Analysis
max time kernel: 130s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22/01/2025, 09:11
Static task: static1
Behavioral task: behavioral1
Sample: SPOOFER TREY.exe
Resource: win7-20240903-en
General
Target: SPOOFER TREY.exe
Size: 76KB
MD5: fff2d0ea19905c9a8f6c6fca38f64b15
SHA1: deb5dec4ca7de9ba0795f441ccda2683317341a9
SHA256: 8fd825863687566693df92add60bc259abe5436238e8b99369fad09b17aa5aaf
SHA512: aa8f6e5cb2e2fdc505ffa67246bd5539d853c2a22221911a7f2bb84749d11b10a29fbf7fb9d5244a84d082c5f387a5861c34b71e96f57b720a34c6216d8f1558
SSDEEP: 1536:ho2cR9MCrmWPDjC0hIgQLCap5BzGd0B/JUT4l7A9EkNof:2hCuF7aftGO3Tc+f
Malware Config
Extracted: xworm
  exchange-syndicate.gl.at.ply.gg:22530
  install_file: USB.exe
Signatures

Detect Xworm Payload (1 IoCs)
  resource | yara_rule
  behavioral2/memory/4660-12-0x0000000000400000-0x0000000000414000-memory.dmp | family_xworm

Xworm family

Command and Scripting Interpreter: PowerShell (1 TTPs, 3 IoCs)
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  pid | Process
  3272 | powershell.exe
  1892 | powershell.exe
  2464 | powershell.exe

Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up the country code configured in the registry, likely for geofencing.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | RegAsm.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SYSTEM = "C:\\Users\\Admin\\AppData\\Roaming\\spoofer\\spoofer.exe" | powershell.exe

Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  24 | ip-api.com

Suspicious use of SetThreadContext (1 IoCs)
  description | pid | Process | procid_target
  PID 4600 set thread context of 4660 | 4600 | SPOOFER TREY.exe | 98

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SPOOFER TREY.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe

Suspicious behavior: EnumeratesProcesses (7 IoCs)
  pid | Process
  2464 | powershell.exe
  2464 | powershell.exe
  3272 | powershell.exe
  3272 | powershell.exe
  1892 | powershell.exe
  1892 | powershell.exe
  4660 | RegAsm.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2464 | powershell.exe
  Token: SeDebugPrivilege | 4660 | RegAsm.exe
  Token: SeDebugPrivilege | 3272 | powershell.exe
  Token: SeDebugPrivilege | 1892 | powershell.exe
  Token: SeDebugPrivilege | 4660 | RegAsm.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
  pid | Process
  4660 | RegAsm.exe

Suspicious use of WriteProcessMemory (17 IoCs)
  description | pid | Process | procid_target
  PID 4600 wrote to memory of 2464 | 4600 | SPOOFER TREY.exe | 96
  PID 4600 wrote to memory of 2464 | 4600 | SPOOFER TREY.exe | 96
  PID 4600 wrote to memory of 2464 | 4600 | SPOOFER TREY.exe | 96
  PID 4600 wrote to memory of 4660 | 4600 | SPOOFER TREY.exe | 98
  PID 4600 wrote to memory of 4660 | 4600 | SPOOFER TREY.exe | 98
  PID 4600 wrote to memory of 4660 | 4600 | SPOOFER TREY.exe | 98
  PID 4600 wrote to memory of 4660 | 4600 | SPOOFER TREY.exe | 98
  PID 4600 wrote to memory of 4660 | 4600 | SPOOFER TREY.exe | 98
  PID 4600 wrote to memory of 4660 | 4600 | SPOOFER TREY.exe | 98
  PID 4600 wrote to memory of 4660 | 4600 | SPOOFER TREY.exe | 98
  PID 4600 wrote to memory of 4660 | 4600 | SPOOFER TREY.exe | 98
  PID 4660 wrote to memory of 3272 | 4660 | RegAsm.exe | 101
  PID 4660 wrote to memory of 3272 | 4660 | RegAsm.exe | 101
  PID 4660 wrote to memory of 3272 | 4660 | RegAsm.exe | 101
  PID 4660 wrote to memory of 1892 | 4660 | RegAsm.exe | 103
  PID 4660 wrote to memory of 1892 | 4660 | RegAsm.exe | 103
  PID 4660 wrote to memory of 1892 | 4660 | RegAsm.exe | 103
Processes

C:\Users\Admin\AppData\Local\Temp\SPOOFER TREY.exe (PID 4600)
  command line: "C:\Users\Admin\AppData\Local\Temp\SPOOFER TREY.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2464)
    command line: "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SYSTEM';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SYSTEM' -Value '"C:\Users\Admin\AppData\Roaming\spoofer\spoofer.exe"' -PropertyType 'String'
    - Command and Scripting Interpreter: PowerShell
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 4660)
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3272)
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1892)
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RegAsm.exe'
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: def65711d78669d7f8e69313be4acf2e
SHA1: 6522ebf1de09eeb981e270bd95114bc69a49cda6
SHA256: aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c
SHA512: 05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

Filesize: 18KB
MD5: 1ed2e4f1927c9f6c7c19c0ad48b91bf2
SHA1: 0bbac5be7fc7aacf5694722a29d1f3aa3460cb04
SHA256: 5da2a38f8c39204570545a8ff16c68a8ee7cfd28511a7b7383f6542375a7fe61
SHA512: e5c918f488596dfb133fb5a6f6584fdb82decd35922c1b9167577b82986f46fa99e76ae9301accd796e25a55b863b7a73e0e17626132eb5717fa3d3fc540e00b

Filesize: 18KB
MD5: b8830b50b126939794b79fc7ce9216a0
SHA1: 77a7b9fbcba7d54a6e135d354be1700f88406c37
SHA256: bd9be4b914ef5ef653190e18c3dd9b6e2c1e201284365b4191b225db269f08a9
SHA512: 6dc5ed95da5f70dd6ec74fa697622f48159d6e3cdbf6bbc6ff471ebb2ef2ab0a7296cc9c491386b79b81c6c318aac3ce57b0aeee6c204c46dd711264c29ec4b9

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82