Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
03/02/2025, 14:36
General
-
Target
Xworm-V5.6/Xworm V5.6.exe
-
Size
14.9MB
-
MD5
56ccb739926a725e78a7acf9af52c4bb
-
SHA1
5b01b90137871c3c8f0d04f510c4d56b23932cbc
-
SHA256
90f58865f265722ab007abb25074b3fc4916e927402552c6be17ef9afac96405
-
SHA512
2fee662bc4a1a36ce7328b23f991fa4a383b628839e403d6eb6a9533084b17699a6c939509867a86e803aafef2f9def98fa9305b576dad754aa7f599920c19a1
-
SSDEEP
196608:P4/BAe1d4ihvy85JhhYc3BSL1kehn4inje:PuyIhhkRka4i
Malware Config
Extracted
xworm
5.0
10.127.0.95:7000
P02q8rr8DvKsToRM
-
install_file
USB.exe
Signatures
-
Detect Xworm Payload 3 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Executes dropped EXE 1 IoCs
-
Uses the VBS compiler for execution 1 TTPs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 6 IoCs
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Modifies registry class 57 IoCs
-
Suspicious behavior: EnumeratesProcesses 32 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 27 IoCs
-
Suspicious use of SendNotifyMessage 25 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Xworm-V5.6\Xworm V5.6.exe"C:\Users\Admin\AppData\Local\Temp\Xworm-V5.6\Xworm V5.6.exe"1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\erlfecrw\erlfecrw.cmdline"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES63A7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1F245C886D174EC2854EA75BCCEFAD8.TMP"3⤵
-
-
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x308 0x4241⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\ipconfig.exeipconfig2⤵
- Gathers network information
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Downloads\XClient.exe"C:\Users\Admin\Downloads\XClient.exe"1⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\How To Decrypt My Files.html2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff8270d46f8,0x7ff8270d4708,0x7ff8270d47183⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,16092609106682725650,17971491839018002118,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:23⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,16092609106682725650,17971491839018002118,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,16092609106682725650,17971491839018002118,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2640 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16092609106682725650,17971491839018002118,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16092609106682725650,17971491839018002118,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,16092609106682725650,17971491839018002118,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5100 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,16092609106682725650,17971491839018002118,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5100 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16092609106682725650,17971491839018002118,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16092609106682725650,17971491839018002118,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16092609106682725650,17971491839018002118,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16092609106682725650,17971491839018002118,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16092609106682725650,17971491839018002118,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3756 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16092609106682725650,17971491839018002118,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3544 /prefetch:13⤵
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5f426165d1e5f7df1b7a3758c306cd4ae
SHA159ef728fbbb5c4197600f61daec48556fec651c1
SHA256b68dfc21866d0abe5c75d70acc54670421fa9b26baf98af852768676a901b841
SHA5128d437fcb85acb0705bf080141e7a021740901248985a76299ea8c43e46ad78fb88c738322cf302f6a550caa5e79d85b36827e9b329b1094521b17cf638c015b6
-
Filesize
152B
MD56960857d16aadfa79d36df8ebbf0e423
SHA1e1db43bd478274366621a8c6497e270d46c6ed4f
SHA256f40b812ce44e391423eb66602ac0af138a1e948aa8c4116045fef671ef21cd32
SHA5126deb2a63055a643759dd0ae125fb2f68ec04a443dbf8b066a812b42352bbcfa4517382ed0910c190c986a864559c3453c772e153ee2e9432fb2de2e1e49ca7fe
