Analysis

  • max time kernel
    17s
  • max time network
    39s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241023-en
  • resource tags

    arch:x64, arch:x86, image:win11-20241023-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    18/11/2024, 01:29

General

  • Target

    SynapseZ Cracked V5.2/Synapse X Launcher.exe

  • Size

    67.0MB

  • MD5

    9780271fc9b17aecd71866f182dd7376

  • SHA1

    3b0c619dbb862438ec70d913674e8840eb7ca5d9

  • SHA256

    ff29b51276d46f8e3f096d2a244ba579ee8b0424ed825f7d3c6ace1ed1f4ca07

  • SHA512

    0f038d8cb1111437c06a16695fcc3623f3cea46520b022d9678c762322b80c5b9b5fec152d3a3e3c78db948ae18cde5d3e057c0ac764b6bf71955de668184a4e

  • SSDEEP

    393216:R4TPZVLWruiFVks+9j54GXvitZQLCO5SXDqQu58EISEhoIaE2FShABZDv25PPa2v:RKRVQxhu0P8Lq1LEvxOOx5Sl

Score
10/10

Malware Config

Extracted

Family

xworm

Version

5.0

C2

week-dictionary.gl.at.ply.gg:12466

Mutex

WIHzy7HOqD8TiFlq

Attributes
  • Install_directory

    %AppData%

  • install_file

    PowerShell.exe

aes.plain

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\SynapseZ Cracked V5.2\Synapse X Launcher.exe
    "C:\Users\Admin\AppData\Local\Temp\SynapseZ Cracked V5.2\Synapse X Launcher.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4512
    • C:\Users\Admin\AppData\Local\Temp\TempAppbd723f48\app507ea758.exe
      C:\Users\Admin\AppData\Local\Temp\TempAppbd723f48\app507ea758.exe
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3632
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "PowerShell" /tr "C:\Users\Admin\AppData\Roaming\PowerShell.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:384
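The schtasks.exe command in the process tree above is the sample's persistence mechanism: it registers a task named "PowerShell" that launches C:\Users\Admin\AppData\Roaming\PowerShell.exe every minute with the highest run level, which matches the Install_directory (%AppData%) and install_file (PowerShell.exe) values in the extracted config. The Python below is an added detection example, not code from the tria.ge report or from the Xworm sample. It parses `schtasks /create` command lines from process-creation events and scores the indicators seen here (action under a user-writable directory, minute-interval trigger, /RL HIGHEST, a task and file name borrowed from a Windows binary). The SAMPLE_EVENTS are constructed for the example (the first one reproduces the command line above) and SYSTEM_BINARY_NAMES is an assumed starting list, not a complete one.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed process-creation events: (image path, command line).
SAMPLE_EVENTS = [
    # The schtasks invocation from the report's process tree.
    (r"C:\Windows\System32\schtasks.exe",
     r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 '
     r'/tn "PowerShell" /tr "C:\Users\Admin\AppData\Roaming\PowerShell.exe"'),
    # A benign, admin-created daily task (constructed).
    (r"C:\Windows\System32\schtasks.exe",
     r'schtasks.exe /create /tn "Backup" /sc daily /st 02:00 /tr "C:\Program Files\Backup\backup.exe"'),
    # An unrelated process (constructed).
    (r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),
]

# Assumed list of Windows binary names that malware borrows for task/file names.
SYSTEM_BINARY_NAMES = {"powershell", "cmd", "svchost", "explorer", "csrss", "lsass",
                       "winlogon", "conhost", "rundll32", "dllhost"}

TOKEN_RE = re.compile(r'"[^"]*"|\S+')
USER_WRITABLE_RE = re.compile(r"\\(appdata|temp|programdata|users\\public)\\", re.IGNORECASE)
WINDOWS_DIR_RE = re.compile(r"^[a-z]:\\windows\\", re.IGNORECASE)


def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, keeping quoted strings whole
    and stripping their quotes. Backslashes are not escape characters here."""
    return [t[1:-1] if t.startswith('"') else t for t in TOKEN_RE.findall(cmdline)]


def parse_schtasks(cmdline: str) -> dict[str, str | bool]:
    """Map schtasks switches (case-insensitive, slash removed) to their value,
    or to True for value-less switches such as /create and /f."""
    tokens = tokenize(cmdline)[1:]  # drop the image name
    switches: dict[str, str | bool] = {}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            name = tok[1:].lower()
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                switches[name] = tokens[i + 1]
                i += 2
                continue
            switches[name] = True
        i += 1
    return switches


@dataclass
class Finding:
    cmdline: str
    task_name: str
    action: str
    reasons: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Require two independent indicators so that a lone task in
        # ProgramData created by an installer does not fire on its own.
        return len(self.reasons) >= 2


def assess_schtasks(image: str, cmdline: str) -> Finding | None:
    """Score a schtasks /create event; return None for anything else."""
    if not image.lower().endswith("\\schtasks.exe"):
        return None
    sw = parse_schtasks(cmdline)
    if "create" not in sw:
        return None
    task_name = str(sw.get("tn", ""))
    action = str(sw.get("tr", ""))
    finding = Finding(cmdline, task_name, action)

    if USER_WRITABLE_RE.search(action):
        finding.reasons.append("action_in_user_writable_dir")
    if str(sw.get("sc", "")).lower() == "minute":
        try:
            if int(sw.get("mo", 1)) <= 5:
                finding.reasons.append("runs_every_few_minutes")
        except ValueError:
            pass
    if str(sw.get("rl", "")).upper() == "HIGHEST":
        finding.reasons.append("highest_run_level")
    basename = action.rsplit("\\", 1)[-1].lower().removesuffix(".exe")
    if basename in SYSTEM_BINARY_NAMES and not WINDOWS_DIR_RE.match(action):
        finding.reasons.append("action_masquerades_as_system_binary")
    if task_name.lower() in SYSTEM_BINARY_NAMES:
        finding.reasons.append("task_name_mimics_system_binary")
    return finding


def scan(events: list[tuple[str, str]]) -> list[Finding]:
    """Return the suspicious findings for a batch of (image, cmdline) events."""
    results = (assess_schtasks(image, cmd) for image, cmd in events)
    return [f for f in results if f is not None and f.suspicious]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"task={f.task_name!r} action={f.action!r} reasons={f.reasons}")
```

Run against the three constructed events, only the report's command line is flagged, with all five indicators; the daily backup task parses cleanly but accumulates no reasons. Feeding real telemetry means mapping the event source's image and command-line fields onto the (image, cmdline) tuples; tasks created through the Task Scheduler COM API (also flagged in the Signatures above) never pass through schtasks.exe, so this parser covers only one of the two creation paths the report lists.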

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\TempAppbd723f48\app507ea758.exe

    Filesize

    34KB

    MD5

    df4465e6693e489c6db32a427bbd93ec

    SHA1

    ea8ef0ae2b517e10f934b66ebefa71e2d9007aa5

    SHA256

    0c5031bae18c7e5b294b89b4b82e30c3862d1e5e4aa5fd664d7a04451dc83847

    SHA512

    4d569c1c29adadf32ff28ba53378493189c99e6e1734e1c896e52e6df89358cbfc6525a96ae1d5cbd99a909ffb7d8e88b075674f679a448a54fef961cdc16f5d

  • memory/3632-5-0x00007FFA2FEF3000-0x00007FFA2FEF5000-memory.dmp

    Filesize

    8KB

  • memory/3632-6-0x00000000002C0000-0x00000000002CE000-memory.dmp

    Filesize

    56KB

  • memory/3632-11-0x00007FFA2FEF0000-0x00007FFA309B2000-memory.dmp

    Filesize

    10.8MB

  • memory/3632-12-0x00007FFA2FEF3000-0x00007FFA2FEF5000-memory.dmp

    Filesize

    8KB

  • memory/3632-13-0x00007FFA2FEF0000-0x00007FFA309B2000-memory.dmp

    Filesize

    10.8MB