Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

10b20d5ab6...1c.bat

windows7-x64

8

10b20d5ab6...1c.bat

windows10-2004-x64

8

13b53797e8...62.exe

windows7-x64

10

13b53797e8...62.exe

windows10-2004-x64

10

15d55e8865...ec.exe

windows7-x64

10

15d55e8865...ec.exe

windows10-2004-x64

10

1b5f4adeca...0d.exe

windows7-x64

3

1b5f4adeca...0d.exe

windows10-2004-x64

3

3dc30eca9e...04.exe

windows7-x64

10

3dc30eca9e...04.exe

windows10-2004-x64

10

56cd7a444e...40.exe

windows7-x64

3

56cd7a444e...40.exe

windows10-2004-x64

3

5ee74cad24...f9.exe

windows7-x64

10

5ee74cad24...f9.exe

windows10-2004-x64

10

5ff273f03e...43.exe

windows7-x64

10

5ff273f03e...43.exe

windows10-2004-x64

10

60b98a0907...1c.exe

windows7-x64

7

60b98a0907...1c.exe

windows10-2004-x64

10

6a91052845...3f.exe

windows7-x64

10

6a91052845...3f.exe

windows10-2004-x64

10

6c4bf8dc2f...d6.exe

windows7-x64

3

6c4bf8dc2f...d6.exe

windows10-2004-x64

3

807ebe7580...38.exe

windows7-x64

10

807ebe7580...38.exe

windows10-2004-x64

10

86abfdc360...b3.exe

windows7-x64

10

86abfdc360...b3.exe

windows10-2004-x64

10

89463c1b87...a6.exe

windows7-x64

4

89463c1b87...a6.exe

windows10-2004-x64

4

9bdc43df16...87.ps1

windows7-x64

3

9bdc43df16...87.ps1

windows10-2004-x64

10

9d11b8db73...e1.exe

windows7-x64

10

9d11b8db73...e1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    30/12/2024, 05:30 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5ff273f03e88a8b0a1f58c85dfa28fee6f44766eb09d53c421eb770d6b965e43.exe

  • Size

    85KB

  • MD5

    c1826ac82abf9c6d49c3bff9f8cbb31c

  • SHA1

    0c15d09f8af3e0850c97b8aece22e351229ab6bd

  • SHA256

    5ff273f03e88a8b0a1f58c85dfa28fee6f44766eb09d53c421eb770d6b965e43

  • SHA512

    76ada87e6b90a5a1e7622b148affd1ad89f83eef9af81f96b6d94d64ae8b4a80624b2b118a2890aca945a10b0ec12d0e6d0d4304d300e7be4cf8f70c4ebac855

  • SSDEEP

    1536:Dl+noSnLDekZPaf2vpmbl4aXmI7ufDD6ALj2TCzOgiHZnP:D8v/aev4bl4i7acoOzH1P

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

185.117.250.169:7000

66.175.239.149:7000

185.117.249.43:7000
Attributes
  • Install_directory

    %AppData%

  • install_file

    WmiPrvSE.exe

Signatures

  • Detect Xworm Payload 5 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops startup file 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\5ff273f03e88a8b0a1f58c85dfa28fee6f44766eb09d53c421eb770d6b965e43.exe
    "C:\Users\Admin\AppData\Local\Temp\5ff273f03e88a8b0a1f58c85dfa28fee6f44766eb09d53c421eb770d6b965e43.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3024
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\5ff273f03e88a8b0a1f58c85dfa28fee6f44766eb09d53c421eb770d6b965e43.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2660
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '5ff273f03e88a8b0a1f58c85dfa28fee6f44766eb09d53c421eb770d6b965e43.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2716
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\WmiPrvSE.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2756
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WmiPrvSE.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2584
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WmiPrvSE" /tr "C:\Users\Admin\AppData\Roaming\WmiPrvSE.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:1936
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {B11CA824-AA76-4525-B6C4-570B4441C8B5} S-1-5-21-4177215427-74451935-3209572229-1000:JSMURNPT\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1012
    • C:\Users\Admin\AppData\Roaming\WmiPrvSE.exe
      C:\Users\Admin\AppData\Roaming\WmiPrvSE.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:672
    • C:\Users\Admin\AppData\Roaming\WmiPrvSE.exe
      C:\Users\Admin\AppData\Roaming\WmiPrvSE.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:968
    • C:\Users\Admin\AppData\Roaming\WmiPrvSE.exe
      C:\Users\Admin\AppData\Roaming\WmiPrvSE.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:992

