Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
147s -
max time network
151s -
platform
windows11-21h2_x64 -
resource
win11-20250217-en -
resource tags
arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system -
submitted
28/02/2025, 22:20
Static task
static1
General
-
Target
WindowsApp1.exe
-
Size
429KB
-
MD5
de84c2f70e940254c6f20374914f16c3
-
SHA1
da89ceb8dd760c9942f169a54be41253b5ae82e0
-
SHA256
e483ad11aa647df963c7656b5b8f086224d99c64e6effd57048866221a812ede
-
SHA512
ee289749f6e3ae35dbc500508c7eeb479d42e1e8b8521bbeafca98132b0f11695577f601d01159f3f56ebfbcba0a7d53425e840791151735e06d8ed7ffd16108
-
SSDEEP
12288:9pcgpEbHeW+pgHXp2lfY1Aq32fNuHgtss26qv:9pv4H6g3klhfqwss26
Malware Config
Extracted
xworm
5.0
paul-nw.gl.at.ply.gg:51413
AVvzTAnLyW8qQCcO
-
Install_directory
%AppData%
-
install_file
kev.exe
Signatures
-
Detect Xworm Payload 2 IoCs
resource yara_rule behavioral1/files/0x001c00000002ae55-14.dat family_xworm behavioral1/memory/4304-23-0x0000000000F00000-0x0000000000F10000-memory.dmp family_xworm -
Xworm family
-
Executes dropped EXE 1 IoCs
pid Process 4304 .exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 1 ip-api.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 132 WindowsApp1.exe Token: SeDebugPrivilege 4304 .exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 132 wrote to memory of 4304 132 WindowsApp1.exe 82 PID 132 wrote to memory of 4304 132 WindowsApp1.exe 82
Processes
-
C:\Users\Admin\AppData\Local\Temp\WindowsApp1.exe"C:\Users\Admin\AppData\Local\Temp\WindowsApp1.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:132 -
C:\Users\Admin\AppData\Local\Temp\.exe"C:\Users\Admin\AppData\Local\Temp\.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4304
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
37KB
MD501f86862e5a3fab03f886eb19089da95
SHA18749ecbbac9f911deaee8d5530ef644ca0270258
SHA256ecfb4e772dd3be3c70e2833558b53c9352466ef193694a32a2a6e4926d810d81
SHA512c03771ab0e115c95c2af29f1ec3e331e90bac38074bd1eeda741a6e9f4f93d7cf55dd2a6354219886e50055730c10a363f264eeadcb2c06a1fd06a3670e41a86