Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
287s -
max time network
296s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system -
submitted
18/01/2025, 01:55
Behavioral task
behavioral1
Sample
Xworm-V6.1.zip
Resource
win11-20241007-en
General
-
Target
Xworm-V6.1.zip
-
Size
26.5MB
-
MD5
75b715e998c88f168728e27dc6887819
-
SHA1
2d4d3f9702c0cd8b89b1b1d61ce05aa5c4b430d1
-
SHA256
76f7a5d79b8df10dec30dc9faf6cbb6039fde1b93bd74210a61bf0943931f09d
-
SHA512
85c4be0c1ed1d8bb740d314626c572bbd2258ce324394d4c27a87c2d8aa9f9723407ec792dcfe1467cc7d3a2e40178281ac964381db6b9d748f930c0907fdcf2
-
SSDEEP
786432:3vwgbHGy+fY6RXEDguMU0DADGj7VCubuu0SVww6vZqwffx:ogbHGyehuMdT7guxV7oswXx
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
pid Process 3204 Xworm V6.1.exe 648 Xworm V6.1.exe -
Drops file in System32 directory 12 IoCs
description ioc Process File created C:\Windows\system32\perfc010.dat lodctr.exe File created C:\Windows\system32\perfc011.dat lodctr.exe File created C:\Windows\system32\perfh009.dat lodctr.exe File created C:\Windows\system32\perfc00A.dat lodctr.exe File created C:\Windows\system32\perfh00A.dat lodctr.exe File created C:\Windows\system32\perfc00C.dat lodctr.exe File created C:\Windows\system32\perfh010.dat lodctr.exe File created C:\Windows\system32\perfh011.dat lodctr.exe File created C:\Windows\system32\perfc007.dat lodctr.exe File created C:\Windows\system32\perfh007.dat lodctr.exe File created C:\Windows\system32\perfc009.dat lodctr.exe File created C:\Windows\system32\perfh00C.dat lodctr.exe -
Modifies registry class 4 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" BackgroundTransferHost.exe Set value (str) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" BackgroundTransferHost.exe Key created \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\MuiCache BackgroundTransferHost.exe Set value (str) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix BackgroundTransferHost.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 2488 7zFM.exe 2488 7zFM.exe 2488 7zFM.exe 2488 7zFM.exe 2488 7zFM.exe 2488 7zFM.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2488 7zFM.exe -
Suspicious use of AdjustPrivilegeToken 7 IoCs
description pid Process Token: SeRestorePrivilege 2488 7zFM.exe Token: 35 2488 7zFM.exe Token: SeSecurityPrivilege 2488 7zFM.exe Token: SeSecurityPrivilege 2488 7zFM.exe Token: SeSecurityPrivilege 2488 7zFM.exe Token: SeSecurityPrivilege 2488 7zFM.exe Token: SeSecurityPrivilege 2488 7zFM.exe -
Suspicious use of FindShellTrayWindow 7 IoCs
pid Process 2488 7zFM.exe 2488 7zFM.exe 2488 7zFM.exe 2488 7zFM.exe 2488 7zFM.exe 2488 7zFM.exe 2488 7zFM.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2488 wrote to memory of 3204 2488 7zFM.exe 80 PID 2488 wrote to memory of 3204 2488 7zFM.exe 80 PID 2488 wrote to memory of 1140 2488 7zFM.exe 86 PID 2488 wrote to memory of 1140 2488 7zFM.exe 86 PID 1140 wrote to memory of 3452 1140 cmd.exe 88 PID 1140 wrote to memory of 3452 1140 cmd.exe 88 PID 2488 wrote to memory of 648 2488 7zFM.exe 89 PID 2488 wrote to memory of 648 2488 7zFM.exe 89
