Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    129s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    18/11/2024, 18:48

General

  • Target

    Windows Shell Experience Host.exe

  • Size

    86KB

  • MD5

    17f122079462e212871a1e2eb20eaff9

  • SHA1

    349e4b54323acce835916a2bbe40dc9c5d30931f

  • SHA256

    f483197df60b8767d23fa820efaab0c6bcc3a4b02ebee3c8f1290ef699f6697e

  • SHA512

    95548cb30e9e45c4024be181253200d2188b622754158f6268fa09e41327dbb8468399a1b5ddd9d868413638bf1b9b18f6814586530f2c6a0a6cbd6311234e94

  • SSDEEP

    768:NG9nICDiZGhCMhOB0s1SbiFG9Ox7h86BOMhUL02dC+IHZK:NgICDiZQRhVeFG9e7h86BOM+Nd6c

Malware Config

Extracted

Family

xworm

Version

5.0

C2

147.185.221.20:65300

Mutex

RMe1pa1UgjNcB2Un

Attributes
  • Install_directory

    %AppData%

  • install_file

    Windows Shell Experience Host.exe

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Windows Shell Experience Host.exe
    "C:\Users\Admin\AppData\Local\Temp\Windows Shell Experience Host.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2252
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Windows Shell Experience Host.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2868
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Shell Experience Host.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2568
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Windows Shell Experience Host.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1160
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Shell Experience Host.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2992

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    7KB

    MD5

    0b89800a733741228c4d4ac89db55af0

    SHA1

    2ee0ba86f2a30c84b0fbd8063a367bcda5f2cd58

    SHA256

    478bbdd91f9d4642ffdeb8caebcf4e66b6f40bdf0e95f4c19f4bf60fd77e4d50

    SHA512

    1e710b7e6e7817892dbc7691dd140b9d52befffc82a2bb921414fa25875256d7ff6cc6f245ba3045fc06023da21d9fc6af4fe67a7dd9b851e4107631af8a30b4

  • memory/2252-0-0x000007FEF5353000-0x000007FEF5354000-memory.dmp

    Filesize

    4KB

  • memory/2252-1-0x0000000000D10000-0x0000000000D2A000-memory.dmp

    Filesize

    104KB

  • memory/2252-2-0x000007FEF5350000-0x000007FEF5D3C000-memory.dmp

    Filesize

    9.9MB

  • memory/2252-17-0x000007FEF5353000-0x000007FEF5354000-memory.dmp

    Filesize

    4KB

  • memory/2252-33-0x000007FEF5350000-0x000007FEF5D3C000-memory.dmp

    Filesize

    9.9MB

  • memory/2568-15-0x000000001B4F0000-0x000000001B7D2000-memory.dmp

    Filesize

    2.9MB

  • memory/2568-16-0x0000000001DF0000-0x0000000001DF8000-memory.dmp

    Filesize

    32KB

  • memory/2868-7-0x0000000002B70000-0x0000000002BF0000-memory.dmp

    Filesize

    512KB

  • memory/2868-8-0x000000001B560000-0x000000001B842000-memory.dmp

    Filesize

    2.9MB

  • memory/2868-9-0x0000000002240000-0x0000000002248000-memory.dmp

    Filesize

    32KB