Analysis

  • max time kernel
    119s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    22/01/2025, 14:51 UTC

General

  • Target

    SamsungCommisionExternal.exe

  • Size

    63KB

  • MD5

    6f30a565049364df3068b5bc88fd36d6

  • SHA1

    2ca485eb96156bfc561acd69649cf3339da6c610

  • SHA256

    e65d7f5beb1f383e07917e867fb3b18a59a597319d152ad148b37a8924b8780d

  • SHA512

    c01edc2fe4e5ad26b9511cc0bc114221878cf961b436a091a79611ce27da69ce7cf58afdcc71d295ad25f08701b1eb16c0c298fd22fbcb69004f760ea2b89ffe

  • SSDEEP

    1536:9VbfG3pj8mIfpubPOggHEyj26+6POhjV5yD/9:/fGZrIf0bPDgkyjnPOhp5U9

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:24707

modified-begun.gl.at.ply.gg:24707

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SamsungCommisionExternal.exe
    "C:\Users\Admin\AppData\Local\Temp\SamsungCommisionExternal.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2684
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\SamsungCommisionExternal.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2824
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SamsungCommisionExternal.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2068
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Smasmug'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2468
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Smasmug'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2464

Network

  • flag-us
    DNS
    ip-api.com
    SamsungCommisionExternal.exe
    Remote address:
    8.8.8.8:53
    Request
    ip-api.com
    IN A
    Response
    ip-api.com
    IN A
    208.95.112.1
  • flag-us
    GET
    http://ip-api.com/line/?fields=hosting
    SamsungCommisionExternal.exe
    Remote address:
    208.95.112.1:80
    Request
    GET /line/?fields=hosting HTTP/1.1
    Host: ip-api.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Wed, 22 Jan 2025 14:53:20 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 6
    Access-Control-Allow-Origin: *
    X-Ttl: 53
    X-Rl: 43
  • flag-us
    DNS
    modified-begun.gl.at.ply.gg
    SamsungCommisionExternal.exe
    Remote address:
    8.8.8.8:53
    Request
    modified-begun.gl.at.ply.gg
    IN A
    Response
    modified-begun.gl.at.ply.gg
    IN A
    147.185.221.25
  • 208.95.112.1:80
    http://ip-api.com/line/?fields=hosting
    http
    SamsungCommisionExternal.exe
    362 B
    347 B
    6
    4

    HTTP Request

    GET http://ip-api.com/line/?fields=hosting

    HTTP Response

    200
  • 147.185.221.25:24707
    modified-begun.gl.at.ply.gg
    SamsungCommisionExternal.exe
    2.8kB
    1.7kB
    37
    33
  • 8.8.8.8:53
    ip-api.com
    dns
    SamsungCommisionExternal.exe
    56 B
    72 B
    1
    1

    DNS Request

    ip-api.com

    DNS Response

    208.95.112.1

  • 8.8.8.8:53
    modified-begun.gl.at.ply.gg
    dns
    SamsungCommisionExternal.exe
    73 B
    89 B
    1
    1

    DNS Request

    modified-begun.gl.at.ply.gg

    DNS Response

    147.185.221.25

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    7KB

    MD5

    877301d7dd5e0de14f77c3b6a8011366

    SHA1

    7c4481e91f01f2f33d35a626c65354a98c1888d8

    SHA256

    b4383488854fadad7dc2f7063f5552754ba9b4294793b19021b4a300fdf957f4

    SHA512

    4ca4f2770429dfaab1e82c603986c0c12223bef2a9234a00a7952c4ac67e227cc7a6a547dc8c95398745660408a9144e0c61d35c7eb3eba3817c08d6e2f87e73

  • memory/2068-16-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

    Filesize

    2.9MB

  • memory/2068-17-0x00000000022C0000-0x00000000022C8000-memory.dmp

    Filesize

    32KB

  • memory/2684-0-0x000007FEF6343000-0x000007FEF6344000-memory.dmp

    Filesize

    4KB

  • memory/2684-1-0x0000000000900000-0x0000000000916000-memory.dmp

    Filesize

    88KB

  • memory/2684-2-0x000007FEF6340000-0x000007FEF6D2C000-memory.dmp

    Filesize

    9.9MB

  • memory/2684-3-0x000007FEF6343000-0x000007FEF6344000-memory.dmp

    Filesize

    4KB

  • memory/2684-32-0x000007FEF6340000-0x000007FEF6D2C000-memory.dmp

    Filesize

    9.9MB

  • memory/2824-8-0x0000000002CD0000-0x0000000002D50000-memory.dmp

    Filesize

    512KB

  • memory/2824-9-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

    Filesize

    2.9MB

  • memory/2824-10-0x0000000002340000-0x0000000002348000-memory.dmp

    Filesize

    32KB
