Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17/11/2024, 06:46

General

  • Target

    Api-AutoUpdaterV2.exe

  • Size

    87KB

  • MD5

    9f9e3e562c3ace91fd36c7d9b49c56a7

  • SHA1

    32317350629c0591b49726ad71ab49e12b208918

  • SHA256

    c2306587c0e582a16037717598479523ba07d1afb646ab4a4ab63173adaaa971

  • SHA512

    8a60f2a143475fed2837a670717c5e35bcb0c0602fd633cda4efdfdd95ae15c407077fca5b7e5ac1dd771acc994f7f3b3fdff589dc3f613bce6144cdc3c7df8d

  • SSDEEP

    1536:CLVnqRcrCwNlhr/CbCRSCpv1ZLFNxdlub5mUnaC9UWGIiEdrRFbw0I5oKV+Uq4Q3:CslcCbCRBnFNblub5mUavWGAfFbwVVTQ

Malware Config

Extracted

Family

xworm

C2

job-moore.gl.at.ply.gg:49404

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    Helper.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Api-AutoUpdaterV2.exe
    "C:\Users\Admin\AppData\Local\Temp\Api-AutoUpdaterV2.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2380
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Api-AutoUpdaterV2.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2052
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Api-AutoUpdaterV2.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4216
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Api-AutoUpdaterV2.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2828
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /rl highest /tn "Api-AutoUpdaterV2" /tr "C:\ProgramData\Api-AutoUpdaterV2.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:4468
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Api-AutoUpdaterV2.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3316
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Api-AutoUpdaterV2.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2940
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\WindowsDefender'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2056
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WindowsDefender'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4020
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WindowsDefender" /tr "C:\ProgramData\WindowsDefender"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:3548
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:4468
  • C:\ProgramData\Api-AutoUpdaterV2.exe
    C:\ProgramData\Api-AutoUpdaterV2.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:224
  • C:\ProgramData\WindowsDefender
    C:\ProgramData\WindowsDefender
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3024
  • C:\ProgramData\Api-AutoUpdaterV2.exe
    C:\ProgramData\Api-AutoUpdaterV2.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1736
  • C:\ProgramData\WindowsDefender
    C:\ProgramData\WindowsDefender
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4052

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\WindowsDefender

    Filesize

    87KB

    MD5

    9f9e3e562c3ace91fd36c7d9b49c56a7

    SHA1

    32317350629c0591b49726ad71ab49e12b208918

    SHA256

    c2306587c0e582a16037717598479523ba07d1afb646ab4a4ab63173adaaa971

    SHA512

    8a60f2a143475fed2837a670717c5e35bcb0c0602fd633cda4efdfdd95ae15c407077fca5b7e5ac1dd771acc994f7f3b3fdff589dc3f613bce6144cdc3c7df8d

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Api-AutoUpdaterV2.exe.log

    Filesize

    1KB

    MD5

    3982d6d16fd43ae609fd495bb33433a2

    SHA1

    6c33cd681fdfd9a844a3128602455a768e348765

    SHA256

    9a0a58776494250224706cbfbb08562eec3891fb988f17d66d0d8f9af4253cf9

    SHA512

    4b69315f5d139b8978123bebd417231b28f86b6c1433eb88105465a342339c6c6b8c240a2ca8d2a9c1fca20136c8c167b78a770ab0664231f6e1742291cbf1aa

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

    Filesize

    2KB

    MD5

    71fa55c67a762ba70e40011153e19b3c

    SHA1

    a36d2bb4802a8ec7db1a68de5f0c3d6007987492

    SHA256

    b8be6896ca89d3ebe9ee8a94e3407483f4750badaf7fa33526817cfc926dc291

    SHA512

    32760af7c05e20fec8cbddf56c2df544a69335f930f1d313cd1fdceaa90ed2afe81e54ac1b6770097d6f5ca5f30955f95970171a453579aa19239a17aaefe47f

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    944B

    MD5

    432507558b904755313d5b27a3dc271a

    SHA1

    c5f1e5c3a723f83080c38f987b289e6b08eafd70

    SHA256

    d037ed26ad6876ecaa84eaddff658fc90fa5c2e3a83822f140e11c30b6f61a07

    SHA512

    7ee8989467bd7216417600ac44244fea7249061a515396ae5860cad37b1e0167a28387b02d6e2e1dbd140e9e51fee98c6f36aa0ad559137204923374de1f5d1f

