Analysis

  • max time kernel
    2578s
  • max time network
    2289s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    12/11/2024, 06:15 UTC

General

  • Target

    NLHybrid Fixer.exe

  • Size

    42KB

  • MD5

    269085c7755574a5cd840b298a0b4a55

  • SHA1

    3b20a9f3c0e5ed34d37c5c915c07fd93da7d7cbd

  • SHA256

    ee94f31406ba029502b3737f9d2c2d2d22448643deaa3095239a55b58b9169c8

  • SHA512

    47b5782e53cf03bb5eb8f96584b9e0608bc10038b8721761bf67af75ed0b77a2e51ef94a9d62302e6e0d45885e72d47b80815caa8c063a616d50b646885b5f65

  • SSDEEP

    768:yvD19vXwj/0OhWgEiymT+jxPuqF3t9NRX6POChM0LevH:I19/wj/F8iy/P5F99NRX6POCK0k

Malware Config

Extracted

Family

xworm

Version

5.0

C2

remote-newest.gl.at.ply.gg:62113

fund-scared.gl.at.ply.gg:62113

Mutex

UrM5eoX12ULh6st6

Attributes
  • Install_directory

    %Userprofile%

  • install_file

    win64updater.exe

aes.plain

a14YvqGoNTGPf0NW7BtDBg==

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\NLHybrid Fixer.exe
    "C:\Users\Admin\AppData\Local\Temp\NLHybrid Fixer.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2848
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NLHybrid Fixer.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2256
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'NLHybrid Fixer.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:828
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\win64updater.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2700
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'win64updater.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2576
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "win64updater" /tr "C:\Users\Admin\win64updater.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2600
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /delete /f /tn "win64updater"
      2⤵
      PID:1808
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp40D7.tmp.bat""
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:1836
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:1208

Network

    • flag-us
      DNS
      fund-scared.gl.at.ply.gg
      NLHybrid Fixer.exe
      Remote address:
      8.8.8.8:53
      Request
      fund-scared.gl.at.ply.gg
      IN A
      Response
      fund-scared.gl.at.ply.gg
      IN A
      147.185.221.22
    • 147.185.221.22:62113
      fund-scared.gl.at.ply.gg
      NLHybrid Fixer.exe
      460 B
      191 B
      4
      4
    • 8.8.8.8:53
      fund-scared.gl.at.ply.gg
      dns
      NLHybrid Fixer.exe
      70 B
      86 B
      1
      1

      DNS Request

      fund-scared.gl.at.ply.gg

      DNS Response

      147.185.221.22

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp40D7.tmp.bat

      Filesize

      166B

      MD5

      24bba24ce6c7f18f14decc7f434b91fc

      SHA1

      2b8295776125c1628cdb535746dc3feb7c885a74

      SHA256

      4bc839944bed015e972d45d8befe3dcd4a3ba91de9766e8916ca0834984267e5

      SHA512

      6c641e56d9befa711e614dbc6b0d84a74c7addd099fb43fbfeabfe441e19106c37d300b033bcfd38a87c3e5d00304ee7153be8fd794ac46d536339a08e32970c

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

      Filesize

      7KB

      MD5

      fdbdfb69f135192350756a9e84d10534

      SHA1

      1167d88506ecd591eb64f6b6b0748939de1d05e6

      SHA256

      9ff21c98d15d1b22e2c87fc29c7f3e521c378639f3e1e3a8b2445830f10c1f53

      SHA512

      f972a9c77687996b9fd890e24e5632c62dadc028f3d3be550d9ab0fe139ed2bc79f152d8a0abc69d8346a3b8b2eb6d829d2c165dab1f5116f5eac4798dafbd32

    • memory/828-15-0x00000000022C0000-0x00000000022C8000-memory.dmp

      Filesize

      32KB

    • memory/828-14-0x000000001B6A0000-0x000000001B982000-memory.dmp

      Filesize

      2.9MB

    • memory/2256-7-0x000000001B7B0000-0x000000001BA92000-memory.dmp

      Filesize

      2.9MB

    • memory/2256-8-0x0000000001E60000-0x0000000001E68000-memory.dmp

      Filesize

      32KB

    • memory/2256-6-0x0000000002C40000-0x0000000002CC0000-memory.dmp

      Filesize

      512KB

    • memory/2848-0-0x000007FEF5BE3000-0x000007FEF5BE4000-memory.dmp

      Filesize

      4KB

    • memory/2848-31-0x000000001B0F0000-0x000000001B170000-memory.dmp

      Filesize

      512KB

    • memory/2848-32-0x000007FEF5BE3000-0x000007FEF5BE4000-memory.dmp

      Filesize

      4KB

    • memory/2848-33-0x000000001B0F0000-0x000000001B170000-memory.dmp

      Filesize

      512KB

    • memory/2848-1-0x0000000000DF0000-0x0000000000E00000-memory.dmp

      Filesize

      64KB
