Analysis
- max time kernel: 682s
- max time network: 613s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23/01/2025, 13:35
General
- Target: Xworm.exe
- Size: 828KB
- MD5: f2dba5b93fa78fe0357cae18d68bc13f
- SHA1: 686e5e1ae65116c4d22315b15992163ad4d34f7c
- SHA256: 0d8cc0a75238c05e1b072683ee43d7e0bf827dde7a652df1467333a2b1f6a570
- SHA512: cc9714c48fc9c36f98ec2230e96efd5016c254059cf23ea7ccf318e3e44337559e6f5f48d5b9367a10c5b87bd05df6345c58c64eb728769f649b2411f4dc3970
- SSDEEP: 12288:pMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9rR0uvsj:pnsJ39LyjbJkQFMhmC+6GD9Fl0
Malware Config

Extracted: xworm
- simply-exotic.gl.at.ply.gg:27183
- Install_directory: %Temp%
- install_file: Windows.exe

Extracted: xred
- xred.mooo.com
- payload_url:
Signatures

Contains code to disable Windows Defender (1 IoC)
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- behavioral1/memory/2308-315-0x000000001CBD0000-0x000000001CBDE000-memory.dmp (yara_rule: disable_win_def)

Detect Xworm Payload (6 IoCs)
- behavioral1/files/0x0009000000023c57-5.dat (yara_rule: family_xworm)
- behavioral1/files/0x0007000000023cac-67.dat (yara_rule: family_xworm)
- behavioral1/memory/2308-71-0x0000000000D10000-0x0000000000D2A000-memory.dmp (yara_rule: family_xworm)
- behavioral1/memory/1392-130-0x0000000000400000-0x00000000004D5000-memory.dmp (yara_rule: family_xworm)
- behavioral1/memory/3328-296-0x0000000000400000-0x00000000004D5000-memory.dmp (yara_rule: family_xworm)
- behavioral1/memory/3328-351-0x0000000000400000-0x00000000004D5000-memory.dmp (yara_rule: family_xworm)

Xred family

Xworm family

Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- PID 852 powershell.exe
- PID 1284 powershell.exe
- PID 4260 powershell.exe
- PID 3796 powershell.exe

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up the country code configured in the registry, likely a geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation (Synaptics.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation (._cache_Xworm.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation (Xworm.exe)

Drops startup file (2 IoCs)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\User.lnk (._cache_Xworm.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\User.lnk (._cache_Xworm.exe)

Executes dropped EXE (7 IoCs)
- PID 2308 ._cache_Xworm.exe
- PID 3328 Synaptics.exe
- PID 3408 ._cache_Synaptics.exe
- PID 1420 User
- PID 2288 User
- PID 1072 User
- PID 3056 User

Loads dropped DLL (1 IoC)
- PID 2308 ._cache_Xworm.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" (Xworm.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\User = "C:\\Users\\Admin\\AppData\\Local\\Temp\\User" (._cache_Xworm.exe)

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
- flow 19: ip-api.com

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Xworm.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Synaptics.exe)

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (EXCEL.EXE)
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (EXCEL.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (EXCEL.EXE)

Delays execution with timeout.exe (1 IoC)
- PID 8 timeout.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (EXCEL.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (EXCEL.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (EXCEL.EXE)

Modifies registry class (2 IoCs)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (Xworm.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (Synaptics.exe)

Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- PID 2472 schtasks.exe

Suspicious behavior: AddClipboardFormatListener (1 IoC)
- PID 1404 EXCEL.EXE

Suspicious behavior: EnumeratesProcesses (16 IoCs)
- PID 852 powershell.exe (2 entries)
- PID 1284 powershell.exe (2 entries)
- PID 4260 powershell.exe (2 entries)
- PID 3796 powershell.exe (2 entries)
- PID 2308 ._cache_Xworm.exe (8 entries)