Processes
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Xworm-V6.1.zip"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2488 -
C:\Users\Admin\AppData\Local\Temp\7zO8B93D129\Xworm V6.1.exe"C:\Users\Admin\AppData\Local\Temp\7zO8B93D129\Xworm V6.1.exe"2⤵
- Executes dropped EXE
PID:3204
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7zO8B9F8F59\Fixer.bat" "2⤵
- Suspicious use of WriteProcessMemory
PID:1140 -
C:\Windows\system32\lodctr.exelodctr /r3⤵
- Drops file in System32 directory
PID:3452
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zO8B95F379\Xworm V6.1.exe"C:\Users\Admin\AppData\Local\Temp\7zO8B95F379\Xworm V6.1.exe"2⤵
- Executes dropped EXE
PID:648
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:648
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.131⤵
- Modifies registry class
PID:5108
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\97453023-fdb0-46a5-a831-68db33ebf273.down_data
Filesize555KB
MD55683c0028832cae4ef93ca39c8ac5029
SHA1248755e4e1db552e0b6f8651b04ca6d1b31a86fb
SHA256855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e
SHA512aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3
-
Filesize
14.9MB
MD556ccb739926a725e78a7acf9af52c4bb
SHA15b01b90137871c3c8f0d04f510c4d56b23932cbc
SHA25690f58865f265722ab007abb25074b3fc4916e927402552c6be17ef9afac96405
SHA5122fee662bc4a1a36ce7328b23f991fa4a383b628839e403d6eb6a9533084b17699a6c939509867a86e803aafef2f9def98fa9305b576dad754aa7f599920c19a1
-
Filesize
122B
MD52dabc46ce85aaff29f22cd74ec074f86
SHA1208ae3e48d67b94cc8be7bbfd9341d373fa8a730
SHA256a11703fd47d16020fa099a95bb4e46247d32cf8821dc1826e77a971cdd3c4c55
SHA5126a50b525bc5d8eb008b1b0d704f9942f72f1413e65751e3de83d2e16ef3cf02ef171b9da3fff0d2d92a81daac7f61b379fcf7a393f46e914435f6261965a53b3
-
Filesize
361KB
MD5e3143e8c70427a56dac73a808cba0c79
SHA163556c7ad9e778d5bd9092f834b5cc751e419d16
SHA256b2f57a23ecc789c1bbf6037ac0825bf98babc7bf0c5d438af5e2767a27a79188
SHA51274e0f4b55625df86a87b9315e4007be8e05bbecca4346a6ea06ef5b1528acb5a8bb636ef3e599a3820dbddcf69563a0a22e2c1062c965544fd75ec96fd9803fc
-
Filesize
44KB
MD5bc3d1639f16cb93350a76b95cd59108b
SHA147f1067b694967d71af236d5e33d31cb99741f4c
SHA256004818827ecc581f75674919f4605d28eed27e3f2229ae051d6849129eef40e9
SHA512fe44f3dbd009d932491af26c3615e616bc0042741dc3815ffb4d2b8d201efd8ab89f7cdd747406609393f005a596a6e9ea8e3f231bc150dc406c2adb8f806249
-
Filesize
47KB
MD569c02ba10f3f430568e00bcb54ddf5a9
SHA18b95d298633e37c42ea5f96ac08d950973d6ee9d
SHA25662e5660f9018da67d3c6727c39e9690650beb62749df0b4c00e6085f36c8e94e
