Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview

Tasks (score / sample / platform):

- 10 / static
- 10 / Extra Xite...V5.exe / windows7-x64
- 10 / Extra Xite...V5.exe / windows10-2004-x64
- 10 / Extra Xite...V5.exe / windows7-x64
- 10 / Extra Xite...V5.exe / windows10-2004-x64
- 10 / Extra Xite...V5.exe / windows7-x64
- 1 / Extra Xite...V5.exe / windows10-2004-x64
- 1 / Realtek HD...ce.exe / windows7-x64
- 10 / Realtek HD...ce.exe / windows10-2004-x64
- 10 / Windows Sh...st.exe / windows7-x64
- 10 / Windows Sh...st.exe / windows10-2004-x64
- 10 / Realtek HD...ce.exe / windows7-x64
- 10 / Realtek HD...ce.exe / windows10-2004-x64
- 10 / Windows Sh...st.exe / windows7-x64
- 10 / Windows Sh...st.exe / windows10-2004-x64
Analysis (score 10)

- max time kernel: 129s
- max time network: 140s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 18/11/2024, 18:48
Behavioral tasks (task / sample / resource):

- behavioral1 / Extra Xiters Premium V5.exe / win7-20240903-en
- behavioral2 / Extra Xiters Premium V5.exe / win10v2004-20241007-en
- behavioral3 / Extra Xiters Premium V5.exe / win7-20241023-en
- behavioral4 / Extra Xiters Premium V5.exe / win10v2004-20241007-en
- behavioral5 / Extra Xiters Premium V5.exe / win7-20240903-en
- behavioral6 / Extra Xiters Premium V5.exe / win10v2004-20241007-en
- behavioral7 / Realtek HD Audio Universal Service.exe / win7-20240903-en
- behavioral8 / Realtek HD Audio Universal Service.exe / win10v2004-20241007-en
- behavioral9 / Windows Shell Experience Host.exe / win7-20240903-en
- behavioral10 / Windows Shell Experience Host.exe / win10v2004-20241007-en
- behavioral11 / Realtek HD Audio Universal Service.exe / win7-20240903-en
- behavioral12 / Realtek HD Audio Universal Service.exe / win10v2004-20241007-en
- behavioral13 / Windows Shell Experience Host.exe / win7-20240708-en
- behavioral14 / Windows Shell Experience Host.exe / win10v2004-20241007-en
General

- Target: Windows Shell Experience Host.exe
- Size: 86KB
- MD5: 17f122079462e212871a1e2eb20eaff9
- SHA1: 349e4b54323acce835916a2bbe40dc9c5d30931f
- SHA256: f483197df60b8767d23fa820efaab0c6bcc3a4b02ebee3c8f1290ef699f6697e
- SHA512: 95548cb30e9e45c4024be181253200d2188b622754158f6268fa09e41327dbb8468399a1b5ddd9d868413638bf1b9b18f6814586530f2c6a0a6cbd6311234e94
- SSDEEP: 768:NG9nICDiZGhCMhOB0s1SbiFG9Ox7h86BOMhUL02dC+IHZK:NgICDiZQRhVeFG9e7h86BOM+Nd6c
Malware Config

Extracted: xworm, version 5.0

- C2 (host:port): 147.185.221.20:65300
- RMe1pa1UgjNcB2Un
- Install_directory: %AppData%
- install_file: Windows Shell Experience Host.exe
Signatures

- Detect Xworm Payload (1 IoC)
  yara_rule family_xworm matched resource behavioral13/memory/2252-1-0x0000000000D10000-0x0000000000D2A000-memory.dmp
- Xworm family
- Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)
  Runs PowerShell to modify Windows Defender settings by adding exclusions for file extensions, paths and processes. In this run the four commands add path and process exclusions for the sample's own binary (see Processes).
  Processes: 2868 powershell.exe, 2568 powershell.exe, 1160 powershell.exe, 2992 powershell.exe
- Drops startup file (2 IoCs)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Shell Experience Host.lnk (Windows Shell Experience Host.exe)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Shell Experience Host.lnk (Windows Shell Experience Host.exe)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Shell Experience Host = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Shell Experience Host.exe" (Windows Shell Experience Host.exe)
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 4: ip-api.com
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes: 2868 powershell.exe, 2568 powershell.exe, 1160 powershell.exe, 2992 powershell.exe, 2252 Windows Shell Experience Host.exe
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Token SeDebugPrivilege: 2252 Windows Shell Experience Host.exe, 2868 powershell.exe, 2568 powershell.exe, 1160 powershell.exe, 2992 powershell.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  2252 Windows Shell Experience Host.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 2252 (Windows Shell Experience Host.exe) wrote to the memory of each PowerShell child three times: 2868 (procid_target 31), 2568 (procid_target 33), 1160 (procid_target 35), 2992 (procid_target 37)
Processes

1. C:\Users\Admin\AppData\Local\Temp\Windows Shell Experience Host.exe (PID 2252)
   Command line: "C:\Users\Admin\AppData\Local\Temp\Windows Shell Experience Host.exe"
   - Drops startup file
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2868), child of 2252
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Windows Shell Experience Host.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

   2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2568), child of 2252
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Shell Experience Host.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

   2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1160), child of 2252
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Windows Shell Experience Host.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

   2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2992), child of 2252
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Shell Experience Host.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
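The behaviours recorded in the Signatures and Processes sections (a binary running from %Temp% spawning PowerShell to add Add-MpPreference exclusions for itself and its %AppData% copy, a Run key and a Startup .lnk pointing into %AppData%) are exactly what endpoint telemetry exposes to a defender. The following is an added example and not part of the tria.ge report: detection logic in Python run over constructed Sysmon-style events modelled on this report's process tree and IoCs. The event field names, the benign control event (PIDs 3999/4000, an administrator excluding a build directory) and the severity scoring are assumptions of the example. Exclusion commands are attributed to the parent that spawned PowerShell, which is how the report's WriteProcessMemory entries tie 2868/2568/1160/2992 back to 2252, so the three exclusion commands and the two persistence artefacts converge on one process. The exclusion rule also covers -ExclusionExtension, which the signature description mentions but this run did not use.

```python
"""Detect Defender-exclusion tampering and user-land persistence from endpoint events.

Added example, not part of the tria.ge report. Input is a list of constructed
Sysmon-style events (process create, registry set, file create) modelled on the
process tree and IoCs above; field names and the benign control are assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Directories a standard user can write to; a binary living here that tunes Defender is suspect.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(Local\\Temp|Roaming)\\", re.IGNORECASE)
# Any Add-MpPreference exclusion; group 1 = kind (Path/Process/Extension), group 2 = excluded value.
EXCLUSION = re.compile(
    r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)\s+['\"]?([^'\"]+)", re.IGNORECASE)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.IGNORECASE)

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\Windows Shell Experience Host.exe"
INSTALLED = r"C:\Users\Admin\AppData\Roaming\Windows Shell Experience Host.exe"

# Constructed sample telemetry modelled on the report (PIDs and command lines from the process tree).
SAMPLE_EVENTS = [
    {"type": "process", "pid": 2252, "ppid": 1000, "image": DROPPED, "cmdline": f'"{DROPPED}"'},
    {"type": "process", "pid": 2868, "ppid": 2252, "image": PS,
     "cmdline": f"\"{PS}\" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath '{DROPPED}'"},
    {"type": "process", "pid": 2568, "ppid": 2252, "image": PS,
     "cmdline": f"\"{PS}\" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Shell Experience Host.exe'"},
    {"type": "process", "pid": 1160, "ppid": 2252, "image": PS,
     "cmdline": f"\"{PS}\" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath '{INSTALLED}'"},
    {"type": "registry", "pid": 2252,
     "key": r"\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Shell Experience Host",
     "value": INSTALLED},
    {"type": "file", "pid": 2252,
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Shell Experience Host.lnk"},
    # Constructed benign control: an admin console adding a build-directory exclusion (no parent in telemetry).
    {"type": "process", "pid": 4000, "ppid": 3999, "image": PS,
     "cmdline": f'"{PS}" Add-MpPreference -ExclusionPath C:\\Builds'},
]


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int        # process the behaviour is attributed to
    severity: str   # "high" | "medium" | "low"
    detail: str


def detect(events):
    """Run the three rules over the events and return one Finding per hit."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = []
    for e in events:
        if e["type"] == "process":
            m = EXCLUSION.search(e["cmdline"])
            if not m:
                continue
            kind, target = m.group(1), m.group(2).strip()
            parent = procs.get(e["ppid"])
            parent_img = parent["image"] if parent else ""
            parent_name = parent_img.rsplit("\\", 1)[-1]
            # Excluding the spawning binary itself (full path or file name), or being spawned
            # from a user-writable directory, is the self-protection pattern in this report.
            self_excl = bool(parent_img) and target.lower() in (parent_img.lower(), parent_name.lower())
            sev = "high" if self_excl or USER_WRITABLE.search(parent_img) else "medium"
            owner = parent["pid"] if parent else e["pid"]
            findings.append(Finding("defender_exclusion", owner, sev, f"{kind}={target}"))
        elif e["type"] == "registry" and RUN_KEY.search(e["key"]):
            sev = "high" if USER_WRITABLE.search(e["value"]) else "low"
            findings.append(Finding("run_key", e["pid"], sev, e["value"]))
        elif e["type"] == "file" and STARTUP_LNK.search(e["path"]):
            findings.append(Finding("startup_lnk", e["pid"], "medium", e["path"]))
    return findings


def correlate(findings):
    """PIDs that both tampered with Defender exclusions and installed persistence."""
    rules = defaultdict(set)
    for f in findings:
        rules[f.pid].add(f.rule)
    return sorted(pid for pid, r in rules.items()
                  if "defender_exclusion" in r and r & {"run_key", "startup_lnk"})


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for f in found:
        print(f"[{f.severity:6}] pid={f.pid} {f.rule}: {f.detail}")
    print("exclusion + persistence from the same process:", correlate(SAMPLE_EVENTS and found))
```

On the sample events the three exclusion commands and both persistence artefacts land on PID 2252 as high/medium findings, the benign control stays at medium with no persistence to correlate against, and correlate() returns [2252]. The same rules apply to real Sysmon Event ID 1/13/11 records once the field names are mapped; exclusion adds by processes outside user-writable paths still surface, at lower severity, because a silent Defender exclusion is worth a look regardless of who made it.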
Network
MITRE ATT&CK Enterprise v15
Downloads

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 0b89800a733741228c4d4ac89db55af0
  SHA1: 2ee0ba86f2a30c84b0fbd8063a367bcda5f2cd58
  SHA256: 478bbdd91f9d4642ffdeb8caebcf4e66b6f40bdf0e95f4c19f4bf60fd77e4d50
  SHA512: 1e710b7e6e7817892dbc7691dd140b9d52befffc82a2bb921414fa25875256d7ff6cc6f245ba3045fc06023da21d9fc6af4fe67a7dd9b851e4107631af8a30b4