Suspicious use of AdjustPrivilegeToken (11 IoCs)
- Token: SeDebugPrivilege, PID 2308 ._cache_Xworm.exe
- Token: SeDebugPrivilege, PID 3408 ._cache_Synaptics.exe
- Token: SeDebugPrivilege, PID 852 powershell.exe
- Token: SeDebugPrivilege, PID 1284 powershell.exe
- Token: SeDebugPrivilege, PID 4260 powershell.exe
- Token: SeDebugPrivilege, PID 3796 powershell.exe
- Token: SeDebugPrivilege, PID 2308 ._cache_Xworm.exe
- Token: SeDebugPrivilege, PID 1420 User
- Token: SeDebugPrivilege, PID 2288 User
- Token: SeDebugPrivilege, PID 1072 User
- Token: SeDebugPrivilege, PID 3056 User

Suspicious use of SetWindowsHookEx (9 IoCs)
- PID 1404 EXCEL.EXE (8 entries)
- PID 2308 ._cache_Xworm.exe

Suspicious use of WriteProcessMemory (23 IoCs)
Each entry gives the writing process (pid, name), the target PID, and the procid_target value.
- PID 1392 Xworm.exe wrote to memory of 2308 (procid_target 84), 2 entries
- PID 1392 Xworm.exe wrote to memory of 3328 (procid_target 85), 3 entries
- PID 3328 Synaptics.exe wrote to memory of 3408 (procid_target 86), 2 entries
- PID 2308 ._cache_Xworm.exe wrote to memory of 852 (procid_target 93), 2 entries
- PID 2308 ._cache_Xworm.exe wrote to memory of 1284 (procid_target 95), 2 entries
- PID 2308 ._cache_Xworm.exe wrote to memory of 4260 (procid_target 98), 2 entries
- PID 2308 ._cache_Xworm.exe wrote to memory of 3796 (procid_target 100), 2 entries
- PID 2308 ._cache_Xworm.exe wrote to memory of 2472 (procid_target 106), 2 entries
- PID 2308 ._cache_Xworm.exe wrote to memory of 2604 (procid_target 124), 2 entries
- PID 2308 ._cache_Xworm.exe wrote to memory of 4732 (procid_target 126), 2 entries
- PID 4732 cmd.exe wrote to memory of 8 (procid_target 128), 2 entries

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(Indentation shows the parent/child relationship of the process tree.)

- C:\Users\Admin\AppData\Local\Temp\Xworm.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Xworm.exe"
  PID: 1392
  Signatures: Checks computer location settings; Adds Run key to start application; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\._cache_Xworm.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_Xworm.exe"
    PID: 2308
    Signatures: Checks computer location settings; Drops startup file; Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\._cache_Xworm.exe'
      PID: 852
      Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '._cache_Xworm.exe'
      PID: 1284
      Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\User'
      PID: 4260
      Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'User'
      PID: 3796
      Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "User" /tr "C:\Users\Admin\AppData\Local\Temp\User"
      PID: 2472
      Signatures: Scheduled Task/Job: Scheduled Task
    - C:\Windows\System32\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /delete /f /tn "User"
      PID: 2604
    - C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC4A5.tmp.bat""
      PID: 4732
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\timeout.exe
        Command line: timeout 3
        PID: 8
        Signatures: Delays execution with timeout.exe
  - C:\ProgramData\Synaptics\Synaptics.exe
    Command line: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    PID: 3328
    Signatures: Checks computer location settings; Executes dropped EXE; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
      PID: 3408
      Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
  PID: 1404
  Signatures: Checks processor information in registry; Enumerates system info in registry; Suspicious behavior: AddClipboardFormatListener; Suspicious use of SetWindowsHookEx
- C:\Users\Admin\AppData\Local\Temp\User
  Command line: C:\Users\Admin\AppData\Local\Temp\User
  PID: 1420
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Local\Temp\User
  Command line: C:\Users\Admin\AppData\Local\Temp\User
  PID: 2288
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Local\Temp\User
  Command line: C:\Users\Admin\AppData\Local\Temp\User
  PID: 1072
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Local\Temp\User
  Command line: C:\Users\Admin\AppData\Local\Temp\User
  PID: 3056
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
(Counts in parentheses are the number of matching signatures.)
- Execution
  - Command and Scripting Interpreter (1)
    - PowerShell (1)
  - Scheduled Task/Job (1)
    - Scheduled Task (1)
- Persistence
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Scheduled Task/Job (1)
    - Scheduled Task (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Scheduled Task/Job (1)
    - Scheduled Task (1)
Downloads