Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

6f142145f7...74.exe

windows7-x64

10

6f142145f7...74.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    19/01/2025, 22:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6f142145f7fe5028de2f33b56b2853347c2b4774d9fcfbec8547de1029c57f74.exe

  • Size

    49KB

  • MD5

    0b3fc6003ed631b572c3347e10ac4aca

  • SHA1

    51abe8c42abb8c2c52331bbdb99eb2fbcf18315c

  • SHA256

    6f142145f7fe5028de2f33b56b2853347c2b4774d9fcfbec8547de1029c57f74

  • SHA512

    3df3d20f0d96a122ffae5e54067864d8349dc0672cc24ad94dcab3ac67dec8c520b4f6f7875d75af14791180bd28f68ff4252111fe6c8a242286f9dd00bc751b

  • SSDEEP

    1536:G4TlXi94kgMLEhNkoyIWwClDVC9D2XPs9Hy:F5Xz3MYuwV9QPsZy

Score
10/10
xwormexecutionrattrojan

Malware Config

Extracted

Family

xworm

Mutex

WDJjJwZM6N0epwZX

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Executes dropped EXE 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\6f142145f7fe5028de2f33b56b2853347c2b4774d9fcfbec8547de1029c57f74.exe
    "C:\Users\Admin\AppData\Local\Temp\6f142145f7fe5028de2f33b56b2853347c2b4774d9fcfbec8547de1029c57f74.exe"
    1⤵
    • Modifies system certificate store
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2552
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '6f142145f7fe5028de2f33b56b2853347c2b4774d9fcfbec8547de1029c57f74.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2496
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\6f142145f7fe5028de2f33b56b2853347c2b4774d9fcfbec8547de1029c57f74.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2456
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\6f142145f7fe5028de2f33b56b2853347c2b4774d9fcfbec8547de1029c57f74.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2940
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /rl highest /tn "6f142145f7fe5028de2f33b56b2853347c2b4774d9fcfbec8547de1029c57f74" /tr "C:\ProgramData\6f142145f7fe5028de2f33b56b2853347c2b4774d9fcfbec8547de1029c57f74.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:580
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "6f142145f7fe5028de2f33b56b2853347c2b4774d9fcfbec8547de1029c57f74" /tr "C:\Users\Admin\AppData\Roaming\6f142145f7fe5028de2f33b56b2853347c2b4774d9fcfbec8547de1029c57f74.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2696
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {8EF3C8F8-2ECA-4A2F-8376-6E38ECC406BE} S-1-5-21-3533259084-2542256011-65585152-1000:XPAJOTIY\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1944
    • C:\Users\Admin\AppData\Roaming\6f142145f7fe5028de2f33b56b2853347c2b4774d9fcfbec8547de1029c57f74.exe
      C:\Users\Admin\AppData\Roaming\6f142145f7fe5028de2f33b56b2853347c2b4774d9fcfbec8547de1029c57f74.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2684
    • C:\Users\Admin\AppData\Roaming\6f142145f7fe5028de2f33b56b2853347c2b4774d9fcfbec8547de1029c57f74.exe
      C:\Users\Admin\AppData\Roaming\6f142145f7fe5028de2f33b56b2853347c2b4774d9fcfbec8547de1029c57f74.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1572

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\6f142145f7fe5028de2f33b56b2853347c2b4774d9fcfbec8547de1029c57f74.exe
    Filesize

    49KB

    MD5

    0b3fc6003ed631b572c3347e10ac4aca

    SHA1

    51abe8c42abb8c2c52331bbdb99eb2fbcf18315c

    SHA256

    6f142145f7fe5028de2f33b56b2853347c2b4774d9fcfbec8547de1029c57f74

    SHA512

    3df3d20f0d96a122ffae5e54067864d8349dc0672cc24ad94dcab3ac67dec8c520b4f6f7875d75af14791180bd28f68ff4252111fe6c8a242286f9dd00bc751b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    66aa22d17535c96839ffbd11b9e44785

    SHA1

    d93ae9d6290f30a52bc8a612ac3dc592cd61dc5a

    SHA256

    1c0ab61c2cc1d7024c2232716b292e8f2504162882e32ee4b9ff42b72906ff6a

    SHA512

    4e4d76051f22e1852caf815f3a23fd468c2b26cbc2c62976be2b53008d843de70eb476200c48475a07801d5a65b253470a2ffe15e688cb29bd558d92bc0ef6fd

    Download Submit

  • memory/1572-33-0x0000000000ED0000-0x0000000000EE2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2456-16-0x00000000026A0000-0x00000000026A8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2456-15-0x000000001B500000-0x000000001B7E2000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2496-8-0x000000001B750000-0x000000001BA32000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2496-9-0x0000000002790000-0x0000000002798000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2496-7-0x00000000028F0000-0x0000000002970000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2552-0-0x000007FEF6353000-0x000007FEF6354000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2552-24-0x0000000001110000-0x000000000111E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2552-25-0x000007FEF6353000-0x000007FEF6354000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2552-26-0x000007FEF6350000-0x000007FEF6D3C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2552-2-0x000007FEF6350000-0x000007FEF6D3C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2552-1-0x0000000001150000-0x0000000001162000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2684-31-0x00000000009D0000-0x00000000009E2000-memory.dmp

    Filesize

    72KB

    Download