Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
119s -
max time network
146s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
22/01/2025, 14:51
Behavioral task
behavioral1
Sample
SamsungCommisionExternal.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
SamsungCommisionExternal.exe
Resource
win10v2004-20241007-en
General
-
Target
SamsungCommisionExternal.exe
-
Size
63KB
-
MD5
6f30a565049364df3068b5bc88fd36d6
-
SHA1
2ca485eb96156bfc561acd69649cf3339da6c610
-
SHA256
e65d7f5beb1f383e07917e867fb3b18a59a597319d152ad148b37a8924b8780d
-
SHA512
c01edc2fe4e5ad26b9511cc0bc114221878cf961b436a091a79611ce27da69ce7cf58afdcc71d295ad25f08701b1eb16c0c298fd22fbcb69004f760ea2b89ffe
-
SSDEEP
1536:9VbfG3pj8mIfpubPOggHEyj26+6POhjV5yD/9:/fGZrIf0bPDgkyjnPOhp5U9
Malware Config
Extracted
xworm
127.0.0.1:24707
modified-begun.gl.at.ply.gg:24707
-
Install_directory
%AppData%
-
install_file
USB.exe
Signatures
-
Detect Xworm Payload 1 IoCs
resource yara_rule behavioral1/memory/2684-1-0x0000000000900000-0x0000000000916000-memory.dmp family_xworm -
Xworm family
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 2468 powershell.exe 2464 powershell.exe 2824 powershell.exe 2068 powershell.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Smasmug.lnk SamsungCommisionExternal.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Smasmug.lnk SamsungCommisionExternal.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Smasmug = "C:\\Users\\Admin\\AppData\\Roaming\\Smasmug" SamsungCommisionExternal.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 ip-api.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid Process 2824 powershell.exe 2068 powershell.exe 2468 powershell.exe 2464 powershell.exe 2684 SamsungCommisionExternal.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeDebugPrivilege 2684 SamsungCommisionExternal.exe Token: SeDebugPrivilege 2824 powershell.exe Token: SeDebugPrivilege 2068 powershell.exe Token: SeDebugPrivilege 2468 powershell.exe Token: SeDebugPrivilege 2464 powershell.exe Token: SeDebugPrivilege 2684 SamsungCommisionExternal.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2684 SamsungCommisionExternal.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 2684 wrote to memory of 2824 2684 SamsungCommisionExternal.exe 31 PID 2684 wrote to memory of 2824 2684 SamsungCommisionExternal.exe 31 PID 2684 wrote to memory of 2824 2684 SamsungCommisionExternal.exe 31 PID 2684 wrote to memory of 2068 2684 SamsungCommisionExternal.exe 33 PID 2684 wrote to memory of 2068 2684 SamsungCommisionExternal.exe 33 PID 2684 wrote to memory of 2068 2684 SamsungCommisionExternal.exe 33 PID 2684 wrote to memory of 2468 2684 SamsungCommisionExternal.exe 35 PID 2684 wrote to memory of 2468 2684 SamsungCommisionExternal.exe 35 PID 2684 wrote to memory of 2468 2684 SamsungCommisionExternal.exe 35 PID 2684 wrote to memory of 2464 2684 SamsungCommisionExternal.exe 37 PID 2684 wrote to memory of 2464 2684 SamsungCommisionExternal.exe 37 PID 2684 wrote to memory of 2464 2684 SamsungCommisionExternal.exe 37
Processes
-
C:\Users\Admin\AppData\Local\Temp\SamsungCommisionExternal.exe"C:\Users\Admin\AppData\Local\Temp\SamsungCommisionExternal.exe"1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\SamsungCommisionExternal.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2824
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SamsungCommisionExternal.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2068
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Smasmug'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2468
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Smasmug'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2464
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD5877301d7dd5e0de14f77c3b6a8011366
SHA17c4481e91f01f2f33d35a626c65354a98c1888d8
SHA256b4383488854fadad7dc2f7063f5552754ba9b4294793b19021b4a300fdf957f4
SHA5124ca4f2770429dfaab1e82c603986c0c12223bef2a9234a00a7952c4ac67e227cc7a6a547dc8c95398745660408a9144e0c61d35c7eb3eba3817c08d6e2f87e73