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    944B

    MD5

    34f595487e6bfd1d11c7de88ee50356a

    SHA1

    4caad088c15766cc0fa1f42009260e9a02f953bb

    SHA256

    0f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d

    SHA512

    10976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    944B

    MD5

    3b444d3f0ddea49d84cc7b3972abe0e6

    SHA1

    0a896b3808e68d5d72c2655621f43b0b2c65ae02

    SHA256

    ab075b491d20c6f66c7bd40b57538c1cfdaab5aac4715bfe3bbc7f4745860a74

    SHA512

    eb0ab5d68472ec42de4c9b6d84306d7bca3874be1d0ac572030a070f21a698432418068e1a6006ff88480be8c8f54c769dee74b2def403f734109dba7261f36b

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    944B

    MD5

    15dde0683cd1ca19785d7262f554ba93

    SHA1

    d039c577e438546d10ac64837b05da480d06bf69

    SHA256

    d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961

    SHA512

    57c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    944B

    MD5

    10890cda4b6eab618e926c4118ab0647

    SHA1

    1e1d63b73a0e6c7575f458b3c7917a9ce5ba776d

    SHA256

    00f8a035324d39bd62e6dee5e1b480069015471c487ebee4479e6990ea9ddb14

    SHA512

    a2ee84006c24a36f25e0bca0772430d64e3791f233da916aecdeae6712763e77d55bbbd00dc8f6b2b3887f3c26ab3980b96c5f46cc823e81e28abbbc5fc78221

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mgehvokh.1uc.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsDefender.lnk

    Filesize

    688B

    MD5

    92fbf90243203606fab1313b3b50735c

    SHA1

    5ed66fbc3d5c9ff01c8924c54cb65f3b6f438709

    SHA256

    cfc59b0078aeb071cdbda88e9f78dd647b9cf741682b6e302b57805b06fd40a0

    SHA512

    714f42887bf6dd66055a8f537cd9e809cf2957dcfbbee2941031141ac144883309ede96cc7671a49053202b6258825c86d856de9e176a2f5884fff31ec3e66bd

  • memory/2052-18-0x00007FF8FC770000-0x00007FF8FD231000-memory.dmp

    Filesize

    10.8MB

  • memory/2052-15-0x00007FF8FC770000-0x00007FF8FD231000-memory.dmp

    Filesize

    10.8MB

  • memory/2052-14-0x00007FF8FC770000-0x00007FF8FD231000-memory.dmp

    Filesize

    10.8MB

  • memory/2052-13-0x00000216B98C0000-0x00000216B98E2000-memory.dmp

    Filesize

    136KB

  • memory/2052-12-0x00007FF8FC770000-0x00007FF8FD231000-memory.dmp

    Filesize

    10.8MB

  • memory/2380-55-0x00007FF8FC770000-0x00007FF8FD231000-memory.dmp

    Filesize

    10.8MB

  • memory/2380-0-0x00007FF8FC773000-0x00007FF8FC775000-memory.dmp

    Filesize

    8KB

  • memory/2380-44-0x00007FF8FC773000-0x00007FF8FC775000-memory.dmp

    Filesize

    8KB

  • memory/2380-1-0x0000000000A70000-0x0000000000A8C000-memory.dmp

    Filesize

    112KB

  • memory/2380-2-0x00007FF8FC770000-0x00007FF8FD231000-memory.dmp

    Filesize

    10.8MB

  • memory/2380-43-0x000000001CF10000-0x000000001CF26000-memory.dmp

    Filesize

    88KB

  • memory/4468-104-0x000002133BDA0000-0x000002133BDA1000-memory.dmp

    Filesize

    4KB

  • memory/4468-105-0x000002133BDA0000-0x000002133BDA1000-memory.dmp

    Filesize

    4KB

  • memory/4468-103-0x000002133BDA0000-0x000002133BDA1000-memory.dmp

    Filesize

    4KB

  • memory/4468-102-0x000002133BDA0000-0x000002133BDA1000-memory.dmp

    Filesize

    4KB

  • memory/4468-101-0x000002133BDA0000-0x000002133BDA1000-memory.dmp

    Filesize

    4KB

  • memory/4468-100-0x000002133BDA0000-0x000002133BDA1000-memory.dmp

    Filesize

    4KB

  • memory/4468-99-0x000002133BDA0000-0x000002133BDA1000-memory.dmp

    Filesize

    4KB

  • memory/4468-93-0x000002133BDA0000-0x000002133BDA1000-memory.dmp

    Filesize

    4KB

  • memory/4468-94-0x000002133BDA0000-0x000002133BDA1000-memory.dmp

    Filesize

    4KB

  • memory/4468-95-0x000002133BDA0000-0x000002133BDA1000-memory.dmp

    Filesize

    4KB