Analysis
  max time kernel: 92s
  max time network: 139s
  platform: windows10-2004_x64
  resource: win10v2004-20250217-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 28/02/2025, 16:24
  Static task: static1
  Behavioral task: behavioral1
  Sample: ExcellentFree.exe
  Resource: win7-20240903-en
General
  Target: ExcellentFree.exe
  Size: 343KB
  MD5: 1dada3e7f8778a0ded097e5f07acce8f
  SHA1: 378904782a01e891084e8bf4a1972c747e74776d
  SHA256: 1b6d0960335318a18ad8ac01f336918fdd385bb1002a9c001652f028f31f04b7
  SHA512: 3f4ad9f710e2654a52b2bdf88b63b6c1eadacd424996fb397fe983734fe4e405761c0e79fb4ff0c15240ee52d2b98c5bffc55f9934645a8ee851ff00c2b3771a
  SSDEEP: 6144:k0mlj5Nx1eN0wPZoZgMM6V2A1swXSCjYh/MjQX4amGVpOrPMDNJLANeUz/A8:+55X0N0wP6njeUjQoxdP8J8NeUzY8
Malware Config
  Extracted family: xworm
  C2: all-advocacy.gl.at.ply.gg:33270
  Install_directory: %AppData%
  install_file: XClient.exe
Signatures

Detect Xworm Payload (2 IoCs)
  resource: behavioral2/files/0x000d000000023c07-4.dat, yara_rule: family_xworm
  resource: behavioral2/memory/2904-23-0x00000000006E0000-0x00000000006FA000-memory.dmp, yara_rule: family_xworm

Xworm family

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation
  Process: ExcellentFree.exe

Executes dropped EXE (2 IoCs)
  pid: 2904, Process: ExcellentDll.exe
  pid: 4668, Process: ExLoader.exe

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow: 24, ioc: ip-api.com

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: ExcellentFree.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege, pid: 2904, Process: ExcellentDll.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  PID 4640 wrote to memory of 2904 (ExcellentFree.exe, procid_target 87)
  PID 4640 wrote to memory of 2904 (ExcellentFree.exe, procid_target 87)
  PID 4640 wrote to memory of 4668 (ExcellentFree.exe, procid_target 88)
  PID 4640 wrote to memory of 4668 (ExcellentFree.exe, procid_target 88)
Processes

C:\Users\Admin\AppData\Local\Temp\ExcellentFree.exe  (command line: "C:\Users\Admin\AppData\Local\Temp\ExcellentFree.exe", PID 4640)
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\ExcellentDll.exe  (command line: "C:\Users\Admin\AppData\Local\Temp\ExcellentDll.exe", PID 2904, child of 4640)
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\ExLoader.exe  (command line: "C:\Users\Admin\AppData\Local\Temp\ExLoader.exe", PID 4668, child of 4640)
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads

  Filesize: 374KB
  MD5: 4183f8ec375a90742d38b1d69d136f92
  SHA1: a630ecdb41aaa0982fad2775dd6114d20a5e0081
  SHA256: ec8c87c21a99ec03772008304fe1a8a3261aa0beecafa7066c456069b66a33c6
  SHA512: 5c23e9cfdadb4de5d57130d6fead4b072ee3034554d8ba17b0d8935eac75f8986f9648ca225ea3c10757fe888cc049634872ee0278953906a735f5242d8ac060

  Filesize: 75KB
  MD5: c22d02b0ac43ede0572dac548ea3e166
  SHA1: 4ca1b4302e08886c1b3cc0ed533642bf48437b73
  SHA256: b4737189544333094a24e88e3f31bf0965dfdd41b1742225ac8206591fcc71ea
  SHA512: cbb500699155bfd6fb52698e7c49dc6618b1a1db18235a8ad5fc40d9ed5c62731d2c5fdc3c62052d2e66b5b649506f9d4f36b9d873446a0566e4a11f084093eb