Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
30s -
max time network
31s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20250113-en -
resource tags
arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system -
submitted
22/01/2025, 11:17
General
-
Target
msedge.exe
-
Size
165KB
-
MD5
8c92b315d88907a31ad9eaa934a60660
-
SHA1
89c26c8a1f5b2db85e628a6526c9431e7febe5f8
-
SHA256
bea75b57f940b13d5bfcb05a0c3ae1def9d2d25f6c3115fc7b2bf85232175672
-
SHA512
b294fd15ac63bbd7cfd444c9df5a03c7bce8bc98d2b2d2011e5290638fba689ff083260ed60688cc4b0a0a59299dda0b1cc09ba8f63daf92efbeeaed604ebfc2
-
SSDEEP
3072:DJFv9ssOwjRUGKXs+S++7KFSbxeY+qDDrMm:jv9cGqStKEbxI
Malware Config
Extracted
xworm
5.0
fSptE7osVO19YSsZ
-
Install_directory
%AppData%
-
install_file
msedge.exe
-
pastebin_url
https://pastebin.com/raw/eZa6J63T
Signatures
-
Detect Xworm Payload 1 IoCs
resource yara_rule behavioral1/memory/1684-1-0x0000000000530000-0x000000000055E000-memory.dmp family_xworm -
Xworm family
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 2484 powershell.exe 3516 powershell.exe 5104 powershell.exe 3600 powershell.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2826969134-2088669430-2680400721-1000\Control Panel\International\Geo\Nation msedge.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk msedge.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk msedge.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs
flow ioc 14 pastebin.com 17 pastebin.com 21 pastebin.com 28 pastebin.com 29 pastebin.com 15 pastebin.com 25 pastebin.com 26 pastebin.com 27 pastebin.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 64 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid Process 3516 powershell.exe 3516 powershell.exe 5104 powershell.exe 5104 powershell.exe 3600 powershell.exe 3600 powershell.exe 2484 powershell.exe 2484 powershell.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 1684 msedge.exe Token: SeDebugPrivilege 3516 powershell.exe Token: SeIncreaseQuotaPrivilege 3516 powershell.exe Token: SeSecurityPrivilege 3516 powershell.exe Token: SeTakeOwnershipPrivilege 3516 powershell.exe Token: SeLoadDriverPrivilege 3516 powershell.exe Token: SeSystemProfilePrivilege 3516 powershell.exe Token: SeSystemtimePrivilege 3516 powershell.exe Token: SeProfSingleProcessPrivilege 3516 powershell.exe Token: SeIncBasePriorityPrivilege 3516 powershell.exe Token: SeCreatePagefilePrivilege 3516 powershell.exe Token: SeBackupPrivilege 3516 powershell.exe Token: SeRestorePrivilege 3516 powershell.exe Token: SeShutdownPrivilege 3516 powershell.exe Token: SeDebugPrivilege 3516 powershell.exe Token: SeSystemEnvironmentPrivilege 3516 powershell.exe Token: SeRemoteShutdownPrivilege 3516 powershell.exe Token: SeUndockPrivilege 3516 powershell.exe Token: SeManageVolumePrivilege 3516 powershell.exe Token: 33 3516 powershell.exe Token: 34 3516 powershell.exe Token: 35 3516 powershell.exe Token: 36 3516 powershell.exe Token: SeDebugPrivilege 5104 powershell.exe Token: SeIncreaseQuotaPrivilege 5104 powershell.exe Token: SeSecurityPrivilege 5104 powershell.exe Token: SeTakeOwnershipPrivilege 5104 powershell.exe Token: SeLoadDriverPrivilege 5104 powershell.exe Token: SeSystemProfilePrivilege 5104 powershell.exe Token: SeSystemtimePrivilege 5104 powershell.exe Token: SeProfSingleProcessPrivilege 5104 powershell.exe Token: SeIncBasePriorityPrivilege 5104 powershell.exe Token: SeCreatePagefilePrivilege 5104 powershell.exe Token: SeBackupPrivilege 5104 powershell.exe Token: SeRestorePrivilege 5104 powershell.exe Token: SeShutdownPrivilege 5104 powershell.exe Token: SeDebugPrivilege 5104 powershell.exe Token: SeSystemEnvironmentPrivilege 