Resubmissions (submitted, analysis ID, score)
18/01/2025, 02:54  250118-dd9fbs1ncr  10
18/01/2025, 02:49  250118-da9a6azrcz  10
18/01/2025, 02:47  250118-c9v25s1mcq  10
Analysis
max time kernel: 94s
max time network: 120s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18/01/2025, 02:47
Behavioral task: behavioral1
Sample: Update.exe
Resource: win10v2004-20241007-en
General
Target: Update.exe
Size: 61KB
MD5: 6afe04684a757675a359e7152592e644
SHA1: d436a89ed573a6f5cb5d9b5f5d971cc12ac09e7b
SHA256: 734583184759ee71d9a25e037f25e409f2f1c7adfd1927bf6838bbfb62f2195e
SHA512: 25d29d6ceb7d2aaf57d689dba5bad64268151cad17d989b34dadb5146a10f6e15e9a424c927a453d2cdc0e78e0561c348d78e98c1250fc590420ad21b3bed94a
SSDEEP: 1536:wmtWxjhNJeaJXi+btWeYpive5scO3yKWRC6:wPjhNwaJXi+bw3EqhO3yKWU6
Malware Config
Extracted (family: xworm)
127.0.0.1:18889
147.185.221.25:18889
install_file: USB.exe
Signatures

Detect Xworm Payload (1 IoC)
resource: behavioral1/memory/1100-1-0x0000000000F90000-0x0000000000FA6000-memory.dmp, yara_rule: family_xworm

Xworm family

Drops file in System32 directory (11 IoCs)
File opened for modification: C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log (svchost.exe)
File created: C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log (svchost.exe)
File created: C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk (svchost.exe)
File created: C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm (svchost.exe)
File opened for modification: C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk (svchost.exe)
File opened for modification: C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp (svchost.exe)
File opened for modification: C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx (svchost.exe)
File created: C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs (svchost.exe)
File created: C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs (svchost.exe)
File opened for modification: C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat (svchost.exe)
File created: C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat (svchost.exe)

Drops file in Windows directory (1 IoC)
File opened for modification: C:\Windows\Debug\WIA\wiatrace.log (mspaint.exe)

Checks processor information in registry (2 TTPs, 6 IoCs)
Processor information is often read in order to detect sandboxing environments.
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (EXCEL.EXE)
Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)
Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (EXCEL.EXE)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (EXCEL.EXE)

Enumerates system info in registry (2 TTPs, 6 IoCs)
Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)
Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (EXCEL.EXE)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (EXCEL.EXE)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (EXCEL.EXE)

Modifies registry class (1 IoC)
Key created: \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings (mspaint.exe)

Suspicious behavior: AddClipboardFormatListener (3 IoCs)
PIDs: 1644 WINWORD.EXE (x2), 2328 EXCEL.EXE

Suspicious behavior: EnumeratesProcesses (5 IoCs)
PIDs: 1100 Update.exe, 4860 mspaint.exe (x2), 3364 mspaint.exe (x2)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Token: SeDebugPrivilege, PID 1100 Update.exe

Suspicious use of SetWindowsHookEx (26 IoCs)
PIDs: 1100 Update.exe, 1644 WINWORD.EXE (x7), 2328 EXCEL.EXE (x12), 4860 mspaint.exe (x4), 3364 mspaint.exe, 1976 OpenWith.exe
Processes

Update.exe (PID 1100)
Command line: "C:\Users\Admin\AppData\Local\Temp\Update.exe"
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx

WINWORD.EXE (PID 1644)
Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\SyncRepair.docx" /o ""
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx

EXCEL.EXE (PID 2328)
Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\UnpublishPublish.xlsx"
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx

mspaint.exe (PID 4860)
Command line: "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\ResetRead.wmf"
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx

svchost.exe (PID 4564)
Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService

mspaint.exe (PID 3364)
Command line: "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\SyncUnregister.png" /ForceBootstrapPaint3D
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx

svchost.exe (PID 3656)
Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
- Drops file in System32 directory

OpenWith.exe (PID 1976)
Command line: C:\Windows\system32\OpenWith.exe -Embedding
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads