Analysis

  • max time kernel
    887s
  • max time network
    887s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    19/01/2025, 20:37

General

  • Target

    nigger.exe

  • Size

    64KB

  • MD5

    6f8774e5839ed8ed21449f097122f0d9

  • SHA1

    666790bd8f79903fcb4788ed3ef6552bf2d7c340

  • SHA256

    978edd60b16702006e25e55cbcc1e69c112e451dd19c649825980fb98019cec9

  • SHA512

    9d371e4b2ce6c356a57a19fd1b070e67ccbc37fc206d1d8e6c3f2b444065d64664420d64f788c459fd4632a1f1b4bc850d10e5a0dd9b9b4667bdb8f4c3d09b53

  • SSDEEP

    1536:yP2rvEPQLEMlRGvqzRXJ69b3XhNQpzO862MO1fQKvixfav:yP2rv8GTx9569b3kpuO1fQ5av

Malware Config

Extracted

Family

xworm

C2

memory-lottery.gl.at.ply.gg:4444

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

Signatures

  • Detect Xworm Payload 10 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, or processes so that the payload and its dropped copy are no longer scanned.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 15 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution. Here the task is created with /sc minute /mo 1 and /RL HIGHEST, so the dropped copy is relaunched every minute, which is why the process tree below shows the same file executed repeatedly over the 887 s run.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 21 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 60 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\nigger.exe
    "C:\Users\Admin\AppData\Local\Temp\nigger.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2516
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\nigger.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2956
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'nigger.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3060
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\security'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2836
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'security'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2832
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "security" /tr "C:\Users\Admin\AppData\Roaming\security"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2696
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {7016A0C8-63F2-443A-A85B-CDD36707F657} S-1-5-21-3290804112-2823094203-3137964600-1000:VORHPBAB\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2024
    • C:\Users\Admin\AppData\Roaming\security
      C:\Users\Admin\AppData\Roaming\security
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1716
    • C:\Users\Admin\AppData\Roaming\security
      C:\Users\Admin\AppData\Roaming\security
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1916
    • C:\Users\Admin\AppData\Roaming\security
      C:\Users\Admin\AppData\Roaming\security
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1564
    • C:\Users\Admin\AppData\Roaming\security
      C:\Users\Admin\AppData\Roaming\security
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:772
    • C:\Users\Admin\AppData\Roaming\security
      C:\Users\Admin\AppData\Roaming\security
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1220
    • C:\Users\Admin\AppData\Roaming\security
      C:\Users\Admin\AppData\Roaming\security
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1092
    • C:\Users\Admin\AppData\Roaming\security
      C:\Users\Admin\AppData\Roaming\security
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1224
    • C:\Users\Admin\AppData\Roaming\security
      C:\Users\Admin\AppData\Roaming\security
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:736
    • C:\Users\Admin\AppData\Roaming\security
      C:\Users\Admin\AppData\Roaming\security
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2524
    • C:\Users\Admin\AppData\Roaming\security
      C:\Users\Admin\AppData\Roaming\security
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:896
    • C:\Users\Admin\AppData\Roaming\security
      C:\Users\Admin\AppData\Roaming\security
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2148
    • C:\Users\Admin\AppData\Roaming\security
      C:\Users\Admin\AppData\Roaming\security
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2756
    • C:\Users\Admin\AppData\Roaming\security
      C:\Users\Admin\AppData\Roaming\security
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2960
    • C:\Users\Admin\AppData\Roaming\security
      C:\Users\Admin\AppData\Roaming\security
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2872
    • C:\Users\Admin\AppData\Roaming\security
      C:\Users\Admin\AppData\Roaming\security
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2840
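The Signatures and Processes sections above show the four behaviours a responder would want to hunt for on other hosts: PowerShell Add-MpPreference exclusions, a minute-frequency scheduled task running at highest run level, an extensionless executable launched from %AppData%\Roaming, and a dropped file whose SHA256 equals the submitted sample (the 64KB "security" file is a self-copy; note that the extracted config names USB.exe as install_file, while the copy written in this run is named "security", so hunting on hash and behaviour is more reliable than hunting on filename). The following script is an added example, not tria.ge's code or part of the report: it runs those checks over constructed process-creation command lines modelled on the tree above (plus one benign control line), as a Sysmon Event ID 1 or Windows 4688 CommandLine field would supply. The rule names, the "5 minutes or less" frequency threshold, and the event list are assumptions made for illustration.

```python
"""Triage helpers for the XWorm behaviours shown in the tria.ge process tree.

Added example, not the sandbox's own code. Input is a list of Windows
process-creation command lines; output is a list of Finding records.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# SHA256 of the submitted sample, copied from the General section of the report.
SAMPLE_SHA256 = "978edd60b16702006e25e55cbcc1e69c112e451dd19c649825980fb98019cec9"

# Dropped-file hashes copied from the Downloads section of the report.
DROPPED_FILES: Dict[str, str] = {
    r"C:\Users\Admin\AppData\Roaming\security":
        "978edd60b16702006e25e55cbcc1e69c112e451dd19c649825980fb98019cec9",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XNYB3LX02R3M8HY9VOLR.temp":
        "d76f5188a1220cf3aa46f16a6b49b3417a9aacd7d002157723d3e00b9a711dc3",
}

# Constructed command lines modelled on the process tree above plus one benign
# control line. This is not a telemetry export from the sandbox.
SAMPLE_EVENTS: List[str] = [
    r'"C:\Users\Admin\AppData\Local\Temp\nigger.exe"',
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass '
    r"Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\nigger.exe'",
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass '
    r"Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\security'",
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass '
    r"Add-MpPreference -ExclusionProcess 'security'",
    r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 '
    r'/tn "security" /tr "C:\Users\Admin\AppData\Roaming\security"',
    r"C:\Users\Admin\AppData\Roaming\security",
    r'"C:\Windows\explorer.exe"',  # benign control line; must yield no finding
]


@dataclass(frozen=True)
class Finding:
    rule: str    # hypothetical rule name, chosen for this example
    detail: str  # the value that triggered the rule


# Add-MpPreference -ExclusionPath/-ExclusionProcess/-ExclusionExtension <value>,
# where the value may be single-quoted, double-quoted or bare.
EXCLUSION_RE = re.compile(
    r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)\s+"
    r"(?:'([^']*)'|\"([^\"]*)\"|(\S+))", re.I)
# User-writable profile directories the sample executed from in the report.
PROFILE_RE = re.compile(r"\\AppData\\(Roaming|Local\\Temp)\\", re.I)


def image_path(cmd: str) -> str:
    """First token of a Windows command line, honouring a quoted image path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def schtasks_arg(cmd: str, switch: str) -> Optional[str]:
    """Value of a schtasks switch such as /sc, /mo, /rl, /tn or /tr."""
    m = re.search(r'/(?:%s)\s+(?:"([^"]*)"|(\S+))' % re.escape(switch), cmd, re.I)
    return (m.group(1) or m.group(2)) if m else None


def triage(command_lines: List[str]) -> List[Finding]:
    """Apply the behaviour rules drawn from the report to each command line."""
    findings: List[Finding] = []
    for cmd in command_lines:
        img = image_path(cmd)
        base = ntpath.basename(img).lower()

        if base == "powershell.exe":
            for kind, q1, q2, bare in EXCLUSION_RE.findall(cmd):
                findings.append(Finding("defender_exclusion",
                                        f"Exclusion{kind}={q1 or q2 or bare}"))

        if base == "schtasks.exe" and re.search(r"/create\b", cmd, re.I):
            sc = (schtasks_arg(cmd, "sc") or "").lower()
            mo = int(schtasks_arg(cmd, "mo") or "1")
            rl = (schtasks_arg(cmd, "rl") or "").upper()
            tr = schtasks_arg(cmd, "tr") or ""
            frequent = sc == "minute" and mo <= 5  # threshold is an assumption
            if frequent or PROFILE_RE.search(tr):
                findings.append(Finding(
                    "scheduled_task_persistence",
                    f"tn={schtasks_arg(cmd, 'tn')} sc={sc}/{mo} "
                    f"rl={rl or 'default'} tr={tr}"))

        if PROFILE_RE.search(img):
            ext = ntpath.splitext(base)[1]
            findings.append(Finding("profile_dir_execution",
                                    f"{img} ({ext or 'extensionless'})"))
    return findings


def self_copies(sample_sha256: str, dropped: Dict[str, str]) -> List[str]:
    """Dropped files whose SHA256 equals the submitted sample (self-copies)."""
    return [p for p, h in dropped.items() if h.lower() == sample_sha256.lower()]


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.detail}")
    for p in self_copies(SAMPLE_SHA256, DROPPED_FILES):
        print(f"[self_copy] {p}")
```

On real telemetry, feed the CommandLine field of each process-creation event to triage(); a host that shows a Defender exclusion for a path under AppData followed within seconds by a /sc minute task pointing at the same path matches the sequence the sandbox recorded here, independent of what the dropped file is called.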


Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XNYB3LX02R3M8HY9VOLR.temp

    Filesize

    7KB

    MD5

    0297a32ff2c3ccf13df31d81e72057e9

    SHA1

    a2480128e4ef9e61ed8ae6c2bca43cdaf7e1e2e5

    SHA256

    d76f5188a1220cf3aa46f16a6b49b3417a9aacd7d002157723d3e00b9a711dc3

    SHA512

    e8be8d1a6cec389a31332f073bb5c4e7d9d17cc8c343c3d3694a8b10aa4b55167e32bdfa44d7cf661d85aff2557e90931621eb1701843823bda5993c5128d23a

  • C:\Users\Admin\AppData\Roaming\security

    Filesize

    64KB

    MD5

    6f8774e5839ed8ed21449f097122f0d9

    SHA1

    666790bd8f79903fcb4788ed3ef6552bf2d7c340

    SHA256

    978edd60b16702006e25e55cbcc1e69c112e451dd19c649825980fb98019cec9

    SHA512

    9d371e4b2ce6c356a57a19fd1b070e67ccbc37fc206d1d8e6c3f2b444065d64664420d64f788c459fd4632a1f1b4bc850d10e5a0dd9b9b4667bdb8f4c3d09b53

  • memory/772-42-0x00000000001C0000-0x00000000001D6000-memory.dmp

    Filesize

    88KB

  • memory/1092-45-0x00000000003B0000-0x00000000003C6000-memory.dmp

    Filesize

    88KB

  • memory/1224-47-0x0000000000D90000-0x0000000000DA6000-memory.dmp

    Filesize

    88KB

  • memory/1716-36-0x0000000000040000-0x0000000000056000-memory.dmp

    Filesize

    88KB

  • memory/1916-39-0x0000000001360000-0x0000000001376000-memory.dmp

    Filesize

    88KB

  • memory/2148-52-0x0000000000EE0000-0x0000000000EF6000-memory.dmp

    Filesize

    88KB

  • memory/2516-1-0x0000000000900000-0x0000000000916000-memory.dmp

    Filesize

    88KB

  • memory/2516-31-0x000007FEF5C13000-0x000007FEF5C14000-memory.dmp

    Filesize

    4KB

  • memory/2516-32-0x000000001B190000-0x000000001B210000-memory.dmp

    Filesize

    512KB

  • memory/2516-30-0x000000001B190000-0x000000001B210000-memory.dmp

    Filesize

    512KB

  • memory/2516-0-0x000007FEF5C13000-0x000007FEF5C14000-memory.dmp

    Filesize

    4KB

  • memory/2840-58-0x0000000000850000-0x0000000000866000-memory.dmp

    Filesize

    88KB

  • memory/2872-56-0x0000000000170000-0x0000000000186000-memory.dmp

    Filesize

    88KB

  • memory/2956-8-0x00000000023C0000-0x00000000023C8000-memory.dmp

    Filesize

    32KB

  • memory/2956-6-0x0000000001D40000-0x0000000001DC0000-memory.dmp

    Filesize

    512KB

  • memory/2956-7-0x000000001B720000-0x000000001BA02000-memory.dmp

    Filesize

    2.9MB

  • memory/3060-15-0x0000000002340000-0x0000000002348000-memory.dmp

    Filesize

    32KB

  • memory/3060-14-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

    Filesize

    2.9MB