Resubmissions

04/12/2024, 22:25

241204-2b8m1szpej 10

04/12/2024, 22:22

241204-2adq9aznfm 10

Analysis

  • max time kernel
    129s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    04/12/2024, 22:22

General

  • Target

    spoof test.7z

  • Size

    50KB

  • MD5

    2b80931dfec2265ac0357414e27497f4

  • SHA1

    d7bfec86f61e214a8b43fcdcaaf82bda5e88557a

  • SHA256

    9f83ee8c3f2263e2400f1dc667c58520a846d81b12e8d15f62e4dfeba4389b3b

  • SHA512

    cb9443487acf4de4a33deb781ef206533cf5b4095671f08dd2b5607f388a82be8478b4db86b5ceaebb6f1dcd6958cd2d09399a0acea04ecb6d9368fb94cda203

  • SSDEEP

    768:AH1u19IsbaKCa8fll6kehelKR8e1vmrnwJU2O3QLp5OYgtf8aGZqfTn:AVuXIsqaSlRehZRBF+/pip/glOcTn

Malware Config

Extracted

Family

xworm

C2

database-recommendations.gl.at.ply.gg:17666

Attributes
  • Install_directory

    %AppData%

  • install_file

    System User.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 30 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\spoof test.7z"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2956
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\7zOC8B2F317\mapshit.bat" "
      2⤵
        PID:1196
      • C:\Users\Admin\AppData\Local\Temp\7zOC8BBFA67\mapper.exe
        "C:\Users\Admin\AppData\Local\Temp\7zOC8BBFA67\mapper.exe"
        2⤵
        • Drops startup file
        • Executes dropped EXE
        • Adds Run key to start application
        • Sets desktop wallpaper using registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2644
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\7zOC8BBFA67\mapper.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2640
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'mapper.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1864
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\System User.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1412
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System User.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2976
        • C:\Windows\System32\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System User" /tr "C:\Users\Admin\AppData\Roaming\System User.exe"
          3⤵
          • Scheduled Task/Job: Scheduled Task
          PID:3036
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\How To Decrypt My Files.html
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2896
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2896 CREDAT:275457 /prefetch:2
            4⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:2904
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {0BCFD8AC-2912-48A6-8CB1-C94B60BB04D0} S-1-5-21-2039016743-699959520-214465309-1000:PIDEURYY\Admin:Interactive:[1]
      1⤵
        PID:2524

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\7zOC8B2F317\mapshit.bat

        Filesize

        461B

        MD5

        b8e618e6f339b03be77b4b606a360166

        SHA1

        8b91267bb92ffb2f957aba4ddb5fff13bcc9d48b

        SHA256

        fa5ca5898c1ac8616f4a9350560aeb09c3f8070323f5843b8ddeede91a5cc428

        SHA512

        9f1ade19d6ce8e95d9ab48211e1e3595dd6c646b403dab4c5dadabcb682d97c1f46716d27215650bbc67eb47d681b30459b7b78d77cdaa452d2707a224d03354

      • C:\Users\Admin\AppData\Local\Temp\7zOC8BBFA67\mapper.exe

        Filesize

        78KB

        MD5

        919023267a38b0b6641b26319901fddf

        SHA1

        dbd25f981353ce0f824fb441a2a0dc2441bdc8da

        SHA256

        c68421f86ca419eac8bb89fcd66b860db60ed4201c16bfa4159436bbbae9401e

        SHA512

        ece9275342a3986ef2ab60e0128ca055ea7e1352c13c05367b62e1296dbf4105d757ce0181a79888f1144f14379dc15518aac87bac81da093036ba1a243bbfbf

      • C:\Users\Admin\AppData\Local\Temp\CabD7AC.tmp

        Filesize

        70KB

        MD5

        49aebf8cbd62d92ac215b2923fb1b9f5

        SHA1

        1723be06719828dda65ad804298d0431f6aff976

        SHA256

        b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

        SHA512

        bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

      • C:\Users\Admin\AppData\Local\Temp\TarD86B.tmp

        Filesize

        181KB

        MD5

        4ea6026cf93ec6338144661bf1202cd1

        SHA1

        a1dec9044f750ad887935a01430bf49322fbdcb7

        SHA256

        8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

        SHA512

        6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

        Filesize

        7KB

        MD5

        f7ca283f2e5b2c58bd1a62facad5804e

        SHA1

        67c4466bf832e2e01b57bf578de5ebfe30f02364

        SHA256

        00638f8f6ec7bb3f52aba10142fa36d822fd8f372136b48b72b54bfc7936f779

        SHA512

        14f78bb7243ee0ea433cef51f8fe04e67c84bc50b521ca28bacc49870e5e3cbce11baea736b93439a0d11f6a7749c2bf78093cec69accb51080f35e2a450ed8c

      • C:\Users\Admin\Desktop\How To Decrypt My Files.html

        Filesize

        624B

        MD5

        997dd57752f8b1670d77578e978b346b

        SHA1

        c9b536bf00ac37cee6e747b1dbacdb6f8eddb0eb

        SHA256

        e5f3373efbd527f969b281aaec84ef2a7a1657e8fbb1f95d31f8a74f3b4c155c

        SHA512

        496ea318c6b338d31c4d4694c3f93c8ba496a67309b14d0e44335958b65356de68f90efdcb997626d1451e2d3b2a5227aaa61367d0d4a494d92610903c285d7d

      • C:\Users\Admin\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms.ENC

        Filesize

        16B

        MD5

        17869dbc67df2e3d232de9dbdc40767d

        SHA1

        9228b64f9436c833428e83fd1952448eb4800d93

        SHA256

        72826958043a1252c135dc654334cc89d0dbb1944fbf096b9c2134cc38ebee60

        SHA512

        d2a68df030aab44ce9ce57ce2702a47fde40464b880b833c408cbbd31d6363d36dab960011f7a0a0b626f0fefb9b82a82cda264105557e2506d75dd9b7c0884f

      • memory/1864-40-0x0000000001DE0000-0x0000000001DE8000-memory.dmp

        Filesize

        32KB

      • memory/1864-39-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

        Filesize

        2.9MB

      • memory/2640-33-0x0000000002810000-0x0000000002818000-memory.dmp

        Filesize

        32KB

      • memory/2640-32-0x000000001B5B0000-0x000000001B892000-memory.dmp

        Filesize

        2.9MB

      • memory/2644-59-0x0000000002180000-0x000000000218C000-memory.dmp

        Filesize

        48KB

      • memory/2644-57-0x00000000007D0000-0x00000000007DA000-memory.dmp

        Filesize

        40KB

      • memory/2644-55-0x00000000007A0000-0x00000000007AC000-memory.dmp

        Filesize

        48KB

      • memory/2644-27-0x00000000000F0000-0x000000000010A000-memory.dmp

        Filesize

        104KB