Analysis
max time kernel: 30s
max time network: 31s
platform: windows10-ltsc 2021_x64
resource: win10ltsc2021-20241023-en
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
submitted: 16/11/2024, 23:23
Static task: static1
Behavioral task: behavioral1
Sample: Discord.exe
Resource: win10ltsc2021-20241023-en
General
Target: Discord.exe
Size: 923KB
MD5: dde9c5a240d1467bbeb73bf9800e2451
SHA1: 84da3914545cbca748465892deb5c45fe7849ddf
SHA256: af652fa448221ed08ba75eb68ad1ba894e4d3bafdbfa4569eef4704fd14c76c7
SHA512: ce85de90686c7e64fe90201428993c02461729428a48937961ea6fc09fc7e5e65b13acdeaae54cbdd65ebdf5b93e769ef16020d96094ca498e1699a91c240e77
SSDEEP: 12288:RiuHvJKVze1rxIH8P2ttPfDBQW6dmlgNlHDCJ9dZay:pPJKzyoUctPLGW6dmlgNljCr1
Malware Config
Extracted family: xworm
C2: 45.141.27.91:7777
Install_directory: %AppData%
install_file: svchost.exe
(The extracted install path matches the dropped payload seen at runtime: C:\Users\Admin\AppData\Roaming\svchost.exe.)
Signatures
Detect Xworm Payload (2 IoCs)
  yara rule family_xworm: behavioral1/files/0x0026000000045177-15.dat
  yara rule family_xworm: behavioral1/memory/2160-27-0x0000000000070000-0x000000000008A000-memory.dmp
Xworm family
Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)
  Runs PowerShell to add Windows Defender exclusions (file extensions, paths, processes).
  pid/process: 2052 powershell.exe, 2648 powershell.exe, 4068 powershell.exe, 2476 powershell.exe
  Two exclusions are added, each issued twice: -ExclusionPath for the dropped svchost.exe and -ExclusionProcess for the name svchost.exe. Add-MpPreference only takes effect from an elevated session. A process exclusion by bare image name also covers the genuine System32 svchost.exe, so it leaves a broad blind spot until it is removed with Remove-MpPreference.
Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry, likely geofencing.
  Key value queried: \REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\Control Panel\International\Geo\Nation (Discord.exe, svchost.exe)
Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk (svchost.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk (svchost.exe)
Executes dropped EXE (2 IoCs)
  pid/process: 3268 batLocking.exe, 2160 svchost.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" (svchost.exe)
Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 25: ip-api.com
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid/process: 4080 schtasks.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs, list capped at 64)
  pid/process: 2052, 2648, 4068, 2476 powershell.exe (2 entries each); 2160 svchost.exe (the remaining 56 entries)
Suspicious use of AdjustPrivilegeToken (64 IoCs, list capped at 64)
  2160 svchost.exe: SeDebugPrivilege
  2052 powershell.exe: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  2648 powershell.exe: same sequence as 2052
  4068 powershell.exe: same sequence as 2052 up to SeManageVolumePrivilege, then 33 (list truncated at the 64-entry cap; 2476 does not appear for that reason)
  The numeric entries are privilege LUIDs the sandbox did not resolve to names; in winnt.h LUIDs 33 to 36 are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege and SeDelegateSessionUserImpersonatePrivilege.
Suspicious use of FindShellTrayWindow (2 IoCs)
  pid/process: 3268 batLocking.exe (2 entries)
Suspicious use of SendNotifyMessage (2 IoCs)
  pid/process: 3268 batLocking.exe (2 entries)
Suspicious use of SetWindowsHookEx (1 IoC)
  pid/process: 2160 svchost.exe
Suspicious use of WriteProcessMemory (28 IoCs; each parent/child pair is logged twice)
  2512 Discord.exe -> 3268 batLocking.exe, 2160 svchost.exe
  3268 batLocking.exe -> 2136 cmd.exe, 764 cmd.exe, 1976 cmd.exe, 3080 cmd.exe
  2136 cmd.exe -> 3832 certutil.exe, 5112 find.exe, 1612 find.exe
  2160 svchost.exe -> 2052 powershell.exe, 2648 powershell.exe, 4068 powershell.exe, 2476 powershell.exe, 4080 schtasks.exe
Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
[1] C:\Users\Admin\AppData\Local\Temp\Discord.exe (PID 2512)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\Discord.exe"
    signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Roaming\batLocking.exe (PID 3268)
      cmdline: "C:\Users\Admin\AppData\Roaming\batLocking.exe"
      signatures: Executes dropped EXE; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\cmd.exe (PID 2136)
        cmdline: C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Roaming\batLocking.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
        signatures: Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\certutil.exe (PID 3832): certutil -hashfile "C:\Users\Admin\AppData\Roaming\batLocking.exe" MD5
      [4] C:\Windows\system32\find.exe (PID 5112): find /i /v "md5"
      [4] C:\Windows\system32\find.exe (PID 1612): find /i /v "certutil"
    [3] C:\Windows\system32\cmd.exe (PID 764): C:\Windows\system32\cmd.exe /c color 0F
    [3] C:\Windows\system32\cmd.exe (PID 1976): C:\Windows\system32\cmd.exe /c cls
    [3] C:\Windows\system32\cmd.exe (PID 3080): C:\Windows\system32\cmd.exe /c cls
  [2] C:\Users\Admin\AppData\Roaming\svchost.exe (PID 2160)
      cmdline: "C:\Users\Admin\AppData\Roaming\svchost.exe"
      signatures: Checks computer location settings; Drops startup file; Executes dropped EXE; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2052)
        cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
        signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2648)
        cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
        signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4068)
        cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
        signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2476)
        cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
        signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses
    [3] C:\Windows\System32\schtasks.exe (PID 4080)
        cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
        signatures: Scheduled Task/Job: Scheduled Task

Reading the tree: Discord.exe drops two executables into %AppData%\Roaming. batLocking.exe only spawns console batch commands (certutil self-hash with the header lines filtered out, color, cls), which is consistent with a batch script wrapped as an executable. svchost.exe (the XWorm payload, named after the Windows service host but running from a user-writable directory) does the real work: two Defender exclusions, each issued twice, a Run key, a Startup-folder .lnk, and a scheduled task named "svchost" that re-launches the payload every minute with /RL HIGHEST and /f (overwrite without prompting). The one-minute task acts as a watchdog, so deleting the file or killing the process without also removing the task, the Run key, the .lnk and the two exclusions does not clean the host.
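The behaviours above reduce to a handful of detection rules: a reserved system image name running outside System32/SysWOW64, Add-MpPreference exclusions that shield a user-writable path or a bare process name, schtasks /create with a minute-level trigger and /RL HIGHEST pointing at a user-writable path, and a Run value pointing at a user-writable path. The following is an added example, not tria.ge code: the rules run over constructed Sysmon-style events that reuse the PIDs and command lines from this report, plus two benign control events (the real System32 svchost.exe and a daily backup task) that must not fire. The event layout, the control events and the severity labels are assumptions made for the example.

```python
"""Added detection example (not tria.ge code): rules for the persistence and
defence-evasion steps in this report, run over constructed Sysmon-style events.
Event shape, the reuse of the report's PIDs and the two benign control events
are assumptions made for the example."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Directories a standard user can write to: a "system" binary or autostart entry here is suspect.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)
SYSTEM_DIRS = re.compile(r"^C:\\Windows\\(System32|SysWOW64)\\", re.I)
# Image names the OS reserves; a copy outside System32/SysWOW64 is masquerading (the report's %AppData% svchost.exe).
SYSTEM_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe", "explorer.exe"}

@dataclass(frozen=True)
class ProcEvent:          # process creation
    pid: int
    ppid: int
    image: str
    cmdline: str

@dataclass(frozen=True)
class RegEvent:           # registry value set
    pid: int
    key: str
    value: str
    data: str

def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def check_masquerade(ev: ProcEvent) -> list[str]:
    name = _basename(ev.image)
    if name in SYSTEM_NAMES and not SYSTEM_DIRS.match(ev.image):
        return [f"masquerade: {name} running from {ev.image}"]
    return []

def check_defender_exclusion(ev: ProcEvent) -> list[str]:
    if _basename(ev.image) not in {"powershell.exe", "pwsh.exe"}:
        return []
    m = re.search(r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)\s+'?([^'\s]+)'?", ev.cmdline, re.I)
    if not m:
        return []
    kind, target = m.group(1).lower(), m.group(2)
    # A process exclusion by bare name also covers the real svchost.exe; a user-writable path shields the dropped payload.
    sev = "high" if kind == "process" or USER_WRITABLE.search(target) else "medium"
    found = [f"defender exclusion ({sev}): -Exclusion{kind.capitalize()} {target}"]
    if re.search(r"-ExecutionPolicy\s+Bypass", ev.cmdline, re.I):
        found.append("powershell: -ExecutionPolicy Bypass")
    return found

def check_schtasks(ev: ProcEvent) -> list[str]:
    if _basename(ev.image) != "schtasks.exe" or not re.search(r"/create\b", ev.cmdline, re.I):
        return []
    found = []
    sc = re.search(r"/sc\s+(\w+)", ev.cmdline, re.I)
    mo = re.search(r"/mo\s+(\d+)", ev.cmdline, re.I)
    tr = re.search(r'/tr\s+(?:"([^"]*)"|(\S+))', ev.cmdline, re.I)
    if sc and sc.group(1).lower() == "minute" and (mo is None or int(mo.group(1)) <= 5):
        found.append("schtasks: re-runs every few minutes (watchdog-style persistence)")
    if re.search(r"/RL\s+HIGHEST", ev.cmdline, re.I):
        found.append("schtasks: requests highest run level")
    action = tr and (tr.group(1) or tr.group(2))
    if action and USER_WRITABLE.search(action):
        found.append(f"schtasks: action runs from user-writable path {action}")
    return found

def check_run_key(ev: RegEvent) -> list[str]:
    if re.search(r"\\CurrentVersion\\Run$", ev.key, re.I) and USER_WRITABLE.search(ev.data):
        return [f"run key: {ev.value} -> {ev.data}"]
    return []

def scan(events) -> dict[int, list[str]]:
    """Findings keyed by PID; PIDs without findings are omitted."""
    out: dict[int, list[str]] = {}
    for ev in events:
        if isinstance(ev, ProcEvent):
            f = check_masquerade(ev) + check_defender_exclusion(ev) + check_schtasks(ev)
        else:
            f = check_run_key(ev)
        if f:
            out.setdefault(ev.pid, []).extend(f)
    return out

def correlate(events, findings: dict[int, list[str]]) -> list[int]:
    """PIDs whose parent is itself flagged: ties the exclusion and schtasks children to the masquerading svchost.exe."""
    parent = {ev.pid: ev.ppid for ev in events if isinstance(ev, ProcEvent)}
    return sorted(pid for pid in findings if parent.get(pid) in findings)

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SID = "S-1-5-21-4152190078-1497776152-96910572-1000"
# Constructed sample: the report's chain plus two benign controls (real svchost.exe, a daily backup task).
SAMPLE_EVENTS = [
    ProcEvent(2512, 1, r"C:\Users\Admin\AppData\Local\Temp\Discord.exe", r'"C:\Users\Admin\AppData\Local\Temp\Discord.exe"'),
    ProcEvent(2160, 2512, r"C:\Users\Admin\AppData\Roaming\svchost.exe", r'"C:\Users\Admin\AppData\Roaming\svchost.exe"'),
    ProcEvent(2052, 2160, PS, f'"{PS}" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath ' + r"'C:\Users\Admin\AppData\Roaming\svchost.exe'"),
    ProcEvent(2648, 2160, PS, f'"{PS}" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess ' + "'svchost.exe'"),
    ProcEvent(4080, 2160, r"C:\Windows\System32\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"'),
    RegEvent(2160, rf"HKU\{SID}\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "svchost", r"C:\Users\Admin\AppData\Roaming\svchost.exe"),
    ProcEvent(900, 700, r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\svchost.exe -k netsvcs"),
    ProcEvent(901, 700, r"C:\Windows\System32\schtasks.exe", r'schtasks /create /sc daily /tn "Backup" /tr "C:\Program Files\Backup\backup.exe"'),
]

if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for pid, lines in sorted(hits.items()):
        print(pid, *lines, sep="\n  ")
    print("child PIDs whose parent is also flagged:", correlate(SAMPLE_EVENTS, hits))
```

On the sample, PIDs 2160, 2052, 2648 and 4080 are flagged and the two controls stay silent; correlate() then groups the PowerShell and schtasks children under the masquerading svchost.exe so that the chain is triaged as one incident rather than four alerts. The severity labels and the five-minute threshold for the minute trigger are choices made for the example; tune them to the environment.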
Network
MITRE ATT&CK Enterprise v15
Execution
  Command and Scripting Interpreter: PowerShell (1)
  Scheduled Task/Job: Scheduled Task (1)
Persistence
  Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job: Scheduled Task (1)
The automated mapping stops at Execution and Persistence. The Defender exclusions in the signatures above are Impair Defenses: Disable or Modify Tools (T1562.001), and the payload named svchost.exe running from %AppData% is Masquerading: Match Legitimate Name or Location (T1036.005); neither appears in the summary.
Downloads (dropped files; the report does not name them)
File 1, 3KB
  MD5: 3eb3833f769dd890afc295b977eab4b4
  SHA1: e857649b037939602c72ad003e5d3698695f436f
  SHA256: c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485
  SHA512: c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72
File 2, 1KB
  MD5: f0f59cccd39a3694e0e6dfd44d0fa76d
  SHA1: fccd7911d463041e1168431df8823e4c4ea387c1
  SHA256: 70466c7f3a911368d653396fdd68f993322c69e1797b492ca00f8be34b7f3401
  SHA512: 5c726e1e28cb9c0c3ab963fbfbf471c6033839f3e535a3811581fdaa4da17175e5a8a8be84a4fccd99b81e048058e51d230ff3836e3ec920057a1b1676110bee
File 3, 1KB
  MD5: 4eb1592ecfd799f8b528ca4adbbaef3e
  SHA1: 669179cc8407d3d7e5e30a8707379a3056ffb445
  SHA256: 4d94fa0280fc0b680305be8ca83344177069577a0b06cbb63f009b898e3341bc
  SHA512: a3b60512ba3bb0e2d7c55e5927d548e6316a48ae1e69ef0a819550e72f023ae8b1767c6f45781e3a91e0c3c1357bc3cf344fb41f28ca89ddd13ecfee972e003e
File 4, 1KB
  MD5: aafbdb3c07cdd80320ab27b863b5437d
  SHA1: 6fd1dd650e6d5248d17a8400445b56dc2d59315b
  SHA256: 22bc5b85f76bdfbe30f699c832183f2be1985e7106b8af86f66e1a360b7a1c17
  SHA512: 268496f2db5b511301bb4f1088229ae94b54c905984d46c8032330020c120efe8ead7c7df214214ad34b59f039c79cec7bbaa0d6af4013d0bd99cd0f809a1f53
File 5, 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
File 6, 553KB
  MD5: 1ddedf0e0fa01b9d7540ab120179b615
  SHA1: 831ff858ead130083c67dc644234493c03bd8d15
  SHA256: ed36597de2bb67e1923a97bdbfe53a6cd434069950ba57a5f8d8c782f5e9a37f
  SHA512: c963db2eac9836da4e629daba2a2a223b2dc6dbf4af18c5bde697f2e8e80bde7fcfe41ec676f2fc870d123819c07224631cf5d69f565477920d04f9c5279ffdd
File 7, 81KB
  MD5: 7a52b09f8b176dd42457f18c34cd37a8
  SHA1: 871c1eb972dbd4e6836971de12d15746c9a0abc3
  SHA256: 8d77f2ab3cdba5d51b0f89671e4ce907ce51eefdc2aec7d5aaeb418109f88568
  SHA512: bb8a95fadfd273293cc12b0a2dc635d37fb73e39038aa06c20b542ee5ad0ae8c5ee115ffa50e9dd63aac2095f6ad0db981ffee352277ef77127c949a639faa8f