Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    119s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    22/01/2025, 14:51

General

  • Target

    SamsungCommisionExternal.exe

  • Size

    63KB

  • MD5

    6f30a565049364df3068b5bc88fd36d6

  • SHA1

    2ca485eb96156bfc561acd69649cf3339da6c610

  • SHA256

    e65d7f5beb1f383e07917e867fb3b18a59a597319d152ad148b37a8924b8780d

  • SHA512

    c01edc2fe4e5ad26b9511cc0bc114221878cf961b436a091a79611ce27da69ce7cf58afdcc71d295ad25f08701b1eb16c0c298fd22fbcb69004f760ea2b89ffe

  • SSDEEP

    1536:9VbfG3pj8mIfpubPOggHEyj26+6POhjV5yD/9:/fGZrIf0bPDgkyjnPOhp5U9

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:24707

modified-begun.gl.at.ply.gg:24707

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SamsungCommisionExternal.exe
    "C:\Users\Admin\AppData\Local\Temp\SamsungCommisionExternal.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2684
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\SamsungCommisionExternal.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2824
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SamsungCommisionExternal.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2068
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Smasmug'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2468
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Smasmug'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2464

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    7KB

    MD5

    877301d7dd5e0de14f77c3b6a8011366

    SHA1

    7c4481e91f01f2f33d35a626c65354a98c1888d8

    SHA256

    b4383488854fadad7dc2f7063f5552754ba9b4294793b19021b4a300fdf957f4

    SHA512

    4ca4f2770429dfaab1e82c603986c0c12223bef2a9234a00a7952c4ac67e227cc7a6a547dc8c95398745660408a9144e0c61d35c7eb3eba3817c08d6e2f87e73

  • memory/2068-16-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

    Filesize

    2.9MB

  • memory/2068-17-0x00000000022C0000-0x00000000022C8000-memory.dmp

    Filesize

    32KB

  • memory/2684-0-0x000007FEF6343000-0x000007FEF6344000-memory.dmp

    Filesize

    4KB

  • memory/2684-1-0x0000000000900000-0x0000000000916000-memory.dmp

    Filesize

    88KB

  • memory/2684-2-0x000007FEF6340000-0x000007FEF6D2C000-memory.dmp

    Filesize

    9.9MB

  • memory/2684-3-0x000007FEF6343000-0x000007FEF6344000-memory.dmp

    Filesize

    4KB

  • memory/2684-32-0x000007FEF6340000-0x000007FEF6D2C000-memory.dmp

    Filesize

    9.9MB

  • memory/2824-8-0x0000000002CD0000-0x0000000002D50000-memory.dmp

    Filesize

    512KB

  • memory/2824-9-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

    Filesize

    2.9MB

  • memory/2824-10-0x0000000002340000-0x0000000002348000-memory.dmp

    Filesize

    32KB