Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

Builder Wo...1).zip

windows11-21h2-x64

10

Analysis

  • max time kernel
    65s
  • max time network
    62s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    02/01/2025, 18:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Builder WorldWind Pro (1).zip

  • Size

    2.4MB

  • MD5

    82a0e194de7cb967c13494efa4e3f3a6

  • SHA1

    c1b8a0428538841272e57972eda61879768cfcbc

  • SHA256

    ebba736dfa26b559658df13cda55e2aef8cf744c05f817396ef1d3b17870a83e

  • SHA512

    60a85f906a0b9ef468b27b396683a5e5a5a762ae3f16e2a23e45b09657a984142ee68a1e92162c1ec3ab7c82c074ef8f642a5fea4bd8d53c551533b87b09b383

  • SSDEEP

    49152:nHqaHgIuK4sLgsAhmHa7HAIkc0UOX9Hp63nfUxR:nHqaHb6Jhn3kc0UOXSnfUR

Score
10/10
xwormdiscoveryexecutionrattrojan

Malware Config

Extracted

Family

xworm

C2

dsasinject-58214.portmap.io:3389

Attributes
  • Install_directory

    %AppData%

  • install_file

    svchost.exe

  • telegram

    https://api.telegram.org/bot7023899363:AAFEzgbfWzhyE32Lf95TKSRYEYXMd4AfMyk/sendMessage?chat_id=6354844663

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops startup file 4 IoCs
  • Executes dropped EXE 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Builder WorldWind Pro (1).zip"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2912
  • C:\Users\Admin\Desktop\Builder WorldWind Pro‌‌.exe
    "C:\Users\Admin\Desktop\Builder WorldWind Pro‌‌.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:2704
    • C:\Users\Admin\Desktop\Builder WorldWind Pro.exe
      "C:\Users\Admin\Desktop\Builder WorldWind Pro.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2412
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1804
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4988
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3428
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:584
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2908
    • C:\ProgramData\csrss.exe
      "C:\ProgramData\csrss.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2080
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\csrss.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4204
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'csrss.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:500
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\csrss.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:240
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'csrss.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2472
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1664

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\csrss.exe
    Filesize

    28KB

    MD5

    4d250bcbc14b9b2076b4c651ee3b7deb

    SHA1

    f5cd7173e1797f085b2da82cfa3729e0144bc16b

    SHA256

    41a2f2ca1bdf22fcef635dba5bfd267d32c432aa2f9f00c1574465712d7a5260

    SHA512

    3c3ef5bf7ce6490864256c779493275710645b8cd6087e982b9f49cf1b76f35d1f38799e2641ba5bad00d616aac1eead7b922630795eb88d4a398964365007a2

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    627073ee3ca9676911bee35548eff2b8

    SHA1

    4c4b68c65e2cab9864b51167d710aa29ebdcff2e

    SHA256

    85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

    SHA512

    3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    64497dba662bee5d7ae7a3c76a72ed88

    SHA1

    edc027042b9983f13d074ba9eed8b78e55e4152e

    SHA256

    ca69ebbd2c9c185f0647fb2122d7a26e7d23af06a1950fb25ac327d869687b47

    SHA512

    25da69ec86ba0df6c7da60f722cc2919c59c91f2bb03137e0e87771936e5271522d48eef98030a0da41f7a707d82221d35fb016f8bb9a294e87be114adbe3522

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    add8670715a08a3924920cb86fef8852

    SHA1

    5a21cec9bfe3dfe8d96b5c270d96a43a67cb7fff

    SHA256

    143fcf85fa3e809e16e2cd75353bc18da45762f91a621dbe7f1d4980c9aeb30e

    SHA512

    c6a9d2b5d7e0193d47946758988ac4a92803c6ec6753ac054e15f046c761311f762d3312f4ba043dd6e42d3a090b3ee4bf0f5ed82a53522d75c67be23235b144

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    d0a4a3b9a52b8fe3b019f6cd0ef3dad6