Network

  • flag-us
    DNS
    ip-api.com
    5ff273f03e88a8b0a1f58c85dfa28fee6f44766eb09d53c421eb770d6b965e43.exe
    Remote address:
    8.8.8.8:53
    Request
    ip-api.com
    IN A
    Response
    ip-api.com
    IN A
    208.95.112.1
  • flag-us
    GET
    http://ip-api.com/line/?fields=hosting
    5ff273f03e88a8b0a1f58c85dfa28fee6f44766eb09d53c421eb770d6b965e43.exe
    Remote address:
    208.95.112.1:80
    Request
    GET /line/?fields=hosting HTTP/1.1
    Host: ip-api.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Mon, 30 Dec 2024 05:44:41 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 6
    Access-Control-Allow-Origin: *
    X-Ttl: 60
    X-Rl: 44
  • 208.95.112.1:80
    http://ip-api.com/line/?fields=hosting
    http
    5ff273f03e88a8b0a1f58c85dfa28fee6f44766eb09d53c421eb770d6b965e43.exe
    310 B
     347 B
     5
    4

    HTTP Request

    GET http://ip-api.com/line/?fields=hosting

    HTTP Response

    200
  • 185.117.250.169:7000
    5ff273f03e88a8b0a1f58c85dfa28fee6f44766eb09d53c421eb770d6b965e43.exe
    152 B
     3
  • 185.117.250.169:7000
    5ff273f03e88a8b0a1f58c85dfa28fee6f44766eb09d53c421eb770d6b965e43.exe
    152 B
     3
  • 185.117.249.43:7000
    5ff273f03e88a8b0a1f58c85dfa28fee6f44766eb09d53c421eb770d6b965e43.exe
    152 B
     3
  • 66.175.239.149:7000
    5ff273f03e88a8b0a1f58c85dfa28fee6f44766eb09d53c421eb770d6b965e43.exe
    152 B
     3
  • 66.175.239.149:7000
    5ff273f03e88a8b0a1f58c85dfa28fee6f44766eb09d53c421eb770d6b965e43.exe
    152 B
     3
  • 8.8.8.8:53
    ip-api.com
    dns
    5ff273f03e88a8b0a1f58c85dfa28fee6f44766eb09d53c421eb770d6b965e43.exe
    56 B
     72 B
     1
    1

    DNS Request

    ip-api.com

    DNS Response

    208.95.112.1

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    77cc380895b9b040bbaf53cc2298c249

    SHA1

    82aa8d82307e482b330234376214f490d177e96a

    SHA256

    142f1307d357339366d45f0d5ee949158aa58adf39fece61bbbc741068fd779a

    SHA512

    13a36fd42a5f3cc7640c93be2f96b3aba28e99bdf808f4f4dbd85ebfc2c5fddd2113a84bc9501a3ee73c30c7c8d5a84a4cfd0847e275b334adbaaaa19011eb14

    Download Submit

  • C:\Users\Admin\AppData\Roaming\WmiPrvSE.exe
    Filesize

    85KB

    MD5

    c1826ac82abf9c6d49c3bff9f8cbb31c

    SHA1

    0c15d09f8af3e0850c97b8aece22e351229ab6bd

    SHA256

    5ff273f03e88a8b0a1f58c85dfa28fee6f44766eb09d53c421eb770d6b965e43

    SHA512

    76ada87e6b90a5a1e7622b148affd1ad89f83eef9af81f96b6d94d64ae8b4a80624b2b118a2890aca945a10b0ec12d0e6d0d4304d300e7be4cf8f70c4ebac855

    Download Submit

  • memory/672-37-0x00000000000D0000-0x00000000000EC000-memory.dmp

    Filesize

    112KB

    Download

  • memory/968-40-0x0000000000AA0000-0x0000000000ABC000-memory.dmp

    Filesize

    112KB

    Download

  • memory/992-42-0x0000000000D80000-0x0000000000D9C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/2660-8-0x000000001B670000-0x000000001B952000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2660-9-0x0000000002810000-0x0000000002818000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2660-7-0x0000000002910000-0x0000000002990000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2716-15-0x000000001B670000-0x000000001B952000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2716-16-0x0000000001F50000-0x0000000001F58000-memory.dmp

    Filesize

    32KB

    Download

  • memory/3024-28-0x000007FEF57B3000-0x000007FEF57B4000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3024-33-0x000007FEF57B0000-0x000007FEF619C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/3024-0-0x000007FEF57B3000-0x000007FEF57B4000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3024-2-0x000007FEF57B0000-0x000007FEF619C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/3024-1-0x0000000000F00000-0x0000000000F1C000-memory.dmp

    Filesize

    112KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.