Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 117s
max time network: 145s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 28/11/2024, 02:55
Static task: static1
Behavioral task: behavioral1 (sample OrderList.scr, resource win7-20240903-en)
Behavioral task: behavioral2 (sample OrderList.scr, resource win10v2004-20241007-en)
Behavioral task: behavioral3 (sample Quotation.scr, resource win7-20241010-en)
General
Target: Quotation.scr
Size: 945KB
MD5: 91808cc12b1db334c458e38174207aba
SHA1: 6a7be345db82c710c129b7bf17a9633b92398482
SHA256: 2b68138198f01ca60ce18eb72fc8c1268691bae2409dd56ab871d465a958c1dc
SHA512: 771784a96c5bff6fd6ebca728aa634363bf5a13a8e0f907bb76524bfa8f4131e5aef1ed680604ff9131d4c6588386a9b2758f1b0501c9bd9484d645a3982a1ed
SSDEEP: 12288:Jtb20Qc3lT7af41ePBRYuQLKpqeUhbTv5OFgNuPPpHSga5TiSRlHEKqEFJMr+6A:Jtb20pkaCqT5TBWgNQ7a9iS3EVE++6A
Malware Config
Extracted
Family: xworm
Version: 3.1
C2: 69.174.99.6:7000
Mutex: ZMMi52bfIGvYY0Ok
install_file: USB.exe
Signatures
Detect Xworm Payload (3 IoCs)
resource / yara_rule:
behavioral3/memory/1604-22-0x0000000000400000-0x000000000040E000-memory.dmp  family_xworm
behavioral3/memory/1604-24-0x0000000000400000-0x000000000040E000-memory.dmp  family_xworm
behavioral3/memory/1604-26-0x0000000000400000-0x000000000040E000-memory.dmp  family_xworm
Xworm family
Drops startup file (1 IoC)
description / ioc / Process:
File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fascinatress.vbs  fascinatress.exe
Executes dropped EXE (1 IoC)
pid / Process:
2844  fascinatress.exe
Loads dropped DLL (1 IoC)
pid / Process:
2136  Quotation.scr
AutoIT Executable (1 IoC)
AutoIT scripts compiled to PE executables.
resource / yara_rule:
behavioral3/files/0x000700000001921f-8.dat  autoit_exe
Suspicious use of SetThreadContext (1 IoC)
description / pid / Process / procid_target:
PID 2844 set thread context of 1604  2844  fascinatress.exe  32
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / Process:
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Quotation.scr
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  fascinatress.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  RegSvcs.exe
Suspicious behavior: MapViewOfSection (1 IoC)
pid / Process:
2844  fascinatress.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
description / pid / Process:
Token: SeDebugPrivilege  1604  RegSvcs.exe
Suspicious use of FindShellTrayWindow (4 IoCs)
pid / Process:
2136  Quotation.scr (2 occurrences)
2844  fascinatress.exe (2 occurrences)
Suspicious use of SendNotifyMessage (4 IoCs)
pid / Process:
2136  Quotation.scr (2 occurrences)
2844  fascinatress.exe (2 occurrences)
Suspicious use of WriteProcessMemory (12 IoCs)
description / pid / Process / procid_target:
PID 2136 wrote to memory of 2844  2136  Quotation.scr  31 (4 occurrences)
PID 2844 wrote to memory of 1604  2844  fascinatress.exe  32 (8 occurrences)
Processes
C:\Users\Admin\AppData\Local\Temp\Quotation.scr
  command line: "C:\Users\Admin\AppData\Local\Temp\Quotation.scr" /S
  PID: 2136
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\bleacher\fascinatress.exe (child of PID 2136)
    command line: "C:\Users\Admin\AppData\Local\Temp\Quotation.scr" /S
    PID: 2844
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (child of PID 2844)
      command line: "C:\Users\Admin\AppData\Local\Temp\Quotation.scr" /S
      PID: 1604
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
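The Signatures and Processes sections above describe a single chain: the AutoIT-compiled Quotation.scr (PID 2136) starts the dropped fascinatress.exe (PID 2844), which writes eight times into a freshly created RegSvcs.exe (PID 1604), calls SetThreadContext on it, and drops a .vbs into the Startup folder; the XWorm YARA hits then land in PID 1604 at 0x400000-0x40E000. Two details are worth encoding as detections: the parent-write-then-SetThreadContext pairing (the classic process-hollowing sequence), and the fact that fascinatress.exe and RegSvcs.exe both report the command line of Quotation.scr, so the executable named on the command line does not match the image actually running. The script below is an added example, not part of the tria.ge report; it replays the chain as hand-constructed event records modelled on the rows above and applies those checks. The event schema and field names are this example's own assumptions, not tria.ge's format.

```python
"""Process-hollowing and persistence checks over sandbox behaviour events.

Added example, not code from the tria.ge report. EVENTS is constructed by
hand from the report's Signatures/Processes rows; the record layout
(type / pid / ppid / image / cmdline / target / path) is an assumption of
this script, not the sandbox's export schema.
"""
from collections import Counter
import ntpath

# Every process in the chain reports this command line (see Processes).
CHAIN_CMDLINE = r'"C:\Users\Admin\AppData\Local\Temp\Quotation.scr" /S'

# Constructed from the report: three process creations, the 4 + 8
# WriteProcessMemory rows, the SetThreadContext row and the Startup drop.
EVENTS = [
    {"type": "process", "pid": 2136, "ppid": 0,
     "image": r"C:\Users\Admin\AppData\Local\Temp\Quotation.scr",
     "cmdline": CHAIN_CMDLINE},
    {"type": "process", "pid": 2844, "ppid": 2136,
     "image": r"C:\Users\Admin\AppData\Local\bleacher\fascinatress.exe",
     "cmdline": CHAIN_CMDLINE},
    {"type": "process", "pid": 1604, "ppid": 2844,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "cmdline": CHAIN_CMDLINE},
    *[{"type": "write_memory", "pid": 2136, "target": 2844}] * 4,
    *[{"type": "write_memory", "pid": 2844, "target": 1604}] * 8,
    {"type": "set_thread_context", "pid": 2844, "target": 1604},
    {"type": "file_create", "pid": 2844,
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
             r"\Start Menu\Programs\Startup\fascinatress.vbs"},
]

STARTUP_MARKER = "\\start menu\\programs\\startup\\"


def argv0(cmdline: str) -> str:
    """First token of a Windows command line, honouring a quoted path."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(" ", 1)[0]


def analyze(events):
    """Return (finding, pid, detail) tuples for the three checks below."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    writes = Counter((e["pid"], e["target"])
                     for e in events if e["type"] == "write_memory")
    ctx = {(e["pid"], e["target"])
           for e in events if e["type"] == "set_thread_context"}
    findings = []

    # 1. The command line names a different executable than the image
    #    that is actually running (RegSvcs.exe started "as" Quotation.scr).
    for pid, p in procs.items():
        claimed = ntpath.basename(argv0(p["cmdline"])).lower()
        actual = ntpath.basename(p["image"]).lower()
        if claimed != actual:
            findings.append(("cmdline_image_mismatch", pid,
                             f"{actual} running with command line of {claimed}"))

    # 2. Hollowing: a parent writes into a child it created AND resets that
    #    child's thread context. Writes alone are not enough; a parent
    #    writing into a freshly created child is common (2136 -> 2844 here).
    for (src, dst), n in writes.items():
        child = procs.get(dst)
        if child and child["ppid"] == src and (src, dst) in ctx:
            findings.append(("process_hollowing", dst,
                             f"{n} writes + SetThreadContext from pid {src}"))

    # 3. Persistence: anything written into the per-user Startup folder.
    for e in events:
        if e["type"] == "file_create" and STARTUP_MARKER in e["path"].lower():
            findings.append(("startup_persistence", e["pid"],
                             ntpath.basename(e["path"])))
    return findings


def lineage(procs, pid):
    """Image basenames from the root of the process tree down to pid."""
    names = []
    while pid in procs:
        names.append(ntpath.basename(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return names[::-1]


if __name__ == "__main__":
    for kind, pid, detail in analyze(EVENTS):
        print(f"{kind:24} pid {pid:<5} {detail}")
    tree = {e["pid"]: e for e in EVENTS if e["type"] == "process"}
    print(" -> ".join(lineage(tree, 1604)))
```

Run as-is it reports the mismatch for PIDs 2844 and 1604, the hollowing of 1604 by 2844, and the Startup drop by 2844, and prints the chain Quotation.scr -> fascinatress.exe -> RegSvcs.exe. The four writes from 2136 into 2844 are deliberately not flagged: without the SetThreadContext pairing they look like an ordinary process start, which is why the hollowing rule keys on the combination rather than on WriteProcessMemory counts alone.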
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 945KB
MD5: 91808cc12b1db334c458e38174207aba
SHA1: 6a7be345db82c710c129b7bf17a9633b92398482
SHA256: 2b68138198f01ca60ce18eb72fc8c1268691bae2409dd56ab871d465a958c1dc
SHA512: 771784a96c5bff6fd6ebca728aa634363bf5a13a8e0f907bb76524bfa8f4131e5aef1ed680604ff9131d4c6588386a9b2758f1b0501c9bd9484d645a3982a1ed