Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

idk.exe

windows10-ltsc 2021-x64

10

Resubmissions

22/01/2025, 16:19

250122-tsmg4swjcl 10

22/01/2025, 16:17

250122-trdtksvrhj 10

22/01/2025, 16:14

250122-tpwllsvrdj 10

22/01/2025, 16:12

250122-tnlp1svjc1 10

22/01/2025, 16:10

250122-tml96avqem 10

22/01/2025, 16:09

250122-tlwgfatrgs 10

22/01/2025, 13:40

250122-qylwzsymez 10

Analysis

  • max time kernel
    34s
  • max time network
    36s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20250113-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    22/01/2025, 13:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    idk.exe

  • Size

    94KB

  • MD5

    f88781b7415e7b04fd13b1bbbf2009b2

  • SHA1

    df9072bf61727db083155c04b47ce48744b23ee5

  • SHA256

    ccaf48cc722a2f0f9766cc4e83c1469e498fc67d2f8ed96942a5764d3591050e

  • SHA512

    6c16f8287f2f14b452025be0638fb827fa6e4a3556b21119c6195bc066d577f2c1df9a8b3f500f7e56d2b33e0552c7cbec8730bd3ac14704a6250280b1aac3db

  • SSDEEP

    1536:BItB2JRcId+cS7K/aATFcmJi1vJYbmG0VaTCVp8tA8qbQXpPQ8Qep+MDaj361dw:CyFdDSWjB0vcL0VwCz8+8qbwPtVkOg3r

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

IDKTOBEHONESTNIGAS-56344.portmap.io:56344

Attributes
  • Install_directory

    %LocalAppData%

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\idk.exe
    "C:\Users\Admin\AppData\Local\Temp\idk.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:5208
    • C:\Users\Admin\AppData\Roaming\svchost.scr
      "C:\Users\Admin\AppData\Roaming\svchost.scr" /S
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:6140
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.scr'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5356
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.scr'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:540
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\svchost.scr'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5360
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Local\svchost.scr"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:3580

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    3KB

    MD5

    3eb3833f769dd890afc295b977eab4b4

    SHA1

    e857649b037939602c72ad003e5d3698695f436f

    SHA256

    c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

    SHA512

    c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    60b3262c3163ee3d466199160b9ed07d

    SHA1

    994ece4ea4e61de0be2fdd580f87e3415f9e1ff6

    SHA256

    e3b30f16d41f94cba2b8a75f35c91ae7418465abfbfe5477ec0551d1952b2fdb

    SHA512

    081d2015cb94477eb0fbc38f44b6d9b4a3204fb3ad0b7d0e146a88ab4ab9a0d475207f1adae03f4a81ccc5beb7568dc8be1249f69e32fe56efd9ee2f6ee3b1af

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    aea5cb7f27e89fb59360d49b1a005291

    SHA1

    32483bba5b0cf77c9aa13139ba1c8e9397ffab75

    SHA256

    50a967b462520910e3283fe2b7d1d319746ae4bbc86fa02fe4a3b76c4331e161

    SHA512

    e3a80d49e2089bf9702ba12abc58b26a8ef26390efe6c84b687525ed3c0e30792ddd5ab3f68a22d8229caff4f542879e936e218d81237571475671095bdf1aae

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2m32adtc.he4.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Roaming\svchost.scr
    Filesize

    79KB

    MD5

    0b192c8ec04f4dcd360957eb478221d2

    SHA1

    522a5c7336a31c23efec4b8ccab7ce7c17d620d4

    SHA256

    ea6a26539f74891663a03fc3cf348ef53c14295ef3662b9a29b211a8d0503e1c

    SHA512

    7d5dd7c9aca799a8dc15eea9bf767ca6c7e2145ad848d2b2cefb3548cffb30bbbb3e3933aac7c602e4a1b5f02e14e46b7edbcc3945e1aa2e3cc6219941e90eb6

    Download Submit

  • memory/5208-1-0x0000000000F50000-0x0000000000F6E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/5208-0-0x00007FFEE1DF3000-0x00007FFEE1DF5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/5356-23-0x000001C74DB30000-0x000001C74DB52000-memory.dmp

    Filesize

    136KB

    Download

  • memory/6140-13-0x00007FFEE1DF0000-0x00007FFEE28B2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/6140-12-0x00007FFEE1DF0000-0x00007FFEE28B2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/6140-11-0x0000000000460000-0x000000000047A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/6140-56-0x00007FFEE1DF0000-0x00007FFEE28B2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/6140-57-0x000000001C770000-0x000000001C77C000-memory.dmp

    Filesize

    48KB

    Download