Analysis

  • max time kernel: 30s
  • max time network: 31s
  • platform: windows10-ltsc 2021_x64
  • resource: win10ltsc2021-20241023-en
  • resource tags: arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted: 16/11/2024, 23:23

General

  • Target: Discord.exe
  • Size: 923KB
  • MD5: dde9c5a240d1467bbeb73bf9800e2451
  • SHA1: 84da3914545cbca748465892deb5c45fe7849ddf
  • SHA256: af652fa448221ed08ba75eb68ad1ba894e4d3bafdbfa4569eef4704fd14c76c7
  • SHA512: ce85de90686c7e64fe90201428993c02461729428a48937961ea6fc09fc7e5e65b13acdeaae54cbdd65ebdf5b93e769ef16020d96094ca498e1699a91c240e77
  • SSDEEP: 12288:RiuHvJKVze1rxIH8P2ttPfDBQW6dmlgNlHDCJ9dZay:pPJKzyoUctPLGW6dmlgNljCr1

Malware Config

Extracted

  • Family: xworm
  • C2: 45.141.27.91:7777
  • Attributes
    • Install_directory: %AppData%
    • install_file: svchost.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Discord.exe
    "C:\Users\Admin\AppData\Local\Temp\Discord.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2512
    • C:\Users\Admin\AppData\Roaming\batLocking.exe
      "C:\Users\Admin\AppData\Roaming\batLocking.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:3268
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Roaming\batLocking.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2136
        • C:\Windows\system32\certutil.exe
          certutil -hashfile "C:\Users\Admin\AppData\Roaming\batLocking.exe" MD5
          4⤵
          PID:3832
        • C:\Windows\system32\find.exe
          find /i /v "md5"
          4⤵
          PID:5112
        • C:\Windows\system32\find.exe
          find /i /v "certutil"
          4⤵
          PID:1612
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c color 0F
        3⤵
        PID:764
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c cls
        3⤵
        PID:1976
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c cls
        3⤵
        PID:3080
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2160
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2052
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2648
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4068
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:2476
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:4080

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize: 3KB
    MD5: 3eb3833f769dd890afc295b977eab4b4
    SHA1: e857649b037939602c72ad003e5d3698695f436f
    SHA256: c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485
    SHA512: c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 1KB
    MD5: f0f59cccd39a3694e0e6dfd44d0fa76d
    SHA1: fccd7911d463041e1168431df8823e4c4ea387c1
    SHA256: 70466c7f3a911368d653396fdd68f993322c69e1797b492ca00f8be34b7f3401
    SHA512: 5c726e1e28cb9c0c3ab963fbfbf471c6033839f3e535a3811581fdaa4da17175e5a8a8be84a4fccd99b81e048058e51d230ff3836e3ec920057a1b1676110bee

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 1KB
    MD5: 4eb1592ecfd799f8b528ca4adbbaef3e
    SHA1: 669179cc8407d3d7e5e30a8707379a3056ffb445
    SHA256: 4d94fa0280fc0b680305be8ca83344177069577a0b06cbb63f009b898e3341bc
    SHA512: a3b60512ba3bb0e2d7c55e5927d548e6316a48ae1e69ef0a819550e72f023ae8b1767c6f45781e3a91e0c3c1357bc3cf344fb41f28ca89ddd13ecfee972e003e

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 1KB
    MD5: aafbdb3c07cdd80320ab27b863b5437d
    SHA1: 6fd1dd650e6d5248d17a8400445b56dc2d59315b
    SHA256: 22bc5b85f76bdfbe30f699c832183f2be1985e7106b8af86f66e1a360b7a1c17
    SHA512: 268496f2db5b511301bb4f1088229ae94b54c905984d46c8032330020c120efe8ead7c7df214214ad34b59f039c79cec7bbaa0d6af4013d0bd99cd0f809a1f53

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_v11wqitx.e5x.ps1
    Filesize: 60B
    MD5: d17fe0a3f47be24a6453e9ef58c94641
    SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Roaming\batLocking.exe
    Filesize: 553KB
    MD5: 1ddedf0e0fa01b9d7540ab120179b615
    SHA1: 831ff858ead130083c67dc644234493c03bd8d15
    SHA256: ed36597de2bb67e1923a97bdbfe53a6cd434069950ba57a5f8d8c782f5e9a37f
    SHA512: c963db2eac9836da4e629daba2a2a223b2dc6dbf4af18c5bde697f2e8e80bde7fcfe41ec676f2fc870d123819c07224631cf5d69f565477920d04f9c5279ffdd

  • C:\Users\Admin\AppData\Roaming\svchost.exe
    Filesize: 81KB
    MD5: 7a52b09f8b176dd42457f18c34cd37a8
    SHA1: 871c1eb972dbd4e6836971de12d15746c9a0abc3
    SHA256: 8d77f2ab3cdba5d51b0f89671e4ce907ce51eefdc2aec7d5aaeb418109f88568
    SHA512: bb8a95fadfd273293cc12b0a2dc635d37fb73e39038aa06c20b542ee5ad0ae8c5ee115ffa50e9dd63aac2095f6ad0db981ffee352277ef77127c949a639faa8f

  • memory/2052-30-0x0000022CD6280000-0x0000022CD62A2000-memory.dmp
    Filesize: 136KB

  • memory/2160-29-0x00007FFE060D0000-0x00007FFE06B92000-memory.dmp
    Filesize: 10.8MB

  • memory/2160-27-0x0000000000070000-0x000000000008A000-memory.dmp
    Filesize: 104KB

  • memory/2160-92-0x00007FFE060D0000-0x00007FFE06B92000-memory.dmp
    Filesize: 10.8MB

  • memory/2512-0-0x00007FFE060D3000-0x00007FFE060D5000-memory.dmp
    Filesize: 8KB

  • memory/2512-1-0x0000000000710000-0x00000000007FE000-memory.dmp
    Filesize: 952KB