Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
17/11/2024, 06:46
Static task
static1
Behavioral task
behavioral1
Sample
Api-AutoUpdaterV2.exe
Resource
win10v2004-20241007-en
General
-
Target
Api-AutoUpdaterV2.exe
-
Size
87KB
-
MD5
9f9e3e562c3ace91fd36c7d9b49c56a7
-
SHA1
32317350629c0591b49726ad71ab49e12b208918
-
SHA256
c2306587c0e582a16037717598479523ba07d1afb646ab4a4ab63173adaaa971
-
SHA512
8a60f2a143475fed2837a670717c5e35bcb0c0602fd633cda4efdfdd95ae15c407077fca5b7e5ac1dd771acc994f7f3b3fdff589dc3f613bce6144cdc3c7df8d
-
SSDEEP
1536:CLVnqRcrCwNlhr/CbCRSCpv1ZLFNxdlub5mUnaC9UWGIiEdrRFbw0I5oKV+Uq4Q3:CslcCbCRBnFNblub5mUavWGAfFbwVVTQ
Malware Config
Extracted
xworm
job-moore.gl.at.ply.gg:49404
-
Install_directory
%ProgramData%
-
install_file
Helper.exe
Signatures
-
Detect Xworm Payload 1 IoCs
resource yara_rule behavioral1/memory/2380-43-0x000000001CF10000-0x000000001CF26000-memory.dmp family_xworm -
Xworm family
-
Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 2056 powershell.exe 4020 powershell.exe 2052 powershell.exe 4216 powershell.exe 2828 powershell.exe 3316 powershell.exe 2940 powershell.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation Api-AutoUpdaterV2.exe -
Drops startup file 2 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsDefender.lnk Api-AutoUpdaterV2.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsDefender.lnk Api-AutoUpdaterV2.exe -
Executes dropped EXE 4 IoCs
pid Process 224 Api-AutoUpdaterV2.exe 3024 WindowsDefender 1736 Api-AutoUpdaterV2.exe 4052 WindowsDefender -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\ProgramData\\WindowsDefender" Api-AutoUpdaterV2.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 10 ip-api.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName taskmgr.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4468 schtasks.exe 3548 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2052 powershell.exe 2052 powershell.exe 4216 powershell.exe 4216 powershell.exe 2828 powershell.exe 2828 powershell.exe 3316 powershell.exe 3316 powershell.exe 2940 powershell.exe 2940 powershell.exe 2056 powershell.exe 2056 powershell.exe 2056 powershell.exe 4020 powershell.exe 4020 powershell.exe 4020 powershell.exe 2380 Api-AutoUpdaterV2.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 4468 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 16 IoCs
description pid Process Token: SeDebugPrivilege 2380 Api-AutoUpdaterV2.exe Token: SeDebugPrivilege 2052 powershell.exe Token: SeDebugPrivilege 4216 powershell.exe Token: SeDebugPrivilege 2828 powershell.exe Token: SeDebugPrivilege 3316 powershell.exe Token: SeDebugPrivilege 2940 powershell.exe Token: SeDebugPrivilege 2056 powershell.exe Token: SeDebugPrivilege 4020 powershell.exe Token: SeDebugPrivilege 2380 Api-AutoUpdaterV2.exe Token: SeDebugPrivilege 4468 taskmgr.exe Token: SeSystemProfilePrivilege 4468 taskmgr.exe Token: SeCreateGlobalPrivilege 4468 taskmgr.exe Token: SeDebugPrivilege 224 Api-AutoUpdaterV2.exe Token: SeDebugPrivilege 3024 WindowsDefender Token: SeDebugPrivilege 1736 Api-AutoUpdaterV2.exe Token: SeDebugPrivilege 4052 WindowsDefender -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe 4468 taskmgr.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2380 Api-AutoUpdaterV2.exe -
Suspicious use of WriteProcessMemory 18 IoCs
description pid Process procid_target PID 2380 wrote to memory of 2052 2380 Api-AutoUpdaterV2.exe 91 PID 2380 wrote to memory of 2052 2380 Api-AutoUpdaterV2.exe 91 PID 2380 wrote to memory of 4216 2380 Api-AutoUpdaterV2.exe 94 PID 2380 wrote to memory of 4216 2380 Api-AutoUpdaterV2.exe 94 PID 2380 wrote to memory of 2828 2380 Api-AutoUpdaterV2.exe 96 PID 2380 wrote to memory of 2828 2380 Api-AutoUpdaterV2.exe 96 PID 2380 wrote to memory of 4468 2380 Api-AutoUpdaterV2.exe 98 PID 2380 wrote to memory of 4468 2380 Api-AutoUpdaterV2.exe 98 PID 2380 wrote to memory of 3316 2380 Api-AutoUpdaterV2.exe 102 PID 2380 wrote to memory of 3316 2380 Api-AutoUpdaterV2.exe 102 PID 2380 wrote to memory of 2940 2380 Api-AutoUpdaterV2.exe 104 PID 2380 wrote to memory of 2940 2380 Api-AutoUpdaterV2.exe 104 PID 2380 wrote to memory of 2056 2380 Api-AutoUpdaterV2.exe 109 PID 2380 wrote to memory of 2056 2380 Api-AutoUpdaterV2.exe 109 PID 2380 wrote to memory of 4020 2380 Api-AutoUpdaterV2.exe 111 PID 2380 wrote to memory of 4020 2380 Api-AutoUpdaterV2.exe 111 PID 2380 wrote to memory of 3548 2380 Api-AutoUpdaterV2.exe 114 PID 2380 wrote to memory of 3548 2380 Api-AutoUpdaterV2.exe 114 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Api-AutoUpdaterV2.exe"C:\Users\Admin\AppData\Local\Temp\Api-AutoUpdaterV2.exe"1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2380 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Api-AutoUpdaterV2.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2052