SHA51216e4d29324c2b50e1347532cd0982a149a7c67c4f27a743bbad8609ac662c3e00fa1be645b1b5f23adca3abd60c812f3f87d669f5ffb42b90ca5026dcbf2824e
-
Filesize
47KB
MD5391168ff06e8d68c7a6f90c1ccb088be
SHA1c3f8c12481c9d3559e8df93ade8f5bfefd271627
SHA2567f2847cbf10a70dec0bfb78ca1bf2e548caa8de43deb290cc21d4d1a47bd7525
SHA51271fe34a07a2107c03fc4735ca78814adc1c55ee3362ce01d6b9983b0ac52315485135b58edecbcd67252c1e27a451138a765bdf3f746e1241834cf35106520c6
-
Filesize
46KB
MD59c127d90b405f6e4e98e60bb83285a93
SHA1358b36827fb8dbfd9f268d7278961ae3309baaa1
SHA256878a012b076c81d7b46068109d9b9e1a86aa8527d87d0baee47b59b07502c578
SHA512bd80bb82e6f2375107153b7da67ce4a3ab3d457103a8371f93e130edece21791d8a716ab9793b74c6b5ab10166ccb52aee430bc4b63403b7e4749d7db9929e73
-
Filesize
32KB
MD550681b748a019d0096b5df4ebe1eab74
SHA10fa741b445f16f05a1984813c7b07cc66097e180
SHA25633295c7ee1b56a41e809432bc25dd745ba55b2dc91bfa97aa1f55156880cd71a
SHA512568439b3547dcbcce28499d45663fdd0e2222f6c5c90053769ce2585f65721f679c071393328bde72c9a3f03da4c17abb84b8303897688b59598887ceb31438e
-
Filesize
322KB
MD50845cebf933086a66e207aae57a427ee
SHA1ecf8587f451664c64e121f840f2c2f441ab2b78d
SHA2567795c8ab095783b73f1752a4f38749d7c7f1685e2260257911784c371fe02071
SHA512bd3a6fb855a163129d5c55caee9b3325eb541db43e3c606352e5825fc8c496fdef84c788fe7db5551393aef5fb802c6374a923c2d0aa072b02963d43ceaa8993
-
Filesize
310KB
MD51ad05e460c6fbb5f7b96e059a4ab6cef
SHA11c3e4e455fa0630aaa78a1d19537d5ff787960cf
SHA2560ae16c72ca5301b0f817e69a4bac29157369ecfbadc6c13a5a37db5901238c71
SHA512c608aa10b547003b25ff63bb1999a5fff0256aadd8b005fdd26569a9828d3591129a0f21c11ec8e5d5f390b11c49f2ef8a6e36375c9e13d547415e0ec97a398f
-
Filesize
360KB
MD51402add2a611322eb6f624705c8a9a4e
SHA1d08b0b5e602d4587e534cf5e9c3d04c549a5aa47
SHA2560ac43c8e77edb2c1468420653fc5d505b26cdc4da06c4121ce4bbecae561e6cb
SHA512177d5ea7e77eee154042b5e064db67a5cac9435890a2ff65cd98da21433f4e7de743e9df22ac0ac61be89fc0be8655b46454ed4a930d13fc7c1dfebe5896781f
-
Filesize
363KB
MD5d0a8d13996333367f0e1721ca8658e00
SHA1f48f432c5a0d3c425961e6ed6291ddb0f4b5a116
SHA25668a7924621a0fbc13d0ea151617d13732a991cef944aae67d44fc030740a82e9
SHA5128a68c62b5fc983975d010ae6504a1cbfdf34d5656e3277d9a09eb92929e201e27ca7bd2030740c8240a4afd56af57c223b4fd6de193bedf84ac7238777310de4
-
Filesize
353KB
MD5a5389200f9bbc7be1276d74ccd2939b4
SHA18d6f17c7d36f686e727b6e7b3a62812297228943
SHA256494db162e2ccd95e69404a34170b6e59847f444881834f3c175c6bc70d783087
SHA512fc1d1e81362d186410b4af3d6add3c8b32fdd75ea79b7e868cc16615358264af04f47170229d32dffcbf7e1ba2b841ccd2d4f27b0f8d82a0685806c22d3d0a92
-
Filesize
158KB
MD541f2dbe6f02b3bb9802d60f10b4ef7a2
SHA1f1b03d28e5be3db3341f3a399d1cc887fe8da794
SHA256eca01d5405d7e8af92ea60f888f891415ea2e1e6484caff15cbaf5a645700db2
SHA5121c7b85e12050d670d48121e7670e1dab787e0a0b134e0ab314dc571c3969d0f9652ff76666bb433aac5886ca532404963a3041a1d4b4352e3051c838965fd3b1