Resubmissions

13/01/2025, 01:00 UTC

250113-bcnq5axqbt 10

09/01/2025, 12:16 UTC

250109-pfhwyazjhs 10

06/01/2025, 14:21 UTC

250106-rpb6vs1kgr 10

02/01/2025, 20:47 UTC

250102-zlagvsvpdv 10

02/01/2025, 20:45 UTC

250102-zjvd9ayjar 10

Analysis

  • max time kernel
    423s
  • max time network
    428s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/01/2025, 12:16 UTC

Errors

Reason
Machine shutdown

General

  • Target

    Firefox Installer (ratted).exe

  • Size

    170KB

  • MD5

    200eb10c73336127006740ae06003933

  • SHA1

    32ef06528018d4f9fc8da3a7e7e07363b3a143f4

  • SHA256

    b46624ea261bec807dc1f93431ab3156450646976443c27322a7a9c4eec5e5f0

  • SHA512

    026eb0e018f25449f664dbc2655cfb5c360fd60a928fec344bd31b3cefa01a3fcce4dd1fc87b3aabce7557db57cb1247a1984c69b3ecb00d83f388fd6b09a0ce

  • SSDEEP

    1536:4ig4nFL9z2BOwVCMs6se7llqn17KineXd2wVKtivEYoNRh8RX9EIKhI49No:5zFL9zWOw7sgbcUieNJqKoPC5+Lm

Score
10/10

Malware Config

Extracted

Family

xworm

Version

5.0

C2

109.231.31.129:2021

Mutex

H7HNKbba3h7eEPOa

Attributes
  • Install_directory

    %AppData%

  • install_file

    FlrefoxUpdate.exe

aes.plain
1
zHSQlSCgdEuMRL3acPSBPw==

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 15 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Firefox Installer (ratted).exe
    "C:\Users\Admin\AppData\Local\Temp\Firefox Installer (ratted).exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2796
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "FlrefoxUpdate" /tr "C:\Users\Admin\AppData\Roaming\FlrefoxUpdate.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:1444
    • C:\Windows\SYSTEM32\shutdown.exe
      shutdown.exe /f /s /t 0
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1432
  • C:\Users\Admin\AppData\Roaming\FlrefoxUpdate.exe
    C:\Users\Admin\AppData\Roaming\FlrefoxUpdate.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3696
  • C:\Users\Admin\AppData\Roaming\FlrefoxUpdate.exe
    C:\Users\Admin\AppData\Roaming\FlrefoxUpdate.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4412
  • C:\Users\Admin\AppData\Roaming\FlrefoxUpdate.exe
    C:\Users\Admin\AppData\Roaming\FlrefoxUpdate.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2692
  • C:\Users\Admin\AppData\Roaming\FlrefoxUpdate.exe
    C:\Users\Admin\AppData\Roaming\FlrefoxUpdate.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4672
  • C:\Users\Admin\AppData\Roaming\FlrefoxUpdate.exe
    C:\Users\Admin\AppData\Roaming\FlrefoxUpdate.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2932
  • C:\Users\Admin\AppData\Roaming\FlrefoxUpdate.exe
    C:\Users\Admin\AppData\Roaming\FlrefoxUpdate.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2948
  • C:\Users\Admin\AppData\Roaming\FlrefoxUpdate.exe
    C:\Users\Admin\AppData\Roaming\FlrefoxUpdate.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2736
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa399f055 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:4952

