Analysis

  • max time kernel
    130s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    22/01/2025, 04:24

General

  • Target

    .exe

  • Size

    8.7MB

  • MD5

    1e936fe7c00a13a03d258247220333cb

  • SHA1

    0625868fe5e8541dca00a87b9dbc76e85a76a7a9

  • SHA256

    f21d3e6de139de0d92d8cdc675d7aa5693d375b1f075dee9deb664bf9961bacd

  • SHA512

    2f809796ebec18540570d9658742a91fb1ae42f44cd0193d7cd020a67f07dfc2f94740ed05aa1a12234063aa2173719953ee74203a794b94c7fc41a8037c5661

  • SSDEEP

    196608:yt20YhrbhcaAKkkdGDJtvMGn7+LCOGeosHnZouA7q:e2trlIKtdGDJCGgjBoEZouA

Malware Config

Extracted

Family

xworm

Version

5.0

C2

45.141.26.126:7000

Mutex

njhjW6ZcD4uLoqX9

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

aes.plain

Signatures

  • Detect Xworm Payload (5 IoCs)
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Drops startup file (2 IoCs)
  • Executes dropped EXE (7 IoCs)
  • Loads dropped DLL (2 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Looks up external IP address via web service (1 IoC)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Detects PyInstaller (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses (5 IoCs)
  • Suspicious use of AdjustPrivilegeToken (9 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (36 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\.exe
    "C:\Users\Admin\AppData\Local\Temp\.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3004
    • C:\Users\Admin\AppData\Roaming\GEN18+.exe
      "C:\Users\Admin\AppData\Roaming\GEN18+.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2684
      • C:\Users\Public\GEN18+.exe
        "C:\Users\Public\GEN18+.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2820
        • C:\Users\Public\GEN18+.exe
          "C:\Users\Public\GEN18+.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:2860
      • C:\Users\Public\ตั่.exe
        "C:\Users\Public\ตั่.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2752
    • C:\Users\Admin\AppData\Roaming\ตั่.exe
      "C:\Users\Admin\AppData\Roaming\ตั่.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2764
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\ตั่.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1820
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ตั่.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2172
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Sorillusexe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1756
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Sorillusexe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1948
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Sorillusexe" /tr "C:\Users\Admin\AppData\Roaming\Sorillusexe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:1616
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {FEFF0FE2-F435-4DF1-A0D6-74B429D577BF} S-1-5-21-1488793075-819845221-1497111674-1000:UPNECVIU\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1412
    • C:\Users\Admin\AppData\Roaming\Sorillusexe
      C:\Users\Admin\AppData\Roaming\Sorillusexe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2940
    • C:\Users\Admin\AppData\Roaming\Sorillusexe
      C:\Users\Admin\AppData\Roaming\Sorillusexe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1580

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_MEI28202\python312.dll

    Filesize

    6.6MB

    MD5

    d521654d889666a0bc753320f071ef60

    SHA1

    5fd9b90c5d0527e53c199f94bad540c1e0985db6

    SHA256

    21700f0bad5769a1b61ea408dc0a140ffd0a356a774c6eb0cc70e574b929d2e2

    SHA512

    7a726835423a36de80fb29ef65dfe7150bd1567cac6f3569e24d9fe091496c807556d0150456429a3d1a6fd2ed0b8ae3128ea3b8674c97f42ce7c897719d2cd3

  • C:\Users\Admin\AppData\Roaming\GEN18+.exe

    Filesize

    8.6MB

    MD5

    f05ed8b398245fe8f94d3227dd9a3bd6

    SHA1

    d9d33c82725d02ac98c958acf34d03a9ef98b3c9

    SHA256

    87a0882cd5f227f8e223381c4f4d1f5a9eafed619e442f16b98b18bb7a1481cd

    SHA512

    2f4052266c0ca780aec481091ae0ef5946acae95398d61eb73b18d50f9072821e8fb437d6e5f229b8b7af94bec0df59fd04378c264320cfa0f0daf05832412d6

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    7KB

    MD5

    43288e0b7b7d58f4fa62c91db9c89939

    SHA1

    5f2992a953d7afa2f81bd18fd866be3c77248ee1

    SHA256

    b511140af5b5f9174e4b8e2face945a22fdd2267c2be0646db608889184431c7

    SHA512

    fb0e46589c2e3405bc540e4a6c804cc0d0b6e49c56e88fe4eeda45715ee1f3101e4e74e60eb24e8fd7188e04aa8f5628fb8b5af485d8e1f6284b6d40077a2168

  • C:\Users\Admin\AppData\Roaming\ตั่.exe

    Filesize

    41KB

    MD5

    949ed9fe677149c42d2a77d3f14dfc7d

    SHA1

    6aeb5488f1664c08b6463658679409e6f66bb46c

    SHA256

    0c96ec60c154ccb2bdba2a35bd96672383a8bc84566a02d8856900368712d93a

    SHA512

    392dab1ada16b5d3a76a611c319586831c8593c7866ff99b6b3e232efe65fa49074485979a43e47fed9c8fe2bba4ad1baf4b6b10d91fe886439b52d891e984c5

  • \Users\Public\GEN18+.exe

    Filesize

    8.6MB

    MD5

    6b83f00de4a3333f9e87dfe1fb5ed6c5

    SHA1

    73c5e6db6530d1dfc27b6c7cc5b2bb93ae48512c

    SHA256

    6b89f78d271319c542e204b3f79308a9557c5e87957a8fb52afa4878f61657c0

    SHA512

    0cd16a98fbaef79594d78dffb4a5a4c481706ffaed3e384580b5b5adda29ad2d671a00eecf9e3755f97b11c617ce9d250bdd7564c34bc0182630a7999b783030

  • memory/1580-104-0x0000000001080000-0x0000000001090000-memory.dmp

    Filesize

    64KB

  • memory/1820-57-0x0000000002290000-0x0000000002298000-memory.dmp

    Filesize

    32KB

  • memory/1820-56-0x000000001B8D0000-0x000000001BBB2000-memory.dmp

    Filesize

    2.9MB

  • memory/2172-64-0x0000000002250000-0x0000000002258000-memory.dmp

    Filesize

    32KB

  • memory/2172-63-0x000000001B660000-0x000000001B942000-memory.dmp

    Filesize

    2.9MB

  • memory/2684-15-0x000007FEF5800000-0x000007FEF61EC000-memory.dmp

    Filesize

    9.9MB

  • memory/2684-40-0x000007FEF5800000-0x000007FEF61EC000-memory.dmp

    Filesize

    9.9MB

  • memory/2684-13-0x0000000001300000-0x0000000001BAC000-memory.dmp

    Filesize

    8.7MB

  • memory/2752-41-0x0000000000990000-0x00000000009A0000-memory.dmp

    Filesize

    64KB

  • memory/2764-12-0x0000000000B30000-0x0000000000B40000-memory.dmp

    Filesize

    64KB

  • memory/2940-101-0x0000000000DA0000-0x0000000000DB0000-memory.dmp

    Filesize

    64KB

  • memory/3004-0-0x000007FEF5803000-0x000007FEF5804000-memory.dmp

    Filesize

    4KB

  • memory/3004-1-0x0000000000860000-0x000000000111A000-memory.dmp

    Filesize

    8.7MB