Analysis

  • max time kernel
    116s
  • max time network
    119s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/11/2024, 15:37 UTC

General

  • Target

    6f935745c6bffb29341d1766661ba96bfef6bdf0fa016cec6169afc33a624f47.exe

  • Size

    37KB

  • MD5

    ed094471653276ce7f933ff63508c4b6

  • SHA1

    5fe4c184e7915d7d79ada1f123de7263f7e3f41a

  • SHA256

    6f935745c6bffb29341d1766661ba96bfef6bdf0fa016cec6169afc33a624f47

  • SHA512

    0b1a108dea4f7540b5a52d4080f34d7acf6e91d90412acbc75e02510771b8e28d65f912756263bd33f986cb28a0e935616b14f1913d93e68c71f9f82c69d7fee

  • SSDEEP

    768:ztGRiYTgP/NNo5GfjS61216La/FP192iOphi7X4:zkRi+gsGu6McLgFt92iOpeX4

Malware Config

Extracted

Family

xworm

Version

3.1

C2

role-fresh.gl.at.ply.gg:2522

Mutex

tZ4Yyzni0aPUlFjz

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    USB.exe

aes.plain
1
L0PNu2siO768+NMp4d7npA==

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\6f935745c6bffb29341d1766661ba96bfef6bdf0fa016cec6169afc33a624f47.exe
    "C:\Users\Admin\AppData\Local\Temp\6f935745c6bffb29341d1766661ba96bfef6bdf0fa016cec6169afc33a624f47.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4980
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "6f935745c6bffb29341d1766661ba96bfef6bdf0fa016cec6169afc33a624f47" /tr "C:\ProgramData\6f935745c6bffb29341d1766661ba96bfef6bdf0fa016cec6169afc33a624f47.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2724
  • C:\ProgramData\6f935745c6bffb29341d1766661ba96bfef6bdf0fa016cec6169afc33a624f47.exe
    C:\ProgramData\6f935745c6bffb29341d1766661ba96bfef6bdf0fa016cec6169afc33a624f47.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4884
  • C:\ProgramData\6f935745c6bffb29341d1766661ba96bfef6bdf0fa016cec6169afc33a624f47.exe
    C:\ProgramData\6f935745c6bffb29341d1766661ba96bfef6bdf0fa016cec6169afc33a624f47.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2632

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dns.google
  • flag-us
    DNS
    13.86.106.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    13.86.106.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    88.210.23.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    88.210.23.2.in-addr.arpa
    IN PTR
    Response
    88.210.23.2.in-addr.arpa
    IN PTR
    a2-23-210-88.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    2.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    2.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    role-fresh.gl.at.ply.gg
    6f935745c6bffb29341d1766661ba96bfef6bdf0fa016cec6169afc33a624f47.exe
    Remote address:
    8.8.8.8:53
    Request
    role-fresh.gl.at.ply.gg
    IN A
    Response
    role-fresh.gl.at.ply.gg
    IN A
    147.185.221.19
  • flag-us
    DNS
    154.239.44.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    154.239.44.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    58.55.71.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    58.55.71.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    50.23.12.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    50.23.12.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    241.42.69.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    241.42.69.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    75.117.19.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    75.117.19.2.in-addr.arpa
    IN PTR
    Response
    75.117.19.2.in-addr.arpa
    IN PTR
    a2-19-117-75.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    19.229.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    19.229.111.52.in-addr.arpa
    IN PTR
    Response
  • 147.185.221.19:2522
    role-fresh.gl.at.ply.gg
    6f935745c6bffb29341d1766661ba96bfef6bdf0fa016cec6169afc33a624f47.exe
    260 B
    5
  • 147.185.221.19:2522
    role-fresh.gl.at.ply.gg
    6f935745c6bffb29341d1766661ba96bfef6bdf0fa016cec6169afc33a624f47.exe
    260 B
    5
  • 147.185.221.19:2522
    role-fresh.gl.at.ply.gg
    6f935745c6bffb29341d1766661ba96bfef6bdf0fa016cec6169afc33a624f47.exe
    260 B
    5
  • 147.185.221.19:2522
    role-fresh.gl.at.ply.gg
    6f935745c6bffb29341d1766661ba96bfef6bdf0fa016cec6169afc33a624f47.exe
    260 B
    5
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
    90 B
    1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    13.86.106.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    13.86.106.20.in-addr.arpa

  • 8.8.8.8:53
    88.210.23.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    88.210.23.2.in-addr.arpa

  • 8.8.8.8:53
    2.159.190.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    2.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    role-fresh.gl.at.ply.gg
    dns
    6f935745c6bffb29341d1766661ba96bfef6bdf0fa016cec6169afc33a624f47.exe
    69 B
    85 B
    1
    1

    DNS Request

    role-fresh.gl.at.ply.gg

    DNS Response

    147.185.221.19

  • 8.8.8.8:53
    154.239.44.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    154.239.44.20.in-addr.arpa

  • 8.8.8.8:53
    58.55.71.13.in-addr.arpa
    dns
    70 B
    144 B
    1
    1

    DNS Request

    58.55.71.13.in-addr.arpa

  • 8.8.8.8:53
    50.23.12.20.in-addr.arpa
    dns
    70 B
    156 B
    1
    1

    DNS Request

    50.23.12.20.in-addr.arpa

  • 8.8.8.8:53
    241.42.69.40.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    241.42.69.40.in-addr.arpa

  • 8.8.8.8:53
    75.117.19.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    75.117.19.2.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    19.229.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    19.229.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\6f935745c6bffb29341d1766661ba96bfef6bdf0fa016cec6169afc33a624f47.exe

    Filesize

    37KB

    MD5

    ed094471653276ce7f933ff63508c4b6

    SHA1

    5fe4c184e7915d7d79ada1f123de7263f7e3f41a

    SHA256

    6f935745c6bffb29341d1766661ba96bfef6bdf0fa016cec6169afc33a624f47

    SHA512

    0b1a108dea4f7540b5a52d4080f34d7acf6e91d90412acbc75e02510771b8e28d65f912756263bd33f986cb28a0e935616b14f1913d93e68c71f9f82c69d7fee

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\6f935745c6bffb29341d1766661ba96bfef6bdf0fa016cec6169afc33a624f47.exe.log

    Filesize

    654B

    MD5

    2ff39f6c7249774be85fd60a8f9a245e

    SHA1

    684ff36b31aedc1e587c8496c02722c6698c1c4e

    SHA256

    e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

    SHA512

    1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

  • memory/4884-13-0x00007FF976220000-0x00007FF976CE1000-memory.dmp

    Filesize

    10.8MB

  • memory/4884-16-0x00007FF976220000-0x00007FF976CE1000-memory.dmp

    Filesize

    10.8MB

  • memory/4980-0-0x00007FF976223000-0x00007FF976225000-memory.dmp

    Filesize

    8KB

  • memory/4980-1-0x0000000000090000-0x00000000000A0000-memory.dmp

    Filesize

    64KB

  • memory/4980-10-0x00007FF976220000-0x00007FF976CE1000-memory.dmp

    Filesize

    10.8MB

  • memory/4980-14-0x00007FF976223000-0x00007FF976225000-memory.dmp

    Filesize

    8KB

  • memory/4980-17-0x00007FF976220000-0x00007FF976CE1000-memory.dmp

    Filesize

    10.8MB
