Resubmissions

22/01/2025, 16:02

250122-tgxtpsvnfn 10

22/01/2025, 11:17

250122-nd5r9avjej 10

Analysis

  • max time kernel
    30s
  • max time network
    31s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20250113-en
  • resource tags

    arch:x64, arch:x86, image:win10ltsc2021-20250113-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted
    22/01/2025, 11:17

General

  • Target

    msedge.exe

  • Size

    165KB

  • MD5

    8c92b315d88907a31ad9eaa934a60660

  • SHA1

    89c26c8a1f5b2db85e628a6526c9431e7febe5f8

  • SHA256

    bea75b57f940b13d5bfcb05a0c3ae1def9d2d25f6c3115fc7b2bf85232175672

  • SHA512

    b294fd15ac63bbd7cfd444c9df5a03c7bce8bc98d2b2d2011e5290638fba689ff083260ed60688cc4b0a0a59299dda0b1cc09ba8f63daf92efbeeaed604ebfc2

  • SSDEEP

    3072:DJFv9ssOwjRUGKXs+S++7KFSbxeY+qDDrMm:jv9cGqStKEbxI

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

fSptE7osVO19YSsZ

Attributes
  • Install_directory

    %AppData%

  • install_file

    msedge.exe

  • pastebin_url

    https://pastebin.com/raw/eZa6J63T

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1684
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3516
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5104
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\msedge.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3600
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:2484
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\Users\Admin\AppData\Roaming\msedge.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:64
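
The process tree above shows the two behaviours worth alerting on in this report: powershell.exe adding Defender exclusions with Add-MpPreference, and schtasks.exe creating a task named "msedge" that runs the %AppData% copy every minute at the HIGHEST run level. The following Python detection logic is an added example; it is not part of the tria.ge report and not XWorm's own code. The sample events are constructed from the command lines on this page (plus one constructed benign control), the flat event layout (pid, ppid, image, cmdline) is an assumption standing in for Sysmon Event ID 1 or Windows 4688 records, and the thresholds (a minute-interval of five or less, the list of user-writable directories) are the author's choices, not anything the report states.

```python
import re
from collections import defaultdict

# Constructed sample events modelled on the process tree in this report. The
# command lines are copied from the page; the flat event layout is an assumption.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SCHTASKS = r"C:\Windows\System32\schtasks.exe"
SAMPLE_EVENTS = [
    {"pid": 3516, "ppid": 1684, "image": PS,
     "cmdline": f'"{PS}" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath '
                r"'C:\Users\Admin\AppData\Local\Temp\msedge.exe'"},
    {"pid": 5104, "ppid": 1684, "image": PS,
     "cmdline": f'"{PS}" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '
                "'msedge.exe'"},
    {"pid": 3600, "ppid": 1684, "image": PS,
     "cmdline": f'"{PS}" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath '
                r"'C:\Users\Admin\AppData\Roaming\msedge.exe'"},
    {"pid": 2484, "ppid": 1684, "image": PS,
     "cmdline": f'"{PS}" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '
                "'msedge.exe'"},
    {"pid": 64, "ppid": 1684, "image": SCHTASKS,
     "cmdline": f'"{SCHTASKS}" /create /f /RL HIGHEST /sc minute /mo 1 '
                r'/tn "msedge" /tr "C:\Users\Admin\AppData\Roaming\msedge.exe"'},
    # Constructed benign control (not from the page): a vendor-style daily task.
    {"pid": 900, "ppid": 800, "image": SCHTASKS,
     "cmdline": f'"{SCHTASKS}" /create /sc daily /st 03:00 '
                r'/tn "VendorUpdate" /tr "C:\Program Files\Vendor\update.exe"'},
]

# Add-MpPreference followed by one of the exclusion switches named in the
# report's signature; the value may be single-quoted, double-quoted or bare.
EXCLUSION_RE = re.compile(
    r"Add-MpPreference\b[^|;]*?-Exclusion(Path|Process|Extension)\s+"
    r"(?:'([^']*)'|\"([^\"]*)\"|(\S+))", re.IGNORECASE)
# -ExecutionPolicy may be abbreviated to any unique prefix (-ex, -exec, -ep).
EXEC_BYPASS_RE = re.compile(r"-e(?:x\w*|p)\s+bypass", re.IGNORECASE)
# Directories an unprivileged user can write to (author's list, an assumption).
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|Users\\Public)\\", re.IGNORECASE)
# schtasks switches: /name optionally followed by a quoted or bare value.
# Bare values must not contain '/'; paths with forward slashes need quotes.
SWITCH_RE = re.compile(r"/(\w+)(?:\s+(?:\"([^\"]*)\"|'([^']*)'|([^/\s]\S*)))?")


def detect_defender_exclusion(event):
    """Flag a process that adds a Defender exclusion from its command line."""
    m = EXCLUSION_RE.search(event["cmdline"])
    if not m:
        return None
    return {"rule": "defender_exclusion_added", "pid": event["pid"],
            "ppid": event["ppid"], "exclusion_type": m.group(1),
            "value": m.group(2) or m.group(3) or m.group(4),
            "exec_policy_bypass": bool(EXEC_BYPASS_RE.search(event["cmdline"]))}


def parse_schtasks(cmdline):
    """Return {switch_lowercase: value_or_None} for a schtasks command line."""
    return {m.group(1).lower(): m.group(2) or m.group(3) or m.group(4)
            for m in SWITCH_RE.finditer(cmdline)}


def detect_schtasks_persistence(event):
    """Flag schtasks /create whose action lives in a user-writable directory
    and either fires every few minutes or asks for the HIGHEST run level."""
    if not event["image"].lower().endswith("\\schtasks.exe"):
        return None
    opts = parse_schtasks(event["cmdline"])
    if "create" not in opts:
        return None
    action = opts.get("tr") or ""
    if not USER_WRITABLE_RE.search(action):
        return None
    reasons = []
    if (opts.get("sc") or "").lower() == "minute":
        interval = int(opts.get("mo") or 1)  # schtasks documents 1 as the default /mo
        if interval <= 5:
            reasons.append(f"runs every {interval} minute(s)")
    if (opts.get("rl") or "").upper() == "HIGHEST":
        reasons.append("requests HIGHEST run level")
    if not reasons:
        return None
    return {"rule": "schtasks_persistence", "pid": event["pid"],
            "ppid": event["ppid"], "task_name": opts.get("tn"),
            "action": action, "reasons": reasons}


def scan(events):
    """Run every detector over every event and collect the alerts."""
    alerts = []
    for ev in events:
        for detector in (detect_defender_exclusion, detect_schtasks_persistence):
            hit = detector(ev)
            if hit:
                alerts.append(hit)
    return alerts


def correlate_by_parent(alerts):
    """Group alert rule names by parent PID: one parent that both weakens
    Defender and installs a scheduled task is the dropper pattern seen here."""
    by_parent = defaultdict(set)
    for a in alerts:
        by_parent[a["ppid"]].add(a["rule"])
    return dict(by_parent)


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for a in found:
        print(a)
    print("parents with both behaviours:",
          [p for p, rules in correlate_by_parent(found).items() if len(rules) == 2])
```

Run against the constructed events, the four PowerShell children and the schtasks child all alert and correlate_by_parent reports PID 1684 as the single parent behind both behaviours, which is exactly the shape of the tree above; the benign daily task from Program Files produces nothing. Command-line detection is the cheaper signal, but Add-MpPreference only succeeds from an elevated context, so pairing it with Windows Defender Operational log Event ID 5007 (platform configuration changed) confirms whether an exclusion was actually applied rather than merely attempted.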

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

    Filesize

    3KB

    MD5

    3eb3833f769dd890afc295b977eab4b4

    SHA1

    e857649b037939602c72ad003e5d3698695f436f

    SHA256

    c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

    SHA512

    c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    60b3262c3163ee3d466199160b9ed07d

    SHA1

    994ece4ea4e61de0be2fdd580f87e3415f9e1ff6

    SHA256

    e3b30f16d41f94cba2b8a75f35c91ae7418465abfbfe5477ec0551d1952b2fdb

    SHA512

    081d2015cb94477eb0fbc38f44b6d9b4a3204fb3ad0b7d0e146a88ab4ab9a0d475207f1adae03f4a81ccc5beb7568dc8be1249f69e32fe56efd9ee2f6ee3b1af

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    014f71a6acded9d2985322a79aa49202

    SHA1

    622c887c223d4807b6fff00bcec733f29d3070c4

    SHA256

    2706f51a2e6b15845205415791c33cc03c21aaa7421c46f5651df06d81f76d19

    SHA512

    199dadd2b954b9f27e7290bf1f383c476ad2d93883243aa86d23408d016006ac4d39993bd3aa4b6d93a828aecafd66dd8ef431dca5d3c98b5fd86b4c96cb3a56

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    29691aa56266b820d85d422bef115406

    SHA1

    a30f729d482b1fbdb9438383936c8843023f33ee

    SHA256

    c0104766ad7646b1ae944bcab87270b403ac7880be0462712653f1c9be87cca8

    SHA512

    ace1093fe6fd569deed6ac837c865c9d65ff145eae3633c8494927f14d7d755e4e0837770e22abe5d163b2b0b6f48ed2c900403548276da38854a9b40b731774

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_k1q0avpp.w15.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • memory/1684-1-0x0000000000530000-0x000000000055E000-memory.dmp

    Filesize

    184KB

  • memory/1684-60-0x00007FFD1AFD0000-0x00007FFD1BA92000-memory.dmp

    Filesize

    10.8MB

  • memory/1684-0-0x00007FFD1AFD3000-0x00007FFD1AFD5000-memory.dmp

    Filesize

    8KB

  • memory/1684-59-0x00007FFD1AFD0000-0x00007FFD1BA92000-memory.dmp

    Filesize

    10.8MB

  • memory/1684-58-0x00007FFD1AFD3000-0x00007FFD1AFD5000-memory.dmp

    Filesize

    8KB

  • memory/3516-12-0x00007FFD1AFD0000-0x00007FFD1BA92000-memory.dmp

    Filesize

    10.8MB

  • memory/3516-19-0x00007FFD1AFD0000-0x00007FFD1BA92000-memory.dmp

    Filesize

    10.8MB

  • memory/3516-18-0x00007FFD1AFD0000-0x00007FFD1BA92000-memory.dmp

    Filesize

    10.8MB

  • memory/3516-15-0x00007FFD1AFD0000-0x00007FFD1BA92000-memory.dmp

    Filesize

    10.8MB

  • memory/3516-14-0x00007FFD1AFD0000-0x00007FFD1BA92000-memory.dmp

    Filesize

    10.8MB

  • memory/3516-13-0x00007FFD1AFD0000-0x00007FFD1BA92000-memory.dmp

    Filesize

    10.8MB

  • memory/3516-7-0x000001FE45740000-0x000001FE45762000-memory.dmp

    Filesize

    136KB