-
Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
Filesize
6KB
MD5c1b6ffdc4d8b971abe3804e19f5371b2
SHA10d0a3e792add2bd07b8947592fa12fcaef208c09
SHA256cdb314b4ae6eea45648d3cab6e3783af23b12836e5943a54688ab9b44364834d
SHA512918f7c09dc9e2ef3583e6ebee3e4b8464c8379e9f923f7c8f76247614b729943bd5e4b82d5f257b71be899ff621d297748be090585f0cb3ff009d961fdddb43b
-
Filesize
6KB
MD54ea77a84ab291b2589fb7a568e9eab32
SHA1efc6750051de3ad3c093f3e8be84009c572cc20d
SHA2566288d81ee90d62afed9c76b2f57b7f0eac70b125c4447269811f5f85c8a56161
SHA512c9510bedc2c7ae4970bce0f13b292ab1b857adaf5c2ca8d150991a2e81e689bc6d5a0f9ba8d5e27dec995f8b14c7e6bcc1045fd6bc0b7f0d12cfdc45664fe8bf
-
Filesize
5KB
MD5515c84586b5a27ecc578e8b5c72b3272
SHA174b28a9ceb6ceff8f229bb436678af66bb974cde
SHA2563ac550fee9e51efe9b9dc4458a5299c7e72b4daf6c94b0002d9bcefa8a1746f1
SHA512c577e9462abc7d80cd88da2f2a2427555ff6a99f7390186ce3a63c000c1a7c2d61c448963b6d9c2df2f5c902934ce6de992d1527dc8d68561eb7b180f294b280
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD58f0e8ece5b149aa5a5962e5fa68d44e8
SHA1686e60adc335a4355d02e3e841f0387ab8cb2895
SHA2568a0d88c1d4ef119121ba8389a13797f92915eb6dd1aca789f0bc6a26487626ce
SHA512d6f8325a2d436c14e0426f242221864eb6f998133be84a4612460c8d2c0b8c01440b40fa930bbf92b4e61a6b67e541b243e02218ee0563bd25cdcd976f83bbc7
-
Filesize
10KB
MD539fde644c79fb9fbac8537ea6a71a1c6
SHA1d466de3c653559fb69c2a360578845ff9a309879
SHA25697676473512752ee7a1825633ee5e603699adce1929d5a4f5d7ca45bf0ee421f
SHA5125f61da73444dc808e1b5d005644c08df6209302ee7c94befd30360eabd5f85a556d2720440b285994e5a9ec5fd6a5c22262ef98d1fbb90a890d5207bf646a34e
-
Filesize
1KB
MD53f51399ac5debe7a464d5816adab187d
SHA116fd143b948c0f7edc4d8acb5f58cbdec5d0ceab
SHA25686c98d51ba567ce217c9672b91aefccfa85493c4d4e6fb395303159df39d3657
SHA512da47a613026f17fe63faef670c51b845f0ea4f9448edcd898aec8e7e4ee1d404ad063d1a656a16981703759d364783948e55015b3dde62b3abc0bd0abda3e153
-
Filesize
78KB
MD5a1416839dbe9e15ca7a394a4e5c0e8f1
SHA1ad75b5c0e62c22abdf3f989ca21ca5ecc7eb799a
SHA256596637136400b208a9082b3847859f824529048291af5f25bc81e468437d738a
SHA512b54a66b4215aba3191d8c1d44022bfcd424f6989d7127d3bdc5a6b12b504c66c0bba6d960aec96210b34387c57830361729f03f48317462d760f478221da3b4f
-
Filesize
292B
MD5ee2360e1f7427298361695dd5ec40234
SHA1ccc8a84e9f3204b514518da166f7d9622383263f
SHA2567a4aa862d11562a37f39a6caa7b6570366eb45a7cb9bb266996ca6ecf57d9788
SHA512d456ade8288a023ca80458083878fdd362d248361184d79b12bade72266af777b3b1f689ca20c3ea627a67493ec07ce83603e4ce3bac5a55b5368fe64c4b5400
-
Filesize
1KB
MD5d40c58bd46211e4ffcbfbdfac7c2bb69
SHA1c5cf88224acc284a4e81bd612369f0e39f3ac604
SHA25601902f1903d080c6632ae2209136e8e713e9fd408db4621ae21246b65bfea2ca
SHA51248b14748e86b7d92a3ea18f29caf1d7b4b2e1de75377012378d146575048a2531d2e5aaeae1abf2d322d06146177cdbf0c2940ac023efae007b9f235f18e2c68
-
Filesize
639B
MD5d2dbbc3383add4cbd9ba8e1e35872552
SHA1020abbc821b2fe22c4b2a89d413d382e48770b6f
SHA2565ca82cbc4d582a4a425ae328ad12fd198095e2854f4f87b27a4b09e91173a3be
SHA512bb5e1bbf28c10c077644136b98d8d02bfec3b3e49c0829b4d4570b30e0aea0276eb748f749a491587a5e70141a7653be1d03c463a22e44efecde2e5a6c6e5e66
-
Filesize
32KB
MD5a66f2aa21b0edb4daa093b5ecc488b46
SHA108ffad76c3598c8d8421adcf789ec4b71c5b86b3
SHA25613f6227a8c32e5d5798f402760127eaa9c7e79a833921a12ec57f443e29ef316
SHA51298e984859f3a0efd534d276ec6d449df4afeb8d030903a9e2bc6fb4f137b1e689cbf386affacbdc69180dbc729b74d837ee5b9bf7617b95609493bdfadc1561e
-
Filesize
16B
MD55cf7e4e8b879e040c712d3174699516e
SHA12b71b1909f32ece45b1ba55cde5d62d9739fd64c
SHA256068793f821868d5a010b77eff6ce226528bc3f76379beb83cdd941e9b14271dd
SHA512abda005ec559cfbc13577aac8253a3e9f4940c636ca4916c3d2ee4be5e4b3f924523e50c0dbfc856f51ae2a91b1cff3cf59c5d4b3bfda5f2ad8545291c1bc08c
-
Filesize
56KB
-
Filesize
48KB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
2.9MB
-
Filesize
520KB
-
Filesize
8KB
-
Filesize
1.4MB
-
Filesize
712KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
176KB
-
Filesize
10.8MB
-
Filesize
2.0MB
-
Filesize
10.8MB
-
Filesize
14.9MB