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Api-AutoUpdaterV2.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4216
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Api-AutoUpdaterV2.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2828
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /rl highest /tn "Api-AutoUpdaterV2" /tr "C:\ProgramData\Api-AutoUpdaterV2.exe"2⤵
- Scheduled Task/Job: Scheduled Task
PID:4468
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Api-AutoUpdaterV2.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3316
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Api-AutoUpdaterV2.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2940
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\WindowsDefender'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2056
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WindowsDefender'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4020
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WindowsDefender" /tr "C:\ProgramData\WindowsDefender"2⤵
- Scheduled Task/Job: Scheduled Task
PID:3548
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4468
-
C:\ProgramData\Api-AutoUpdaterV2.exeC:\ProgramData\Api-AutoUpdaterV2.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:224
-
C:\ProgramData\WindowsDefenderC:\ProgramData\WindowsDefender1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3024
-
C:\ProgramData\Api-AutoUpdaterV2.exeC:\ProgramData\Api-AutoUpdaterV2.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1736
-
C:\ProgramData\WindowsDefenderC:\ProgramData\WindowsDefender1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4052
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
87KB
MD59f9e3e562c3ace91fd36c7d9b49c56a7
SHA132317350629c0591b49726ad71ab49e12b208918
SHA256c2306587c0e582a16037717598479523ba07d1afb646ab4a4ab63173adaaa971
SHA5128a60f2a143475fed2837a670717c5e35bcb0c0602fd633cda4efdfdd95ae15c407077fca5b7e5ac1dd771acc994f7f3b3fdff589dc3f613bce6144cdc3c7df8d
-
Filesize
1KB
MD53982d6d16fd43ae609fd495bb33433a2
SHA16c33cd681fdfd9a844a3128602455a768e348765
SHA2569a0a58776494250224706cbfbb08562eec3891fb988f17d66d0d8f9af4253cf9
SHA5124b69315f5d139b8978123bebd417231b28f86b6c1433eb88105465a342339c6c6b8c240a2ca8d2a9c1fca20136c8c167b78a770ab0664231f6e1742291cbf1aa
-
Filesize
2KB
MD571fa55c67a762ba70e40011153e19b3c
SHA1a36d2bb4802a8ec7db1a68de5f0c3d6007987492
SHA256b8be6896ca89d3ebe9ee8a94e3407483f4750badaf7fa33526817cfc926dc291
SHA51232760af7c05e20fec8cbddf56c2df544a69335f930f1d313cd1fdceaa90ed2afe81e54ac1b6770097d6f5ca5f30955f95970171a453579aa19239a17aaefe47f
-
Filesize
944B
MD5432507558b904755313d5b27a3dc271a
SHA1c5f1e5c3a723f83080c38f987b289e6b08eafd70
SHA256d037ed26ad6876ecaa84eaddff658fc90fa5c2e3a83822f140e11c30b6f61a07
SHA5127ee8989467bd7216417600ac44244fea7249061a515396ae5860cad37b1e0167a28387b02d6e2e1dbd140e9e51fee98c6f36aa0ad559137204923374de1f5d1f
-
Filesize
944B
MD534f595487e6bfd1d11c7de88ee50356a
SHA14caad088c15766cc0fa1f42009260e9a02f953bb
SHA2560f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d
SHA51210976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b
-
Filesize
944B
MD53b444d3f0ddea49d84cc7b3972abe0e6
SHA10a896b3808e68d5d72c2655621f43b0b2c65ae02
SHA256ab075b491d20c6f66c7bd40b57538c1cfdaab5aac4715bfe3bbc7f4745860a74
SHA512eb0ab5d68472ec42de4c9b6d84306d7bca3874be1d0ac572030a070f21a698432418068e1a6006ff88480be8c8f54c769dee74b2def403f734109dba7261f36b
-
Filesize
944B
MD515dde0683cd1ca19785d7262f554ba93
SHA1d039c577e438546d10ac64837b05da480d06bf69
SHA256d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961
SHA51257c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672
-
Filesize
944B
MD510890cda4b6eab618e926c4118ab0647
SHA11e1d63b73a0e6c7575f458b3c7917a9ce5ba776d
SHA25600f8a035324d39bd62e6dee5e1b480069015471c487ebee4479e6990ea9ddb14
SHA512a2ee84006c24a36f25e0bca0772430d64e3791f233da916aecdeae6712763e77d55bbbd00dc8f6b2b3887f3c26ab3980b96c5f46cc823e81e28abbbc5fc78221
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
688B
MD592fbf90243203606fab1313b3b50735c
SHA15ed66fbc3d5c9ff01c8924c54cb65f3b6f438709
SHA256cfc59b0078aeb071cdbda88e9f78dd647b9cf741682b6e302b57805b06fd40a0
SHA512714f42887bf6dd66055a8f537cd9e809cf2957dcfbbee2941031141ac144883309ede96cc7671a49053202b6258825c86d856de9e176a2f5884fff31ec3e66bd