    SHA1

    fed70ce7834c3b97edbd078eccda1e5effa527cd

    SHA256

    21942e513f223fdad778348fbb20617dd29f986bccd87824c0ae7f15649f3f31

    SHA512

    1a66f837b4e7fb6346d0500aeacb44902fb8a239bce23416271263eba46fddae58a17075e188ae43eb516c841e02c87e32ebd73256c7cc2c0713d00c35f1761b

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    b0a85f07903eaad4aace8865ff28679f

    SHA1

    caa147464cf2e31bf9b482c3ba3c5c71951566d1

    SHA256

    c85c7915e0bcc6cc3d7dd2f6b9d9e4f9a3cf0ccefa043b1c500facac8428bfd5

    SHA512

    7a650a74a049e71b748f60614723de2b9d2385a0f404606bcb22ae807e22a74c53cf672df9e7a23605dfff37865443a5899eafea323134a818eb59c96e0f94bd

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ny2trrjs.al4.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Roaming\svchost.exe
    Filesize

    76KB

    MD5

    7c1243aac3248ae75cc2bab7bf4dfaba

    SHA1

    3dd055ef06380e5886f59b76761132c36e8b3e8f

    SHA256

    dbf81c18b8fa71de185da60a70e41f5799405e5a8331e759b399cab5353a1eda

    SHA512

    3f643f2ec6ca210247eab13abfb2e7e73e0f8621e137c9c1fedc3390fbd5129d78dba438988fa6cf70800def4f60cc2a320e8f269b2bfeaa63bade64c5a2bcbf

    Download Submit

  • C:\Users\Admin\Desktop\Builder WorldWind Pro.exe
    Filesize

    416KB

    MD5

    5e503d24ca178db83e5d931990c1baa6

    SHA1

    4873707dde8e39da9898dd324a5912d2a30482c6

    SHA256

    e0e74379954acb4d9847c0cfb63e8a4028217d859c74ad97b40504627277d16b

    SHA512

    3bd9474ee1dfc2fe2acd1c22518f10b13b938ef19fafa2fd540ca650533508f3aa66fa17cba43a70aa9eeba6b6ab4bdb5724262e869187756f5a721b38214f68

    Download Submit

  • C:\Users\Admin\Desktop\Builder WorldWind Pro‌‌.exe
    Filesize

    386KB

    MD5

    142b02b4b22c03523db3522ce6fd6b10

    SHA1

    836cd20f44621aeca77d7ec4253d1aa92695a40a

    SHA256

    aac53980d79ea8fd1358d7b6b29a0693e71bf8ad936b91d06e953e6855aab1e6

    SHA512

    849dae7774ebd950482c6a2c10000411932221ddbe4f72f266a3fd9c457894ca185214841e9de91680eb5781831ff7fcb018e9810ff81b3f616f0c45fc5eee23

    Download Submit

  • memory/1804-44-0x0000000000180000-0x000000000019A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2080-46-0x0000000000EB0000-0x0000000000EBE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2412-47-0x0000000000C50000-0x0000000000CBE000-memory.dmp

    Filesize

    440KB

    Download

  • memory/2412-50-0x00000000058B0000-0x0000000005942000-memory.dmp

    Filesize

    584KB

    Download

  • memory/2412-52-0x0000000005AA0000-0x0000000005AF6000-memory.dmp

    Filesize

    344KB

    Download

  • memory/2412-51-0x0000000005830000-0x000000000583A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2412-49-0x0000000005E30000-0x00000000063D6000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2412-48-0x0000000005730000-0x00000000057CC000-memory.dmp

    Filesize

    624KB

    Download

  • memory/2704-45-0x00007FFC567D0000-0x00007FFC57292000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2704-8-0x00007FFC567D0000-0x00007FFC57292000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2704-5-0x0000000000B60000-0x0000000000BC6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2704-4-0x00007FFC567D3000-0x00007FFC567D5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4988-58-0x000001E5E5CE0000-0x000001E5E5D02000-memory.dmp

    Filesize

    136KB

    Download