Network

  • DNS 8.8.8.8.in-addr.arpa (remote address 8.8.8.8:53, US)
    Request: 8.8.8.8.in-addr.arpa IN PTR
    Response: 8.8.8.8.in-addr.arpa IN PTR dns.google
  • DNS 97.17.167.52.in-addr.arpa (remote address 8.8.8.8:53, US)
    Request: 97.17.167.52.in-addr.arpa IN PTR
    Response: (empty)
  • DNS 172.210.232.199.in-addr.arpa (remote address 8.8.8.8:53, US)
    Request: 172.210.232.199.in-addr.arpa IN PTR
    Response: (empty)
  • DNS 68.159.190.20.in-addr.arpa (remote address 8.8.8.8:53, US)
    Request: 68.159.190.20.in-addr.arpa IN PTR
    Response: (empty)
  • DNS 95.221.229.192.in-addr.arpa (remote address 8.8.8.8:53, US)
    Request: 95.221.229.192.in-addr.arpa IN PTR
    Response: (empty)
  • DNS 232.168.11.51.in-addr.arpa (remote address 8.8.8.8:53, US)
    Request: 232.168.11.51.in-addr.arpa IN PTR
    Response: (empty)
  • DNS 129.31.231.109.in-addr.arpa (remote address 8.8.8.8:53, US)
    Request: 129.31.231.109.in-addr.arpa IN PTR
    Response: 129.31.231.109.in-addr.arpa IN PTR 10923131129kobapl
  • DNS 154.239.44.20.in-addr.arpa (remote address 8.8.8.8:53, US)
    Request: 154.239.44.20.in-addr.arpa IN PTR
    Response: (empty)
  • DNS 197.87.175.4.in-addr.arpa (remote address 8.8.8.8:53, US)
    Request: 197.87.175.4.in-addr.arpa IN PTR
    Response: (empty)
  • DNS 198.187.3.20.in-addr.arpa (remote address 8.8.8.8:53, US)
    Request: 198.187.3.20.in-addr.arpa IN PTR
    Response: (empty)
  • DNS 8.153.16.2.in-addr.arpa (remote address 8.8.8.8:53, US)
    Request: 8.153.16.2.in-addr.arpa IN PTR
    Response: 8.153.16.2.in-addr.arpa IN PTR a2-16-153-8.deploy.static.akamaitechnologies.com
  • DNS 43.229.111.52.in-addr.arpa (remote address 8.8.8.8:53, US)
    Request: 43.229.111.52.in-addr.arpa IN PTR
    Response: (empty)
  • DNS 95.16.208.104.in-addr.arpa (remote address 8.8.8.8:53, US)
    Request: 95.16.208.104.in-addr.arpa IN PTR
    Response: (empty)
  • 109.231.31.129:2021  Firefox Installer (ratted).exe  6.5kB / 4.7kB  91 / 90
  • 8.8.8.8:53  8.8.8.8.in-addr.arpa  dns  66 B / 90 B  1 / 1  DNS Request: 8.8.8.8.in-addr.arpa
  • 8.8.8.8:53  97.17.167.52.in-addr.arpa  dns  71 B / 145 B  1 / 1  DNS Request: 97.17.167.52.in-addr.arpa
  • 8.8.8.8:53  172.210.232.199.in-addr.arpa  dns  74 B / 128 B  1 / 1  DNS Request: 172.210.232.199.in-addr.arpa
  • 8.8.8.8:53  68.159.190.20.in-addr.arpa  dns  72 B / 158 B  1 / 1  DNS Request: 68.159.190.20.in-addr.arpa
  • 8.8.8.8:53  95.221.229.192.in-addr.arpa  dns  73 B / 144 B  1 / 1  DNS Request: 95.221.229.192.in-addr.arpa
  • 8.8.8.8:53  232.168.11.51.in-addr.arpa  dns  72 B / 158 B  1 / 1  DNS Request: 232.168.11.51.in-addr.arpa
  • 8.8.8.8:53  129.31.231.109.in-addr.arpa  dns  73 B / 109 B  1 / 1  DNS Request: 129.31.231.109.in-addr.arpa
  • 8.8.8.8:53  154.239.44.20.in-addr.arpa  dns  72 B / 158 B  1 / 1  DNS Request: 154.239.44.20.in-addr.arpa
  • 8.8.8.8:53  197.87.175.4.in-addr.arpa  dns  71 B / 157 B  1 / 1  DNS Request: 197.87.175.4.in-addr.arpa
  • 8.8.8.8:53  198.187.3.20.in-addr.arpa  dns  71 B / 157 B  1 / 1  DNS Request: 198.187.3.20.in-addr.arpa
  • 8.8.8.8:53  8.153.16.2.in-addr.arpa  dns  69 B / 131 B  1 / 1  DNS Request: 8.153.16.2.in-addr.arpa
  • 8.8.8.8:53  43.229.111.52.in-addr.arpa  dns  72 B / 158 B  1 / 1  DNS Request: 43.229.111.52.in-addr.arpa
  • 8.8.8.8:53  95.16.208.104.in-addr.arpa  dns  72 B / 146 B  1 / 1  DNS Request: 95.16.208.104.in-addr.arpa


MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\FlrefoxUpdate.exe.log

    Filesize

    654B

    MD5

    2ff39f6c7249774be85fd60a8f9a245e

    SHA1

    684ff36b31aedc1e587c8496c02722c6698c1c4e

    SHA256

    e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

    SHA512

    1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

  • C:\Users\Admin\AppData\Roaming\FlrefoxUpdate.exe

    Filesize

    170KB

    MD5

    200eb10c73336127006740ae06003933

    SHA1

    32ef06528018d4f9fc8da3a7e7e07363b3a143f4

    SHA256

    b46624ea261bec807dc1f93431ab3156450646976443c27322a7a9c4eec5e5f0

    SHA512

    026eb0e018f25449f664dbc2655cfb5c360fd60a928fec344bd31b3cefa01a3fcce4dd1fc87b3aabce7557db57cb1247a1984c69b3ecb00d83f388fd6b09a0ce

  • memory/2796-0-0x00007FFA29163000-0x00007FFA29165000-memory.dmp

    Filesize

    8KB

  • memory/2796-1-0x0000000000C40000-0x0000000000C70000-memory.dmp

    Filesize

    192KB

  • memory/2796-3-0x00007FFA29160000-0x00007FFA29C21000-memory.dmp

    Filesize

    10.8MB

  • memory/2796-4-0x00007FFA29163000-0x00007FFA29165000-memory.dmp

    Filesize

    8KB

  • memory/2796-5-0x00007FFA29160000-0x00007FFA29C21000-memory.dmp

    Filesize

    10.8MB

  • memory/2796-18-0x00007FFA29160000-0x00007FFA29C21000-memory.dmp

    Filesize

    10.8MB

  • memory/3696-8-0x00007FFA29160000-0x00007FFA29C21000-memory.dmp

    Filesize

    10.8MB

  • memory/3696-10-0x00007FFA29160000-0x00007FFA29C21000-memory.dmp

    Filesize

    10.8MB
