Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    9s
  • max time network
    8s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    18/01/2025, 22:34

General

  • Target

    XWorm/XWorm 5.6.exe

  • Size

    40KB

  • MD5

    496c3225443deab6949914cd224046f4

  • SHA1

    18b75bbac53042d66ccddb565e3a5a8547cc563f

  • SHA256

    875d88c284b312b7858c2fd2b683036c16f9f914bce35ca8fa87ccfb2db202be

  • SHA512

    2d7c2436244bd5d5908cdae5ec7dae1ef10eae421204c48dfcce77162d0b8a3fb90a6a9acfc9a310d30b241b62b0e79a7464503fff873cf73f331b8d20bd9dec

  • SSDEEP

    768:CNZ4ZV7QMND9Pf7PnDPItE9/JF5Py9Ovzf6SOMhS33iP:My7Qo1TPnDP5xFs9C76SOMIW

Malware Config

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:55967

ca-assessing.gl.at.ply.gg:55967

Mutex

0VAbVWRVWwPHtkmk

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm 5.6.exe
    "C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm 5.6.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2328
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XWorm\XWorm 5.6.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2808
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XWorm 5.6.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2740
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\ayo'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2672
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ayo'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1336

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    7KB

    MD5

    948d91e7dec070204f76e821d5d2cdbf

    SHA1

    873300c067f1ce10a7b7bf017dedefc354700622

    SHA256

    34e969c8ba79732daf9636195f26148d3ec632cf327181498e46453748188284

    SHA512

    92e401e74c1ce51edc34e28be2cd7e020ce6ec84f9d86f9d9fc4fa4674abbb6a0dd241889373f846b151d855ace6fed68641831c4731afb9596a9df04876060f

  • memory/2328-0-0x000007FEF57F3000-0x000007FEF57F4000-memory.dmp

    Filesize

    4KB

  • memory/2328-1-0x0000000000F30000-0x0000000000F40000-memory.dmp

    Filesize

    64KB

  • memory/2328-2-0x000007FEF57F0000-0x000007FEF61DC000-memory.dmp

    Filesize

    9.9MB

  • memory/2328-28-0x000007FEF57F3000-0x000007FEF57F4000-memory.dmp

    Filesize

    4KB

  • memory/2740-16-0x0000000002820000-0x0000000002828000-memory.dmp

    Filesize

    32KB

  • memory/2740-15-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

    Filesize

    2.9MB

  • memory/2808-7-0x0000000002DB0000-0x0000000002E30000-memory.dmp

    Filesize

    512KB

  • memory/2808-8-0x000000001B780000-0x000000001BA62000-memory.dmp

    Filesize

    2.9MB

  • memory/2808-9-0x0000000001D90000-0x0000000001D98000-memory.dmp

    Filesize

    32KB