Analysis
max time kernel: 9s
max time network: 8s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 18/01/2025, 22:34
Behavioral task behavioral1
Sample: XWorm/XWorm 5.6.exe
Resource: win7-20240729-en
Behavioral task behavioral2
Sample: XWorm/XWorm 5.6.exe
Resource: win10v2004-20241007-en
General
Target: XWorm/XWorm 5.6.exe
Size: 40KB
MD5: 496c3225443deab6949914cd224046f4
SHA1: 18b75bbac53042d66ccddb565e3a5a8547cc563f
SHA256: 875d88c284b312b7858c2fd2b683036c16f9f914bce35ca8fa87ccfb2db202be
SHA512: 2d7c2436244bd5d5908cdae5ec7dae1ef10eae421204c48dfcce77162d0b8a3fb90a6a9acfc9a310d30b241b62b0e79a7464503fff873cf73f331b8d20bd9dec
SSDEEP: 768:CNZ4ZV7QMND9Pf7PnDPItE9/JF5Py9Ovzf6SOMhS33iP:My7Qo1TPnDP5xFs9C76SOMIW
Malware Config
Extracted
Family: xworm
Version: 5.0
C2: 127.0.0.1:55967
C2: ca-assessing.gl.at.ply.gg:55967
0VAbVWRVWwPHtkmk
Install_directory: %AppData%
install_file: USB.exe
Signatures
Detect Xworm Payload (1 IoC)
  resource / yara_rule: behavioral1/memory/2328-1-0x0000000000F30000-0x0000000000F40000-memory.dmp matched family_xworm
Xworm family
Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)
  Runs PowerShell to modify Windows Defender settings by adding exclusions for file extensions, paths, and processes (this sample adds path and process exclusions only; see the process tree below).
  pid / Process: 2808 powershell.exe; 2740 powershell.exe; 2672 powershell.exe; 1336 powershell.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  description / ioc / Process: Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\ayo = "C:\\Users\\Admin\\AppData\\Roaming\\ayo" by XWorm 5.6.exe
Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow / ioc: 4 ip-api.com
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid / Process: 2808 powershell.exe; 2740 powershell.exe; 2672 powershell.exe; 1336 powershell.exe; 2328 XWorm 5.6.exe
Suspicious use of AdjustPrivilegeToken (6 IoCs)
  description / pid / Process: Token: SeDebugPrivilege 2328 XWorm 5.6.exe; Token: SeDebugPrivilege 2808 powershell.exe; Token: SeDebugPrivilege 2740 powershell.exe; Token: SeDebugPrivilege 2672 powershell.exe; Token: SeDebugPrivilege 1336 powershell.exe; Token: SeDebugPrivilege 2328 XWorm 5.6.exe
Suspicious use of SetWindowsHookEx (1 IoC)
  pid / Process: 2328 XWorm 5.6.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  description / pid / Process / procid_target (each write reported three times):
  PID 2328 (XWorm 5.6.exe) wrote to memory of 2808, procid_target 31
  PID 2328 (XWorm 5.6.exe) wrote to memory of 2740, procid_target 33
  PID 2328 (XWorm 5.6.exe) wrote to memory of 2672, procid_target 35
  PID 2328 (XWorm 5.6.exe) wrote to memory of 1336, procid_target 37
Processes
- Level 1: "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm 5.6.exe" (PID 2328)
  Signatures: Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - Level 2: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm 5.6.exe' (PID 2808)
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - Level 2: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XWorm 5.6.exe' (PID 2740)
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - Level 2: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\ayo' (PID 2672)
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - Level 2: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ayo' (PID 1336)
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
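The process tree above is a compact illustration of a common loader pattern: the sample spawns four PowerShell children, and each one runs Add-MpPreference to exclude either the sample's own path and process name or the Run-key payload (ayo) from Defender. The following is an added detection example written for this report, not code from tria.ge or from the sample: it runs simple triage rules over constructed process-creation and registry events modelled on the IoCs above (generic EDR-style field names, an assumed parent PID for the root process, and one assumed benign Get-MpPreference event for contrast), and rates the result "high" only when an exclusion covers the process that added it or a Run-key payload, which is exactly the correlation this sample exhibits.

```python
"""Triage rules for the behaviours above: Add-MpPreference exclusion
tampering, Run-key persistence, and correlation of the two."""
import re
from typing import Dict, List

POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
XWORM = r"C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm 5.6.exe"


def _ps(args: str) -> str:
    # Build a powershell.exe command line the way the sandbox rendered it.
    return '"' + POWERSHELL + '" ' + args


# Constructed process-creation events modelled on the report's process tree.
# Field names are a generic EDR-style schema (not tria.ge's); the root ppid
# and the benign admin event at the end are assumptions for this example.
PROCESS_EVENTS: List[Dict] = [
    {"pid": 2328, "ppid": 1512, "image": XWORM, "cmdline": '"' + XWORM + '"'},
    {"pid": 2808, "ppid": 2328, "image": POWERSHELL,
     "cmdline": _ps("-ExecutionPolicy Bypass Add-MpPreference -ExclusionPath '" + XWORM + "'")},
    {"pid": 2740, "ppid": 2328, "image": POWERSHELL,
     "cmdline": _ps("-ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XWorm 5.6.exe'")},
    {"pid": 2672, "ppid": 2328, "image": POWERSHELL,
     "cmdline": _ps(r"-ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\ayo'")},
    {"pid": 1336, "ppid": 2328, "image": POWERSHELL,
     "cmdline": _ps("-ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ayo'")},
    {"pid": 3100, "ppid": 900, "image": POWERSHELL,  # benign query, must not fire
     "cmdline": _ps("-Command Get-MpPreference")},
]
# Constructed registry event modelled on the "Adds Run key" IoC in the report.
REGISTRY_EVENTS: List[Dict] = [
    {"pid": 2328, "value": r"C:\Users\Admin\AppData\Roaming\ayo",
     "key": r"\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000"
            r"\Software\Microsoft\Windows\CurrentVersion\Run\ayo"},
]

ADD_MP_RE = re.compile(r"\bAdd-MpPreference\b", re.IGNORECASE)
# One -Exclusion* parameter and its value(s): a comma-separated array of quoted
# or bare tokens. Abbreviated PowerShell parameter names are not handled here.
_TOK = r"'[^']*'|\"[^\"]*\"|[^\s,'\"]+"
EXCL_PARAM_RE = re.compile(
    r"-Exclusion(Path|Process|Extension|IpAddress)\s+((?:%s)(?:\s*,\s*(?:%s))*)" % (_TOK, _TOK),
    re.IGNORECASE)
TOKEN_RE = re.compile(r"'([^']*)'|\"([^\"]*)\"|([^\s,'\"]+)")
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public|Downloads)\\", re.IGNORECASE)


def find_defender_exclusions(events: List[Dict]) -> List[Dict]:
    """Return every exclusion added via Add-MpPreference, one entry per target."""
    hits = []
    for ev in events:
        cmd = ev["cmdline"]
        if not ADD_MP_RE.search(cmd):
            continue
        for m in EXCL_PARAM_RE.finditer(cmd):
            for tok in TOKEN_RE.finditer(m.group(2)):
                target = next(g for g in tok.groups() if g is not None)
                hits.append({"pid": ev["pid"], "ppid": ev["ppid"],
                             "kind": m.group(1).lower(), "target": target})
    return hits


def find_run_key_persistence(reg_events: List[Dict]) -> List[Dict]:
    """Return Run/RunOnce values, flagging payloads under user-writable paths."""
    return [{"pid": ev["pid"], "key": ev["key"], "value": ev["value"],
             "user_writable": bool(USER_WRITABLE_RE.search(ev["value"]))}
            for ev in reg_events if RUN_KEY_RE.search(ev["key"])]


def triage(process_events: List[Dict], registry_events: List[Dict]) -> Dict:
    """Correlate exclusions with the process that added them and with Run-key payloads."""
    by_pid = {e["pid"]: e for e in process_events}
    exclusions = find_defender_exclusions(process_events)
    persistence = find_run_key_persistence(registry_events)
    correlated = []
    for ex in exclusions:
        parent = by_pid.get(ex["ppid"], {}).get("image", "").lower()
        t, reasons = ex["target"].lower(), []
        if ex["kind"] == "path" and t == parent:
            reasons.append("excludes the image of its own parent process")
        if ex["kind"] == "process" and parent.endswith("\\" + t):
            reasons.append("excludes its own parent process by name")
        for p in persistence:
            v = p["value"].lower()
            if (ex["kind"] == "path" and t == v) or (ex["kind"] == "process" and v.endswith("\\" + t)):
                reasons.append("covers Run-key payload " + p["value"])
        if reasons:
            correlated.append({**ex, "reasons": reasons})
    severity = "high" if correlated else "medium" if (exclusions or persistence) else "none"
    return {"exclusions": exclusions, "persistence": persistence,
            "correlated": correlated, "severity": severity}


if __name__ == "__main__":
    result = triage(PROCESS_EVENTS, REGISTRY_EVENTS)
    print(result["severity"])
    for hit in result["correlated"]:
        print(hit["pid"], hit["kind"], hit["target"], "->", "; ".join(hit["reasons"]))
```

On the events above, all four exclusions correlate (two cover the parent image or its name, two cover the Run-key payload) and the verdict is "high"; the lone Get-MpPreference event produces nothing. In production the same rules would be fed from Sysmon Event ID 1 (process creation) and Event ID 13 (registry value set), or from Defender's own Event ID 5007 for configuration changes, and any Add-MpPreference call whose parent is not an administration tool deserves a look even without the correlation.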
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: 948d91e7dec070204f76e821d5d2cdbf
SHA1: 873300c067f1ce10a7b7bf017dedefc354700622
SHA256: 34e969c8ba79732daf9636195f26148d3ec632cf327181498e46453748188284
SHA512: 92e401e74c1ce51edc34e28be2cd7e020ce6ec84f9d86f9d9fc4fa4674abbb6a0dd241889373f846b151d855ace6fed68641831c4731afb9596a9df04876060f