Overview

Score | Task                | Platform
10    | Static              | static
10    | Extra Xite...V5.exe | windows7-x64
10    | Extra Xite...V5.exe | windows10-2004-x64
10    | Extra Xite...V5.exe | windows7-x64
10    | Extra Xite...V5.exe | windows10-2004-x64
10    | Extra Xite...V5.exe | windows7-x64
1     | Extra Xite...V5.exe | windows10-2004-x64
1     | Realtek HD...ce.exe | windows7-x64
10    | Realtek HD...ce.exe | windows10-2004-x64
10    | Windows Sh...st.exe | windows7-x64
10    | Windows Sh...st.exe | windows10-2004-x64
10    | Realtek HD...ce.exe | windows7-x64
10    | Realtek HD...ce.exe | windows10-2004-x64
10    | Windows Sh...st.exe | windows7-x64
10    | Windows Sh...st.exe | windows10-2004-x64
Analysis (score 10)

max time kernel: 134s
max time network: 144s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 18/11/2024, 18:48
Behavioral tasks

Task         | Sample                                 | Resource
behavioral1  | Extra Xiters Premium V5.exe            | win7-20240903-en
behavioral2  | Extra Xiters Premium V5.exe            | win10v2004-20241007-en
behavioral3  | Extra Xiters Premium V5.exe            | win7-20241023-en
behavioral4  | Extra Xiters Premium V5.exe            | win10v2004-20241007-en
behavioral5  | Extra Xiters Premium V5.exe            | win7-20240903-en
behavioral6  | Extra Xiters Premium V5.exe            | win10v2004-20241007-en
behavioral7  | Realtek HD Audio Universal Service.exe | win7-20240903-en
behavioral8  | Realtek HD Audio Universal Service.exe | win10v2004-20241007-en
behavioral9  | Windows Shell Experience Host.exe      | win7-20240903-en
behavioral10 | Windows Shell Experience Host.exe      | win10v2004-20241007-en
behavioral11 | Realtek HD Audio Universal Service.exe | win7-20240903-en
behavioral12 | Realtek HD Audio Universal Service.exe | win10v2004-20241007-en
behavioral13 | Windows Shell Experience Host.exe      | win7-20240708-en
behavioral14 | Windows Shell Experience Host.exe      | win10v2004-20241007-en
General

Target: Realtek HD Audio Universal Service.exe
Size: 40KB
MD5: a29cf6541896f5be39c930c3737ff80c
SHA1: 526d9571e0368b6d02130d98af32561024fdb803
SHA256: 75abe13c29ec2a3a864d07299830be43502cb654bc1309b20e94c786fcc38631
SHA512: e883bce9aabd5999ba363eeb7260dedd08e5e7099a27d6132b93e1c1f83358613c1aea34ad90656f53c36295c1fab3eda2cfa75cb5bf1048813ad586d6ba8b3b
SSDEEP: 768:QBj78fx6MooenBjJfDUbtRFH9OKw6BOMhtL05jP:U78p6MLeBjJfIbDFH93w6BOMTkjP
Malware Config

Extracted
Family: xworm
Version: 5.0
C2: 147.185.221.23:53638
Itj6uNzPbdGmJ8JP
Install_directory: %LocalAppData%
install_file: Realtek HD Audio Universal Service.exe
Signatures

Detect Xworm Payload (1 IoC)
resource | yara_rule
behavioral7/memory/2168-1-0x00000000000E0000-0x00000000000F0000-memory.dmp | family_xworm

Xworm family

Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths and processes. In this run the four invocations add two -ExclusionPath entries (the Temp drop location and the %LocalAppData% install location) and two -ExclusionProcess entries for the sample's own file name; see the Processes section for the exact command lines.
pid  | Process
2860 | powershell.exe
2576 | powershell.exe
1480 | powershell.exe
2524 | powershell.exe

Drops startup file (2 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Realtek HD Audio Universal Service.lnk | Realtek HD Audio Universal Service.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Realtek HD Audio Universal Service.lnk | Realtek HD Audio Universal Service.exe

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
4    | ip-api.com

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (5 IoCs)
pid  | Process
2860 | powershell.exe
2576 | powershell.exe
1480 | powershell.exe
2524 | powershell.exe
2168 | Realtek HD Audio Universal Service.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2168 | Realtek HD Audio Universal Service.exe
Token: SeDebugPrivilege | 2860 | powershell.exe
Token: SeDebugPrivilege | 2576 | powershell.exe
Token: SeDebugPrivilege | 1480 | powershell.exe
Token: SeDebugPrivilege | 2524 | powershell.exe

Suspicious use of SetWindowsHookEx (1 IoC)
pid  | Process
2168 | Realtek HD Audio Universal Service.exe

Suspicious use of WriteProcessMemory (12 IoCs; each write is recorded three times)
description | pid | Process | procid_target
PID 2168 wrote to memory of 2860 | 2168 | Realtek HD Audio Universal Service.exe | 31
PID 2168 wrote to memory of 2576 | 2168 | Realtek HD Audio Universal Service.exe | 33
PID 2168 wrote to memory of 1480 | 2168 | Realtek HD Audio Universal Service.exe | 35
PID 2168 wrote to memory of 2524 | 2168 | Realtek HD Audio Universal Service.exe | 37
Processes

C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe (PID 2168)
Command line: "C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe"
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2860, child of 2168)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2576, child of 2168)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Realtek HD Audio Universal Service.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1480, child of 2168)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Realtek HD Audio Universal Service.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2524, child of 2168)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Realtek HD Audio Universal Service.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
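The four PowerShell children above are the whole of this sample's defence-evasion step: each one runs Add-MpPreference to exclude either a file path or the process name from Defender scanning. The following is an added example, not part of the tria.ge report, showing how to pull those exclusions out of sandbox or EDR process command lines so they can be matched against the drop location and the configured install directory. The sample input is constructed here: the first four lines are the command lines from the process tree, the remaining lines are invented to exercise the parser (a Set-MpPreference line that disables features, a comma-separated list, and two benign lines). All function and constant names are this example's own.

```python
"""Flag Defender-tampering PowerShell command lines in a process tree.

Added example (not from the tria.ge report): parses Add-MpPreference /
Set-MpPreference command lines and returns what was excluded or disabled.
"""
import re
from dataclasses import dataclass, field

# Real Add-MpPreference parameter names for exclusions.
EXCLUSION_PARAMS = ("ExclusionPath", "ExclusionProcess", "ExclusionExtension", "ExclusionIpAddress")
_CANON = {p.lower(): p for p in EXCLUSION_PARAMS}

# One PowerShell argument value: single-quoted, double-quoted, or a bare token.
# Several values may be given as a comma-separated list.
_VALUE = r"(?:'[^']*'|\"[^\"]*\"|[^\s,]+)"
_PARAM_RE = re.compile(
    r"-(?P<param>" + "|".join(EXCLUSION_PARAMS) + r")\s+"
    r"(?P<value>" + _VALUE + r"(?:\s*,\s*" + _VALUE + r")*)",
    re.IGNORECASE,
)
_TOKEN_RE = re.compile(r"'([^']*)'|\"([^\"]*)\"|([^\s,]+)")
# Set-MpPreference -Disable<Feature> $true, e.g. -DisableRealtimeMonitoring $true
_DISABLE_RE = re.compile(r"-(?P<flag>Disable\w+)\s+(?:\$true|1|true)\b", re.IGNORECASE)
_PS_RE = re.compile(r"\b(?:powershell|pwsh)(?:\.exe)?\b", re.IGNORECASE)
_CMDLET_RE = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.IGNORECASE)


@dataclass
class DefenderTamperFinding:
    cmdlet: str
    command_line: str
    exclusions: dict = field(default_factory=dict)    # parameter -> [values]
    disabled_features: list = field(default_factory=list)
    execution_policy_bypass: bool = False


def _split_values(raw: str) -> list:
    """Turn "'a','b' c" into ['a', 'b', 'c'], dropping the quotes."""
    return [a or b or c for a, b, c in _TOKEN_RE.findall(raw)]


def parse_defender_tamper(cmdline: str):
    """Return a finding for a PowerShell line that adds Defender exclusions or
    disables Defender features; None for anything else."""
    if not _PS_RE.search(cmdline):
        return None
    m = _CMDLET_RE.search(cmdline)
    if not m:
        return None
    finding = DefenderTamperFinding(cmdlet=m.group(0), command_line=cmdline)
    for pm in _PARAM_RE.finditer(cmdline):
        key = _CANON[pm.group("param").lower()]
        finding.exclusions.setdefault(key, []).extend(_split_values(pm.group("value")))
    finding.disabled_features = [dm.group("flag") for dm in _DISABLE_RE.finditer(cmdline)]
    finding.execution_policy_bypass = bool(
        re.search(r"-ExecutionPolicy\s+Bypass\b", cmdline, re.IGNORECASE))
    return finding


def scan_command_lines(cmdlines) -> list:
    """Apply parse_defender_tamper to every line, keeping only the hits."""
    return [f for f in map(parse_defender_tamper, cmdlines) if f is not None]


def excluded_artifacts(findings) -> dict:
    """Union of every excluded value across findings, keyed by parameter.
    Compare the ExclusionPath set with the drop and install locations."""
    out = {}
    for f in findings:
        for key, values in f.exclusions.items():
            out.setdefault(key, set()).update(values)
    return out


# Constructed sample input: lines 1-4 are the powershell.exe command lines from
# the process tree above; the rest are made up here to exercise the parser.
_PS = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass '
SAMPLE_COMMAND_LINES = [
    _PS + r"Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe'",
    _PS + r"Add-MpPreference -ExclusionProcess 'Realtek HD Audio Universal Service.exe'",
    _PS + r"Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Realtek HD Audio Universal Service.exe'",
    _PS + r"Add-MpPreference -ExclusionProcess 'Realtek HD Audio Universal Service.exe'",
    r"powershell.exe -nop -w hidden Set-MpPreference -DisableRealtimeMonitoring $true -DisableIOAVProtection $true",
    r'powershell.exe Add-MpPreference -ExclusionExtension .exe,.dll -ExclusionPath "C:\ProgramData\svc"',
    r"powershell.exe Get-MpPreference",   # benign: reads preferences, changes nothing
    r"cmd.exe /c whoami",                 # not PowerShell
]

if __name__ == "__main__":
    hits = scan_command_lines(SAMPLE_COMMAND_LINES)
    for f in hits:
        print(f.cmdlet, f.exclusions, f.disabled_features,
              "ExecutionPolicy Bypass" if f.execution_policy_bypass else "")
    print(excluded_artifacts(hits))
```

On this report the ExclusionPath union is exactly the two places the file lives: the AppData\Local\Temp path it ran from and the %LocalAppData% install path named in the extracted config, which is why the second -ExclusionPath is worth reading as an install-location leak rather than noise. On a live host the equivalent post-hoc checks are the ExclusionPath and ExclusionProcess properties of Get-MpPreference and event ID 5007 (configuration changed) in the Microsoft-Windows-Windows Defender/Operational log.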
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: 81b73080837d7c1fe21b2fd0123df197
SHA1: cdf1c200be99f9821b2c039fac38d59c71627103
SHA256: 024cc5907069dba3392479739bfb242145e6fcfec01cd780f8e82ffb1e0781e4
SHA512: 4eedc0ac688c481d16fd89b32f7776a8a2524a785828eb0d1d591eb59b7b3db662942385520345bff034a566160319cfa05f6273c69f85e58407ea580b9303a2