Analysis

  • max time kernel
    127s
  • max time network
    137s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    22/01/2025, 09:11

General

  • Target
    SPOOFER TREY.exe
  • Size
    76KB
  • MD5
    fff2d0ea19905c9a8f6c6fca38f64b15
  • SHA1
    deb5dec4ca7de9ba0795f441ccda2683317341a9
  • SHA256
    8fd825863687566693df92add60bc259abe5436238e8b99369fad09b17aa5aaf
  • SHA512
    aa8f6e5cb2e2fdc505ffa67246bd5539d853c2a22221911a7f2bb84749d11b10a29fbf7fb9d5244a84d082c5f387a5861c34b71e96f57b720a34c6216d8f1558
  • SSDEEP
    1536:ho2cR9MCrmWPDjC0hIgQLCap5BzGd0B/JUT4l7A9EkNof:2hCuF7aftGO3Tc+f

Malware Config

Extracted

  • Family
    xworm
  • C2
    exchange-syndicate.gl.at.ply.gg:22530
  • Attributes
    install_file: USB.exe

Signatures

  • Detect Xworm Payload 5 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Using powershell.exe command.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SPOOFER TREY.exe
    "C:\Users\Admin\AppData\Local\Temp\SPOOFER TREY.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1868
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SYSTEM';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SYSTEM' -Value '"C:\Users\Admin\AppData\Roaming\spoofer\spoofer.exe"' -PropertyType 'String'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1616
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:776
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2688
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RegAsm.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1664

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize
    7KB
    MD5
    5e5d60e84351c770225603fed6b33024
    SHA1
    060d3823ecbb734030cd758f73ad436bd4ae4c65
    SHA256
    8120275e6ea6fbde1e003f83a02a525655e1e0b231e3e6b72aeed69dca369a3b
    SHA512
    aff8cb62255abf93c1141a24abcc07543dba08124ac88a1845efc0a054daa92f667dcf729c61c11e1f289a00933a0be77e4b9057e618031b6e256b39c6317615
  • memory/776-11-0x0000000000400000-0x0000000000414000-memory.dmp
    Filesize
    80KB
  • memory/776-14-0x0000000000400000-0x0000000000414000-memory.dmp
    Filesize
    80KB
  • memory/776-10-0x0000000000400000-0x0000000000414000-memory.dmp
    Filesize
    80KB
  • memory/776-8-0x0000000000400000-0x0000000000414000-memory.dmp
    Filesize
    80KB
  • memory/776-9-0x0000000000400000-0x0000000000414000-memory.dmp
    Filesize
    80KB
  • memory/776-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
    Filesize
    4KB
  • memory/776-18-0x0000000000400000-0x0000000000414000-memory.dmp
    Filesize
    80KB
  • memory/776-16-0x0000000000400000-0x0000000000414000-memory.dmp
    Filesize
    80KB
  • memory/1616-19-0x000000006F041000-0x000000006F042000-memory.dmp
    Filesize
    4KB
  • memory/1616-21-0x000000006F040000-0x000000006F5EB000-memory.dmp
    Filesize
    5.7MB
  • memory/1616-22-0x000000006F040000-0x000000006F5EB000-memory.dmp
    Filesize
    5.7MB
  • memory/1868-3-0x0000000074230000-0x000000007491E000-memory.dmp
    Filesize
    6.9MB
  • memory/1868-0-0x000000007423E000-0x000000007423F000-memory.dmp
    Filesize
    4KB
  • memory/1868-4-0x0000000000380000-0x0000000000398000-memory.dmp
    Filesize
    96KB
  • memory/1868-20-0x0000000074230000-0x000000007491E000-memory.dmp
    Filesize
    6.9MB
  • memory/1868-2-0x0000000074230000-0x000000007491E000-memory.dmp
    Filesize
    6.9MB
  • memory/1868-1-0x0000000000DE0000-0x0000000000DFA000-memory.dmp
    Filesize
    104KB