LadBeams.exe
    C:\Users\Admin\AppData\Roaming\LadBeams.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4292
  • C:\Users\Admin\AppData\Roaming\LadBeams.exe
    C:\Users\Admin\AppData\Roaming\LadBeams.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2024
  • C:\Users\Admin\AppData\Roaming\LadBeams.exe
    C:\Users\Admin\AppData\Roaming\LadBeams.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1660
  • C:\Users\Admin\AppData\Roaming\LadBeams.exe
    C:\Users\Admin\AppData\Roaming\LadBeams.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:5092
  • C:\Users\Admin\AppData\Roaming\LadBeams.exe
    C:\Users\Admin\AppData\Roaming\LadBeams.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3152
  • C:\Users\Admin\AppData\Roaming\LadBeams.exe
    C:\Users\Admin\AppData\Roaming\LadBeams.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:636
  • C:\Users\Admin\AppData\Roaming\LadBeams.exe
    C:\Users\Admin\AppData\Roaming\LadBeams.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3564
  • C:\Users\Admin\AppData\Roaming\LadBeams.exe
    C:\Users\Admin\AppData\Roaming\LadBeams.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4592
  • C:\Users\Admin\AppData\Roaming\LadBeams.exe
    C:\Users\Admin\AppData\Roaming\LadBeams.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3816
  • C:\Users\Admin\AppData\Roaming\LadBeams.exe
    C:\Users\Admin\AppData\Roaming\LadBeams.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3456
  • C:\Users\Admin\AppData\Roaming\LadBeams.exe
    C:\Users\Admin\AppData\Roaming\LadBeams.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4756
  • C:\Users\Admin\AppData\Roaming\LadBeams.exe
    C:\Users\Admin\AppData\Roaming\LadBeams.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2256
  • C:\Users\Admin\AppData\Roaming\LadBeams.exe
    C:\Users\Admin\AppData\Roaming\LadBeams.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2388
  • C:\Users\Admin\AppData\Roaming\LadBeams.exe
    C:\Users\Admin\AppData\Roaming\LadBeams.exe
    1⤵
    • Executes dropped EXE
    PID:1556
  • C:\Users\Admin\AppData\Roaming\LadBeams.exe
    C:\Users\Admin\AppData\Roaming\LadBeams.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2356
  • C:\Users\Admin\AppData\Roaming\LadBeams.exe
    C:\Users\Admin\AppData\Roaming\LadBeams.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:368
  • C:\Users\Admin\AppData\Roaming\LadBeams.exe
    C:\Users\Admin\AppData\Roaming\LadBeams.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4948
  • C:\Users\Admin\AppData\Roaming\LadBeams.exe
    C:\Users\Admin\AppData\Roaming\LadBeams.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:636
  • C:\Users\Admin\AppData\Roaming\LadBeams.exe
    C:\Users\Admin\AppData\Roaming\LadBeams.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3580
  • C:\Users\Admin\AppData\Roaming\LadBeams.exe
    C:\Users\Admin\AppData\Roaming\LadBeams.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4664
  • C:\Users\Admin\AppData\Roaming\LadBeams.exe
    C:\Users\Admin\AppData\Roaming\LadBeams.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4172
  • C:\Users\Admin\AppData\Roaming\LadBeams.exe
    C:\Users\Admin\AppData\Roaming\LadBeams.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1688
  • C:\Users\Admin\AppData\Roaming\LadBeams.exe
    C:\Users\Admin\AppData\Roaming\LadBeams.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4876
  • C:\Users\Admin\AppData\Roaming\LadBeams.exe
    C:\Users\Admin\AppData\Roaming\LadBeams.exe
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Executes dropped EXE
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2392
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "LadBeams" /tr "C:\Users\Admin\AppData\Roaming\LadBeams.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:1532

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\LadBeams.exe.log

    Filesize

    654B

    MD5

    2ff39f6c7249774be85fd60a8f9a245e

    SHA1

    684ff36b31aedc1e587c8496c02722c6698c1c4e

    SHA256

    e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

    SHA512

    1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

  • C:\Users\Admin\AppData\Roaming\LadBeams.exe

    Filesize

    36KB

    MD5

    10e43f7859cef3d334e51f2043c7521d

    SHA1

    0a4d61955bcd2a849d94f3421a1b4c8643a63378

    SHA256

    3a07029a28172b8ee690bbf943ac0f45f819611b90bd2dda444aa972d145cf38

    SHA512

    22bcdcd592035b12b81c76b896372c05b4ffcb983cac2777510b924a49ed98b74409d6ea83829f3bfe1898dd99532db677b9bdc403a64fbd6eaed7692c3720a3

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LadBeams.lnk

    Filesize

    778B

    MD5

    5624e2f53102282c045bc6fbf292b841

    SHA1

    8ad487702deca823599dc824fef3f83d3d57a930

    SHA256

    8ccb0a75c4b4275dd65591898146ab0cd8a3e185a8b9c54694118a199f7bbcd2

    SHA512

    ae7d4dcddceb9a932fd17d54f25cb0066708aadc8d482ab50dc2b3fa4e2427c3ff7e0d6e2c8e903c53286d07326d8e5659e887a5c2887b291f350764ee38f3d3

  • memory/676-15-0x00007FFBFD200000-0x00007FFBFDCC1000-memory.dmp

    Filesize

    10.8MB

  • memory/676-17-0x00007FFBFD200000-0x00007FFBFDCC1000-memory.dmp

    Filesize

    10.8MB

  • memory/1940-0-0x00007FFBFD203000-0x00007FFBFD205000-memory.dmp

    Filesize

    8KB

  • memory/1940-1-0x00000000004C0000-0x00000000004D0000-memory.dmp

    Filesize

    64KB

  • memory/1940-10-0x00007FFBFD200000-0x00007FFBFDCC1000-memory.dmp

    Filesize

    10.8MB

  • memory/1940-11-0x00007FFBFD203000-0x00007FFBFD205000-memory.dmp

    Filesize

    8KB

  • memory/1940-12-0x00007FFBFD200000-0x00007FFBFDCC1000-memory.dmp

    Filesize

    10.8MB

  • memory/1940-46-0x00007FFBFD200000-0x00007FFBFDCC1000-memory.dmp

    Filesize

    10.8MB