Analysis
max time kernel: 127s
max time network: 137s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 22/01/2025, 09:11
Static task: static1
Behavioral task: behavioral1
Sample: SPOOFER TREY.exe
Resource: win7-20240903-en
General
Target: SPOOFER TREY.exe
Size: 76KB
MD5: fff2d0ea19905c9a8f6c6fca38f64b15
SHA1: deb5dec4ca7de9ba0795f441ccda2683317341a9
SHA256: 8fd825863687566693df92add60bc259abe5436238e8b99369fad09b17aa5aaf
SHA512: aa8f6e5cb2e2fdc505ffa67246bd5539d853c2a22221911a7f2bb84749d11b10a29fbf7fb9d5244a84d082c5f387a5861c34b71e96f57b720a34c6216d8f1558
SSDEEP: 1536:ho2cR9MCrmWPDjC0hIgQLCap5BzGd0B/JUT4l7A9EkNof:2hCuF7aftGO3Tc+f
Malware Config
Extracted
family: xworm
  exchange-syndicate.gl.at.ply.gg:22530
  install_file: USB.exe
Signatures

Detect Xworm Payload (5 IoCs)
resource                                                                    yara_rule
behavioral1/memory/776-18-0x0000000000400000-0x0000000000414000-memory.dmp  family_xworm
behavioral1/memory/776-16-0x0000000000400000-0x0000000000414000-memory.dmp  family_xworm
behavioral1/memory/776-14-0x0000000000400000-0x0000000000414000-memory.dmp  family_xworm
behavioral1/memory/776-11-0x0000000000400000-0x0000000000414000-memory.dmp  family_xworm
behavioral1/memory/776-10-0x0000000000400000-0x0000000000414000-memory.dmp  family_xworm

Xworm family
pid   Process
1616  powershell.exe
2688  powershell.exe
1664  powershell.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
description      ioc                                                                                                                                                          Process
Set value (str)  \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\SYSTEM = "C:\\Users\\Admin\\AppData\\Roaming\\spoofer\\spoofer.exe"  powershell.exe

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
4     ip-api.com

Suspicious use of SetThreadContext (1 IoCs)
description                          pid   Process           procid_target
PID 1868 set thread context of 776   1868  SPOOFER TREY.exe  33

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                            Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  SPOOFER TREY.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  RegAsm.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid   Process
1616  powershell.exe
2688  powershell.exe
1664  powershell.exe
776   RegAsm.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
description              pid   Process
Token: SeDebugPrivilege  1616  powershell.exe
Token: SeDebugPrivilege  776   RegAsm.exe
Token: SeDebugPrivilege  2688  powershell.exe
Token: SeDebugPrivilege  1664  powershell.exe
Token: SeDebugPrivilege  776   RegAsm.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
pid  Process
776  RegAsm.exe

Suspicious use of WriteProcessMemory (24 IoCs)
description                        pid   Process           procid_target
PID 1868 wrote to memory of 1616   1868  SPOOFER TREY.exe  31
PID 1868 wrote to memory of 1616   1868  SPOOFER TREY.exe  31
PID 1868 wrote to memory of 1616   1868  SPOOFER TREY.exe  31
PID 1868 wrote to memory of 1616   1868  SPOOFER TREY.exe  31
PID 1868 wrote to memory of 776    1868  SPOOFER TREY.exe  33
PID 1868 wrote to memory of 776    1868  SPOOFER TREY.exe  33
PID 1868 wrote to memory of 776    1868  SPOOFER TREY.exe  33
PID 1868 wrote to memory of 776    1868  SPOOFER TREY.exe  33
PID 1868 wrote to memory of 776    1868  SPOOFER TREY.exe  33
PID 1868 wrote to memory of 776    1868  SPOOFER TREY.exe  33
PID 1868 wrote to memory of 776    1868  SPOOFER TREY.exe  33
PID 1868 wrote to memory of 776    1868  SPOOFER TREY.exe  33
PID 1868 wrote to memory of 776    1868  SPOOFER TREY.exe  33
PID 1868 wrote to memory of 776    1868  SPOOFER TREY.exe  33
PID 1868 wrote to memory of 776    1868  SPOOFER TREY.exe  33
PID 1868 wrote to memory of 776    1868  SPOOFER TREY.exe  33
PID 776 wrote to memory of 2688    776   RegAsm.exe        35
PID 776 wrote to memory of 2688    776   RegAsm.exe        35
PID 776 wrote to memory of 2688    776   RegAsm.exe        35
PID 776 wrote to memory of 2688    776   RegAsm.exe        35
PID 776 wrote to memory of 1664    776   RegAsm.exe        37
PID 776 wrote to memory of 1664    776   RegAsm.exe        37
PID 776 wrote to memory of 1664    776   RegAsm.exe        37
PID 776 wrote to memory of 1664    776   RegAsm.exe        37
Processes

C:\Users\Admin\AppData\Local\Temp\SPOOFER TREY.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SPOOFER TREY.exe"
  PID: 1868
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SYSTEM';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SYSTEM' -Value '"C:\Users\Admin\AppData\Roaming\spoofer\spoofer.exe"' -PropertyType 'String'
    PID: 1616
    - Command and Scripting Interpreter: PowerShell
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    PID: 776
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
      PID: 2688
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RegAsm.exe'
      PID: 1664
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize: 7KB
MD5: 5e5d60e84351c770225603fed6b33024
SHA1: 060d3823ecbb734030cd758f73ad436bd4ae4c65
SHA256: 8120275e6ea6fbde1e003f83a02a525655e1e0b231e3e6b72aeed69dca369a3b
SHA512: aff8cb62255abf93c1141a24abcc07543dba08124ac88a1845efc0a054daa92f667dcf729c61c11e1f289a00933a0be77e4b9057e618031b6e256b39c6317615