Analysis
max time kernel: 1795s
max time network: 1797s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/11/2024, 18:28

Behavioral task: behavioral1
Sample: LadBeams.exe
Resource: win10v2004-20241007-en
General
Target: LadBeams.exe
Size: 36KB
MD5: 10e43f7859cef3d334e51f2043c7521d
SHA1: 0a4d61955bcd2a849d94f3421a1b4c8643a63378
SHA256: 3a07029a28172b8ee690bbf943ac0f45f819611b90bd2dda444aa972d145cf38
SHA512: 22bcdcd592035b12b81c76b896372c05b4ffcb983cac2777510b924a49ed98b74409d6ea83829f3bfe1898dd99532db677b9bdc403a64fbd6eaed7692c3720a3
SSDEEP: 768:kra5QDoJFA4g+xCwdW9OFpVFr9oxOwhmu/ZaR:+a5QDeRg+8wgSXFr9oxOw0hR
Malware Config
Extracted
Family: xworm
Version: 3.1
TXNXspXqHQ7kFGni
Install_directory: %AppData%
install_file: USB.exe

Note that the install name observed at runtime (LadBeams.exe written to C:\Users\Admin\AppData\Roaming, see Signatures and Processes below) differs from the extracted install_file value, so hunt on both names rather than on USB.exe alone.
Signatures

Detect Xworm Payload (2 IoCs)
resource | yara_rule
behavioral1/memory/1940-1-0x00000000004C0000-0x00000000004D0000-memory.dmp | family_xworm
behavioral1/files/0x0010000000023b3f-8.dat | family_xworm

Xworm family

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry (Control Panel\International\Geo\Nation), a common geofencing check.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | LadBeams.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | LadBeams.exe

Drops startup file (3 IoCs)
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LadBeams.lnk | LadBeams.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LadBeams.lnk | LadBeams.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LadBeams.lnk | LadBeams.exe

Executes dropped EXE (26 IoCs)
pid | Process
All 26 entries are LadBeams.exe; pids in order: 676, 3276, 4292, 2024, 1660, 5092, 3152, 636, 3564, 4592, 3816, 3456, 4756, 2256, 2388, 1556, 2356, 368, 4948, 636, 3580, 4664, 4172, 1688, 4876, 2392.
PID 636 appears twice, so the PID was reused during the run; correlate these launches by image path and hash rather than by PID.

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LadBeams = "C:\\Users\\Admin\\AppData\\Roaming\\LadBeams.exe" | LadBeams.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LadBeams = "C:\\Users\\Admin\\AppData\\Roaming\\LadBeams.exe" | LadBeams.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Scheduled Task/Job: Scheduled Task (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution. Here the task is named "LadBeams", runs every minute (/sc minute /mo 1) at the highest run level (/RL HIGHEST), and points at the dropped copy in AppData\Roaming (see the command lines under Processes).
pid | Process
4636 | schtasks.exe
1532 | schtasks.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
1940 | LadBeams.exe
2392 | LadBeams.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | Process
1940 | LadBeams.exe

Suspicious use of AdjustPrivilegeToken (26 IoCs)
description | pid | Process
Token: SeDebugPrivilege | LadBeams.exe, for each of these 26 pids: 1940, 676, 3276, 4292, 2024, 1660, 5092, 3152, 636, 3564, 4592, 3816, 3456, 4756, 2256, 2388, 2356, 368, 4948, 636, 3580, 4664, 4172, 1688, 4876, 2392

Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
1940 | LadBeams.exe
2392 | LadBeams.exe

Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | Process | procid_target
PID 1940 wrote to memory of 4636 | 1940 | LadBeams.exe | 91
PID 1940 wrote to memory of 4636 | 1940 | LadBeams.exe | 91
PID 2392 wrote to memory of 1532 | 2392 | LadBeams.exe | 132
PID 2392 wrote to memory of 1532 | 2392 | LadBeams.exe | 132

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(level 1 = no parent shown in the tree; level 2 = child of the entry above it)

1  C:\Users\Admin\AppData\Local\Temp\LadBeams.exe   PID 1940
   cmdline: "C:\Users\Admin\AppData\Local\Temp\LadBeams.exe"
   signatures: Checks computer location settings; Drops startup file; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
   2  C:\Windows\System32\schtasks.exe   PID 4636
      cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "LadBeams" /tr "C:\Users\Admin\AppData\Roaming\LadBeams.exe"
      signatures: Scheduled Task/Job: Scheduled Task

1  C:\Users\Admin\AppData\Roaming\LadBeams.exe   26 launches, each at level 1
   cmdline: C:\Users\Admin\AppData\Roaming\LadBeams.exe
   PIDs in order: 676, 3276, 4292, 2024, 1660, 5092, 3152, 636, 3564, 4592, 3816, 3456, 4756, 2256, 2388, 1556, 2356, 368, 4948, 636, 3580, 4664, 4172, 1688, 4876, 2392
   signatures for each launch: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
   exceptions: PID 1556 shows Executes dropped EXE only; PID 2392 additionally shows Checks computer location settings; Drops startup file; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
   2  C:\Windows\System32\schtasks.exe   PID 1532   (child of PID 2392)
      cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "LadBeams" /tr "C:\Users\Admin\AppData\Roaming\LadBeams.exe"
      signatures: Scheduled Task/Job: Scheduled Task
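Detection logic for the three persistence mechanisms this report records (the per-minute schtasks job with /RL HIGHEST, the HKCU Run value, and the Startup-folder .lnk), as an added example that is not part of the tria.ge report. It runs over a handful of constructed events built from the command line, registry value and file path listed above, plus one benign control task that must not be flagged. The event layout (kind/pid/image/command_line/target/details), the rule names and the two-indicator threshold are assumptions for illustration, not a real Sysmon or EDR schema.

```python
"""Flag schtasks/Run-key/Startup-folder persistence in process, registry and
file events. Event shape and thresholds are assumed (see lead-in).
Python 3.9+, standard library only."""
import re
import shlex
from dataclasses import dataclass
from typing import Iterable, List

# Paths an unprivileged user can write to; a persistence action living here is
# far more suspicious than one under Program Files or System32.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(Roaming|Local)\\", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
STARTUP_DIR = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)


@dataclass
class Event:
    kind: str               # "process", "registry" or "file" (assumed labels)
    pid: int
    image: str
    command_line: str = ""  # process events
    target: str = ""        # registry value path or file path
    details: str = ""       # data written to the registry value


@dataclass
class Finding:
    pid: int
    rule: str
    detail: str


def split_windows_cmdline(cmd: str) -> List[str]:
    """Split on whitespace, honour double quotes, keep backslashes literal."""
    lex = shlex.shlex(cmd, posix=False)   # non-POSIX: no backslash escapes
    lex.whitespace_split = True
    lex.commenters = ""
    return [tok.strip('"') for tok in lex]


def parse_schtasks(argv: List[str]) -> dict:
    """'/create' -> {'create': True}, '/sc minute' -> {'sc': 'minute'}."""
    opts = {}
    i = 1  # argv[0] is the image path
    while i < len(argv):
        arg = argv[i]
        if arg.startswith("/"):
            key = arg[1:].lower()
            if i + 1 < len(argv) and not argv[i + 1].startswith("/"):
                opts[key] = argv[i + 1]
                i += 2
                continue
            opts[key] = True
        i += 1
    return opts


def check_process(ev: Event) -> List[Finding]:
    if ev.kind != "process" or not ev.image.lower().endswith("schtasks.exe"):
        return []
    opts = parse_schtasks(split_windows_cmdline(ev.command_line))
    if "create" not in opts:
        return []
    reasons = []
    if str(opts.get("sc", "")).lower() == "minute":
        reasons.append("runs every %s minute(s)" % opts.get("mo", "?"))
    if str(opts.get("rl", "")).upper() == "HIGHEST":
        reasons.append("/RL HIGHEST")
    action = str(opts.get("tr", ""))
    if USER_WRITABLE.search(action):
        reasons.append("action under user profile: " + action)
    # Require two independent indicators so an admin's ordinary task
    # (daily schedule, Program Files action) does not trip the rule.
    if len(reasons) < 2:
        return []
    return [Finding(ev.pid, "schtasks_persistence",
                    "task %r: %s" % (opts.get("tn", "?"), "; ".join(reasons)))]


def check_registry(ev: Event) -> List[Finding]:
    if ev.kind != "registry" or not RUN_KEY.search(ev.target):
        return []
    if not USER_WRITABLE.search(ev.details):
        return []
    return [Finding(ev.pid, "run_key_user_path", ev.target + " = " + ev.details)]


def check_file(ev: Event) -> List[Finding]:
    if ev.kind != "file" or not STARTUP_DIR.search(ev.target):
        return []
    return [Finding(ev.pid, "startup_folder_drop", ev.target)]


def scan(events: Iterable[Event]) -> List[Finding]:
    out: List[Finding] = []
    for ev in events:
        out += check_process(ev) + check_registry(ev) + check_file(ev)
    return out


# Constructed events: the first three mirror the command line, registry value
# and Startup-folder file in this report; the fourth is a benign control.
SAMPLE_EVENTS = [
    Event("process", 4636, r"C:\Windows\System32\schtasks.exe",
          command_line=r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST '
                       r'/sc minute /mo 1 /tn "LadBeams" /tr "C:\Users\Admin\AppData\Roaming\LadBeams.exe"'),
    Event("registry", 1940, r"C:\Users\Admin\AppData\Local\Temp\LadBeams.exe",
          target=r"\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000"
                 r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LadBeams",
          details=r"C:\Users\Admin\AppData\Roaming\LadBeams.exe"),
    Event("file", 1940, r"C:\Users\Admin\AppData\Local\Temp\LadBeams.exe",
          target=r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LadBeams.lnk"),
    Event("process", 5000, r"C:\Windows\System32\schtasks.exe",
          command_line=r'"C:\Windows\System32\schtasks.exe" /create /sc daily /st 02:00 '
                       r'/tn "NightlyBackup" /tr "C:\Program Files\Backup\backup.exe"'),
]

for f in scan(SAMPLE_EVENTS):
    print("pid %d: %s: %s" % (f.pid, f.rule, f.detail))
```

Running it prints one finding per real mechanism (schtasks job, Run value, Startup .lnk) and nothing for the nightly backup task. The schtasks rule deliberately needs two of its three indicators, because any one of them alone (a task under AppData, or /RL HIGHEST, or a minute schedule) has legitimate uses; the combination seen in this report has very few.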
Network
(no entries listed)

MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1): Scheduled Task (1)
Downloads

Filesize: 654B
MD5: 2ff39f6c7249774be85fd60a8f9a245e
SHA1: 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256: e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512: 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Filesize: 36KB (same hashes as the submitted sample)
MD5: 10e43f7859cef3d334e51f2043c7521d
SHA1: 0a4d61955bcd2a849d94f3421a1b4c8643a63378
SHA256: 3a07029a28172b8ee690bbf943ac0f45f819611b90bd2dda444aa972d145cf38
SHA512: 22bcdcd592035b12b81c76b896372c05b4ffcb983cac2777510b924a49ed98b74409d6ea83829f3bfe1898dd99532db677b9bdc403a64fbd6eaed7692c3720a3

Filesize: 778B
MD5: 5624e2f53102282c045bc6fbf292b841
SHA1: 8ad487702deca823599dc824fef3f83d3d57a930
SHA256: 8ccb0a75c4b4275dd65591898146ab0cd8a3e185a8b9c54694118a199f7bbcd2
SHA512: ae7d4dcddceb9a932fd17d54f25cb0066708aadc8d482ab50dc2b3fa4e2427c3ff7e0d6e2c8e903c53286d07326d8e5659e887a5c2887b291f350764ee38f3d3