5104 powershell.exe Token: SeRemoteShutdownPrivilege 5104 powershell.exe Token: SeUndockPrivilege 5104 powershell.exe Token: SeManageVolumePrivilege 5104 powershell.exe Token: 33 5104 powershell.exe Token: 34 5104 powershell.exe Token: 35 5104 powershell.exe Token: 36 5104 powershell.exe Token: SeDebugPrivilege 3600 powershell.exe Token: SeIncreaseQuotaPrivilege 3600 powershell.exe Token: SeSecurityPrivilege 3600 powershell.exe Token: SeTakeOwnershipPrivilege 3600 powershell.exe Token: SeLoadDriverPrivilege 3600 powershell.exe Token: SeSystemProfilePrivilege 3600 powershell.exe Token: SeSystemtimePrivilege 3600 powershell.exe Token: SeProfSingleProcessPrivilege 3600 powershell.exe Token: SeIncBasePriorityPrivilege 3600 powershell.exe Token: SeCreatePagefilePrivilege 3600 powershell.exe Token: SeBackupPrivilege 3600 powershell.exe Token: SeRestorePrivilege 3600 powershell.exe Token: SeShutdownPrivilege 3600 powershell.exe Token: SeDebugPrivilege 3600 powershell.exe Token: SeSystemEnvironmentPrivilege 3600 powershell.exe Token: SeRemoteShutdownPrivilege 3600 powershell.exe Token: SeUndockPrivilege 3600 powershell.exe Token: SeManageVolumePrivilege 3600 powershell.exe Token: 33 3600 powershell.exe -
Suspicious use of WriteProcessMemory 10 IoCs
description pid Process procid_target PID 1684 wrote to memory of 3516 1684 msedge.exe 85 PID 1684 wrote to memory of 3516 1684 msedge.exe 85 PID 1684 wrote to memory of 5104 1684 msedge.exe 90 PID 1684 wrote to memory of 5104 1684 msedge.exe 90 PID 1684 wrote to memory of 3600 1684 msedge.exe 92 PID 1684 wrote to memory of 3600 1684 msedge.exe 92 PID 1684 wrote to memory of 2484 1684 msedge.exe 94 PID 1684 wrote to memory of 2484 1684 msedge.exe 94 PID 1684 wrote to memory of 64 1684 msedge.exe 97 PID 1684 wrote to memory of 64 1684 msedge.exe 97 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\msedge.exe"C:\Users\Admin\AppData\Local\Temp\msedge.exe"1⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1684 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3516
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5104
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\msedge.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3600
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2484
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\Users\Admin\AppData\Roaming\msedge.exe"2⤵
- Scheduled Task/Job: Scheduled Task
PID:64
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD53eb3833f769dd890afc295b977eab4b4
SHA1e857649b037939602c72ad003e5d3698695f436f
SHA256c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485
SHA512c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72
-
Filesize
1KB
MD560b3262c3163ee3d466199160b9ed07d
SHA1994ece4ea4e61de0be2fdd580f87e3415f9e1ff6
SHA256e3b30f16d41f94cba2b8a75f35c91ae7418465abfbfe5477ec0551d1952b2fdb
SHA512081d2015cb94477eb0fbc38f44b6d9b4a3204fb3ad0b7d0e146a88ab4ab9a0d475207f1adae03f4a81ccc5beb7568dc8be1249f69e32fe56efd9ee2f6ee3b1af
-
Filesize
1KB
MD5014f71a6acded9d2985322a79aa49202
SHA1622c887c223d4807b6fff00bcec733f29d3070c4
SHA2562706f51a2e6b15845205415791c33cc03c21aaa7421c46f5651df06d81f76d19
SHA512199dadd2b954b9f27e7290bf1f383c476ad2d93883243aa86d23408d016006ac4d39993bd3aa4b6d93a828aecafd66dd8ef431dca5d3c98b5fd86b4c96cb3a56
-
Filesize
1KB
MD529691aa56266b820d85d422bef115406
SHA1a30f729d482b1fbdb9438383936c8843023f33ee
SHA256c0104766ad7646b1ae944bcab87270b403ac7880be0462712653f1c9be87cca8
SHA512ace1093fe6fd569deed6ac837c865c9d65ff145eae3633c8494927f14d7d755e4e0837770e22abe5d163b2b0b6f48ed2c900403548276da38854a9b40b731774
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82