Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
121s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
28/02/2025, 22:24
Static task
static1
Behavioral task
behavioral1
Sample
WindowsApp1.exe
Resource
win7-20240903-en
General
-
Target
WindowsApp1.exe
-
Size
118KB
-
MD5
0d19cad630767b9be69693ffa5c614da
-
SHA1
0a72a3d355e094bdc16f03dc9cc660e6031342b9
-
SHA256
376256408781bf18394e524a1c52b34bcb375289c13c75678069fa57cac0b6a8
-
SHA512
70854128254cea8bd233d2930f7fd285609a44997b96e326aee19b89defa3971bf70ffe4c8647ec207003aa88ec4186feca25383e707a9f85aa4988d082365e7
-
SSDEEP
1536:sQowX7LgxGY+lzyUFYEu5J/1JfSUoVZYYhyn/WR1z9P5PG7O4mRT+VsYs:leGY+lpk1SUoNEsv
Malware Config
Extracted
xworm
5.0
paul-nw.gl.at.ply.gg:51413
AVvzTAnLyW8qQCcO
-
Install_directory
%AppData%
-
install_file
kev.exe
Signatures
-
Detect Xworm Payload 2 IoCs
resource yara_rule behavioral1/files/0x00080000000120ff-5.dat family_xworm behavioral1/memory/2644-9-0x0000000000810000-0x0000000000820000-memory.dmp family_xworm -
Xworm family
-
Executes dropped EXE 1 IoCs
pid Process 2644 .exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 ip-api.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2644 .exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2624 wrote to memory of 2644 2624 WindowsApp1.exe 30 PID 2624 wrote to memory of 2644 2624 WindowsApp1.exe 30 PID 2624 wrote to memory of 2644 2624 WindowsApp1.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\WindowsApp1.exe"C:\Users\Admin\AppData\Local\Temp\WindowsApp1.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Users\Admin\AppData\Local\Temp\.exe"C:\Users\Admin\AppData\Local\Temp\.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2644
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
37KB
MD501f86862e5a3fab03f886eb19089da95
SHA18749ecbbac9f911deaee8d5530ef644ca0270258
SHA256ecfb4e772dd3be3c70e2833558b53c9352466ef193694a32a2a6e4926d810d81
SHA512c03771ab0e115c95c2af29f1ec3e331e90bac38074bd1eeda741a6e9f4f93d7cf55dd2a6354219886e50055730c10a363f264eeadcb2c06a1fd06a3670e41a86