Analysis

max time kernel:   130s
max time network:  140s
platform:          windows7_x64
resource:          win7-20240903-en
resource tags:     arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted:         22/01/2025, 04:24
Static task static1

Behavioral task behavioral1
  Sample:   .exe
  Resource: win7-20240903-en

Behavioral task behavioral2
  Sample:   .exe
  Resource: win10v2004-20241007-en
General

Target:  .exe
Size:    8.7MB
MD5:     1e936fe7c00a13a03d258247220333cb
SHA1:    0625868fe5e8541dca00a87b9dbc76e85a76a7a9
SHA256:  f21d3e6de139de0d92d8cdc675d7aa5693d375b1f075dee9deb664bf9961bacd
SHA512:  2f809796ebec18540570d9658742a91fb1ae42f44cd0193d7cd020a67f07dfc2f94740ed05aa1a12234063aa2173719953ee74203a794b94c7fc41a8037c5661
SSDEEP:  196608:yt20YhrbhcaAKkkdGDJtvMGn7+LCOGeosHnZouA7q:e2trlIKtdGDJCGgjBoEZouA
Malware Config

Extracted: xworm
  Version:            5.0
  C2:                 45.141.26.126:7000
  (unlabelled value): njhjW6ZcD4uLoqX9
  Install_directory:  %AppData%
  install_file:       USB.exe

Note that the install_file in the extracted config (USB.exe) differs from the name the sample actually used at runtime in this run (Sorillusexe, dropped into %AppData%\Roaming and registered via a Run key, a Startup-folder .lnk and a scheduled task; see Signatures and Processes below). When pivoting on this sample, hunt for both names rather than only the one the extractor reports.
Signatures

Detect Xworm Payload (5 IoCs)
  yara_rule family_xworm matched on:
  - behavioral1/files/0x0008000000015d2e-11.dat
  - behavioral1/memory/2764-12-0x0000000000B30000-0x0000000000B40000-memory.dmp
  - behavioral1/memory/2752-41-0x0000000000990000-0x00000000009A0000-memory.dmp
  - behavioral1/memory/2940-101-0x0000000000DA0000-0x0000000000DB0000-memory.dmp
  - behavioral1/memory/1580-104-0x0000000001080000-0x0000000001090000-memory.dmp

Xworm family

Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths and processes.
  pid   Process
  1820  powershell.exe
  2172  powershell.exe
  1756  powershell.exe
  1948  powershell.exe
Drops startup file (2 IoCs)
  description                    ioc                                                                                          Process
  File created                   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sorillusexe.lnk  ตั่.exe
  File opened for modification   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sorillusexe.lnk  ตั่.exe

Executes dropped EXE (7 IoCs)
  pid   Process
  2684  GEN18+.exe
  2764  ตั่.exe
  2820  GEN18+.exe
  2752  ตั่.exe
  2860  GEN18+.exe
  2940  Sorillusexe
  1580  Sorillusexe

Loads dropped DLL (2 IoCs)
  pid   Process
  2684  GEN18+.exe
  2860  GEN18+.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description      ioc                                                                                                                                                    Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Sorillusexe = "C:\\Users\\Admin\\AppData\\Roaming\\Sorillusexe"  ตั่.exe
Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  4     ip-api.com

Detects Pyinstaller (1 IoC)
  yara_rule pyinstaller matched on:
  - behavioral1/files/0x0032000000015cfa-17.dat

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  1616  schtasks.exe
Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid   Process
  1820  powershell.exe
  2172  powershell.exe
  1756  powershell.exe
  1948  powershell.exe
  2764  ตั่.exe

Suspicious use of AdjustPrivilegeToken (9 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2764  ตั่.exe
  Token: SeDebugPrivilege  2752  ตั่.exe
  Token: SeDebugPrivilege  1820  powershell.exe
  Token: SeDebugPrivilege  2172  powershell.exe
  Token: SeDebugPrivilege  1756  powershell.exe
  Token: SeDebugPrivilege  1948  powershell.exe
  Token: SeDebugPrivilege  2764  ตั่.exe
  Token: SeDebugPrivilege  2940  Sorillusexe
  Token: SeDebugPrivilege  1580  Sorillusexe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid   Process
  2764  ตั่.exe

Suspicious use of WriteProcessMemory (36 IoCs; 12 unique parent/child pairs, each recorded three times)
  pid   Process       procid_target
  3004  .exe          2684
  3004  .exe          2764
  2684  GEN18+.exe    2820
  2684  GEN18+.exe    2752
  2820  GEN18+.exe    2860
  2764  ตั่.exe        1820
  2764  ตั่.exe        2172
  2764  ตั่.exe        1756
  2764  ตั่.exe        1948
  2764  ตั่.exe        1616
  1412  taskeng.exe   2940
  1412  taskeng.exe   1580

Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
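The WriteProcessMemory table above is the raw material for the process tree shown later on the page: every "PID A wrote to memory of B" record is a parent-to-child edge, and the sandbox prints each one three times. The following is an added example, not part of the tria.ge report, showing how to parse that flattened table, drop the duplicates and rebuild the tree so an analyst can do the same for other reports. The record text is copied from this page; the regex and the function names are my own assumptions about the layout (src pid, dst pid, src pid again, src image, event ordinal).

```python
import re
from collections import defaultdict

# Constructed input: the 36 WriteProcessMemory records from this report,
# in the run-together form the page uses (three copies per event).
RECORDS = """
PID 3004 wrote to memory of 2684 3004 .exe 30 PID 3004 wrote to memory of 2684 3004 .exe 30 PID 3004 wrote to memory of 2684 3004 .exe 30
PID 3004 wrote to memory of 2764 3004 .exe 31 PID 3004 wrote to memory of 2764 3004 .exe 31 PID 3004 wrote to memory of 2764 3004 .exe 31
PID 2684 wrote to memory of 2820 2684 GEN18+.exe 32 PID 2684 wrote to memory of 2820 2684 GEN18+.exe 32 PID 2684 wrote to memory of 2820 2684 GEN18+.exe 32
PID 2684 wrote to memory of 2752 2684 GEN18+.exe 34 PID 2684 wrote to memory of 2752 2684 GEN18+.exe 34 PID 2684 wrote to memory of 2752 2684 GEN18+.exe 34
PID 2820 wrote to memory of 2860 2820 GEN18+.exe 35 PID 2820 wrote to memory of 2860 2820 GEN18+.exe 35 PID 2820 wrote to memory of 2860 2820 GEN18+.exe 35
PID 2764 wrote to memory of 1820 2764 ตั่.exe 37 PID 2764 wrote to memory of 1820 2764 ตั่.exe 37 PID 2764 wrote to memory of 1820 2764 ตั่.exe 37
PID 2764 wrote to memory of 2172 2764 ตั่.exe 39 PID 2764 wrote to memory of 2172 2764 ตั่.exe 39 PID 2764 wrote to memory of 2172 2764 ตั่.exe 39
PID 2764 wrote to memory of 1756 2764 ตั่.exe 41 PID 2764 wrote to memory of 1756 2764 ตั่.exe 41 PID 2764 wrote to memory of 1756 2764 ตั่.exe 41
PID 2764 wrote to memory of 1948 2764 ตั่.exe 43 PID 2764 wrote to memory of 1948 2764 ตั่.exe 43 PID 2764 wrote to memory of 1948 2764 ตั่.exe 43
PID 2764 wrote to memory of 1616 2764 ตั่.exe 45 PID 2764 wrote to memory of 1616 2764 ตั่.exe 45 PID 2764 wrote to memory of 1616 2764 ตั่.exe 45
PID 1412 wrote to memory of 2940 1412 taskeng.exe 48 PID 1412 wrote to memory of 2940 1412 taskeng.exe 48 PID 1412 wrote to memory of 2940 1412 taskeng.exe 48
PID 1412 wrote to memory of 1580 1412 taskeng.exe 50 PID 1412 wrote to memory of 1580 1412 taskeng.exe 50 PID 1412 wrote to memory of 1580 1412 taskeng.exe 50
"""

# Assumed record layout: "PID <src> wrote to memory of <dst> <src> <src image> <ordinal>".
RECORD_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")


def parse_edges(text):
    """Return unique (parent_pid, child_pid, parent_image) edges in first-seen order."""
    seen, edges = set(), []
    for m in RECORD_RE.finditer(text):
        src, dst, src_again, image, _ordinal = m.groups()
        if src != src_again:  # malformed record: skip it rather than guess
            continue
        edge = (int(src), int(dst), image)
        if edge not in seen:
            seen.add(edge)
            edges.append(edge)
    return edges


def build_tree(edges):
    """Map each parent pid to its children (in order) and find the roots,
    i.e. parents that are never a child in this record set."""
    children, names, all_children = defaultdict(list), {}, set()
    for parent, child, image in edges:
        children[parent].append(child)
        names[parent] = image
        all_children.add(child)
    roots = [p for p in children if p not in all_children]
    return roots, dict(children), names


def render(roots, children, names, pid=None, depth=0, out=None):
    """Indented text tree. Pids that never write to another process carry no
    image name in these records, so they are shown as '?'."""
    out = [] if out is None else out
    for p in (roots if pid is None else children.get(pid, [])):
        out.append("  " * depth + f"{p} {names.get(p, '?')}")
        render(roots, children, names, p, depth + 1, out)
    return out


if __name__ == "__main__":
    print("\n".join(render(*build_tree(parse_edges(RECORDS)))))
```

Leaf names come out as '?' because a process that never injects into another one never appears as a source; join them against the "Executes dropped EXE" table to fill them in.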
Processes

1. C:\Users\Admin\AppData\Local\Temp\.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\.exe"
   PID 3004
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\GEN18+.exe
      Command line: "C:\Users\Admin\AppData\Roaming\GEN18+.exe"
      PID 2684
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Public\GEN18+.exe
         Command line: "C:\Users\Public\GEN18+.exe"
         PID 2820
         - Executes dropped EXE
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Public\GEN18+.exe
            Command line: "C:\Users\Public\GEN18+.exe"
            PID 2860
            - Executes dropped EXE
            - Loads dropped DLL

      3. C:\Users\Public\ตั่.exe
         Command line: "C:\Users\Public\ตั่.exe"
         PID 2752
         - Executes dropped EXE
         - Suspicious use of AdjustPrivilegeToken

   2. C:\Users\Admin\AppData\Roaming\ตั่.exe
      Command line: "C:\Users\Admin\AppData\Roaming\ตั่.exe"
      PID 2764
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
         Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\ตั่.exe'
         PID 1820
         - Command and Scripting Interpreter: PowerShell
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken

      3. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
         Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ตั่.exe'
         PID 2172
         - Command and Scripting Interpreter: PowerShell
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken

      3. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
         Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Sorillusexe'
         PID 1756
         - Command and Scripting Interpreter: PowerShell
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken

      3. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
         Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Sorillusexe'
         PID 1948
         - Command and Scripting Interpreter: PowerShell
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken

      3. C:\Windows\System32\schtasks.exe
         Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Sorillusexe" /tr "C:\Users\Admin\AppData\Roaming\Sorillusexe"
         PID 1616
         - Scheduled Task/Job: Scheduled Task

1. C:\Windows\system32\taskeng.exe
   Command line: taskeng.exe {FEFF0FE2-F435-4DF1-A0D6-74B429D577BF} S-1-5-21-1488793075-819845221-1497111674-1000:UPNECVIU\Admin:Interactive:[1]
   PID 1412
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\Sorillusexe
      Command line: C:\Users\Admin\AppData\Roaming\Sorillusexe
      PID 2940
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken

   2. C:\Users\Admin\AppData\Roaming\Sorillusexe
      Command line: C:\Users\Admin\AppData\Roaming\Sorillusexe
      PID 1580
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken

The second tree is the scheduled task firing: taskeng.exe is the Task Scheduler engine launching "Sorillusexe" every minute (the /sc minute /mo 1 task created by PID 1616), which is why the payload appears twice more with fresh PIDs within the 130 s run.
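The command lines in the process tree are the most portable detection material on this page: four PowerShell invocations that add Defender exclusions, one schtasks call that creates a once-a-minute, highest-run-level task, and all five spawned from an executable in the user's roaming profile. The block below is an added example, not part of the report, that encodes those three observations as rules and runs them over constructed Sysmon-style process-creation events built from the command lines above plus one benign event. Field names (Image, CommandLine, ParentImage) follow the Sysmon event 1 schema; the rule names and thresholds are my own.

```python
import re

# Constructed sample events (Sysmon event 1 shape). The first five are the
# command lines recorded in this report; the last is a benign admin query
# added so the rules have a true negative to ignore.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
DROPPER = r"C:\Users\Admin\AppData\Roaming\ตั่.exe"
EVENTS = [
    {"Image": PS, "ParentImage": DROPPER,
     "CommandLine": f'"{PS}" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath \'{DROPPER}\''},
    {"Image": PS, "ParentImage": DROPPER,
     "CommandLine": f'"{PS}" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess \'ตั่.exe\''},
    {"Image": PS, "ParentImage": DROPPER,
     "CommandLine": f'"{PS}" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath '
                    r"'C:\Users\Admin\AppData\Roaming\Sorillusexe'"},
    {"Image": PS, "ParentImage": DROPPER,
     "CommandLine": f'"{PS}" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess \'Sorillusexe\''},
    {"Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": DROPPER,
     "CommandLine": r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 '
                    r'/tn "Sorillusexe" /tr "C:\Users\Admin\AppData\Roaming\Sorillusexe"'},
    {"Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f'"{PS}" Get-MpPreference'},  # benign: reads settings, adds nothing
]

# Directories an unprivileged user can write to; a LOLBin whose parent lives
# here deserves a look regardless of what it was asked to do.
USER_WRITABLE = re.compile(r"\\(AppData\\Roaming|AppData\\Local\\Temp|Users\\Public)\\", re.I)
LOLBINS = ("powershell.exe", "schtasks.exe")


def rule_defender_exclusion(ev):
    """PowerShell adding a Defender exclusion (path, process or extension)."""
    return (ev["Image"].lower().endswith("powershell.exe")
            and re.search(r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)\b",
                          ev["CommandLine"], re.I) is not None)


def rule_minute_schtask(ev):
    """schtasks creating a task that fires every minute at the highest run level,
    the persistence/re-launch pattern seen in this run."""
    cl = ev["CommandLine"]
    return (ev["Image"].lower().endswith("schtasks.exe")
            and re.search(r"/create\b", cl, re.I) is not None
            and re.search(r"/sc\s+minute\s+/mo\s+1\b", cl, re.I) is not None
            and re.search(r"/RL\s+HIGHEST\b", cl, re.I) is not None)


def rule_lolbin_from_user_writable_parent(ev):
    """powershell.exe or schtasks.exe launched by a binary in a user-writable path."""
    return (ev["Image"].lower().endswith(LOLBINS)
            and USER_WRITABLE.search(ev["ParentImage"]) is not None)


RULES = {
    "defender_exclusion": rule_defender_exclusion,
    "minute_schtask_highest": rule_minute_schtask,
    "lolbin_from_user_writable_parent": rule_lolbin_from_user_writable_parent,
}


def evaluate(events):
    """Return (rule_name, command_line) for every rule that fires on every event."""
    return [(name, ev["CommandLine"]) for ev in events
            for name, rule in RULES.items() if rule(ev)]


def summarize(events):
    """Hit count per rule, for a quick sanity check of rule noise."""
    counts = {name: 0 for name in RULES}
    for name, _ in evaluate(events):
        counts[name] += 1
    return counts


if __name__ == "__main__":
    for name, cl in evaluate(EVENTS):
        print(f"[{name}] {cl}")
```

The parent-path rule is the noisiest of the three but also the one that survives the operator renaming the payload; the exclusion rule is the highest-fidelity signal, since an interactive administrator almost never runs Add-MpPreference with -ExecutionPolicy Bypass from a process in AppData.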
Network

MITRE ATT&CK Enterprise v15

Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)  [T1059.001]
  Scheduled Task/Job (1)
    Scheduled Task (1)  [T1053.005]

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)  [T1547.001]
  Scheduled Task/Job (1)
    Scheduled Task (1)  [T1053.005]
Downloads

(filename not recorded on the page)
  Filesize: 6.6MB
  MD5:      d521654d889666a0bc753320f071ef60
  SHA1:     5fd9b90c5d0527e53c199f94bad540c1e0985db6
  SHA256:   21700f0bad5769a1b61ea408dc0a140ffd0a356a774c6eb0cc70e574b929d2e2
  SHA512:   7a726835423a36de80fb29ef65dfe7150bd1567cac6f3569e24d9fe091496c807556d0150456429a3d1a6fd2ed0b8ae3128ea3b8674c97f42ce7c897719d2cd3

(filename not recorded on the page)
  Filesize: 8.6MB
  MD5:      f05ed8b398245fe8f94d3227dd9a3bd6
  SHA1:     d9d33c82725d02ac98c958acf34d03a9ef98b3c9
  SHA256:   87a0882cd5f227f8e223381c4f4d1f5a9eafed619e442f16b98b18bb7a1481cd
  SHA512:   2f4052266c0ca780aec481091ae0ef5946acae95398d61eb73b18d50f9072821e8fb437d6e5f229b8b7af94bec0df59fd04378c264320cfa0f0daf05832412d6

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5:      43288e0b7b7d58f4fa62c91db9c89939
  SHA1:     5f2992a953d7afa2f81bd18fd866be3c77248ee1
  SHA256:   b511140af5b5f9174e4b8e2face945a22fdd2267c2be0646db608889184431c7
  SHA512:   fb0e46589c2e3405bc540e4a6c804cc0d0b6e49c56e88fe4eeda45715ee1f3101e4e74e60eb24e8fd7188e04aa8f5628fb8b5af485d8e1f6284b6d40077a2168

(filename not recorded on the page)
  Filesize: 41KB
  MD5:      949ed9fe677149c42d2a77d3f14dfc7d
  SHA1:     6aeb5488f1664c08b6463658679409e6f66bb46c
  SHA256:   0c96ec60c154ccb2bdba2a35bd96672383a8bc84566a02d8856900368712d93a
  SHA512:   392dab1ada16b5d3a76a611c319586831c8593c7866ff99b6b3e232efe65fa49074485979a43e47fed9c8fe2bba4ad1baf4b6b10d91fe886439b52d891e984c5

(filename not recorded on the page)
  Filesize: 8.6MB
  MD5:      6b83f00de4a3333f9e87dfe1fb5ed6c5
  SHA1:     73c5e6db6530d1dfc27b6c7cc5b2bb93ae48512c
  SHA256:   6b89f78d271319c542e204b3f79308a9557c5e87957a8fb52afa4878f61657c0
  SHA512:   0cd16a98fbaef79594d78dffb4a5a4c481706ffaed3e384580b5b5adda29ad2d671a00eecf9e3755f97b11c617ce9d250bdd7564c34bc0182630a7999b783030