Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
22s -
max time network
24s -
platform
windows11-21h2_x64 -
resource
win11-20250218-en -
resource tags
arch:x64arch:x86image:win11-20250218-enlocale:en-usos:windows11-21h2-x64system -
submitted
01/03/2025, 00:00
General
-
Target
Vmenu3.0.exe
-
Size
342KB
-
MD5
0ec2dd747aeeea47c1ded810d53944eb
-
SHA1
4dcc433eced401ae8ba0e96c6fd70296ae346093
-
SHA256
4fb3dd32a2120a0647add978ff93345f3116be9cb17c3640420ab0d8abd798bc
-
SHA512
c467826697415c97d5e57e3ae6b16746393eb02a859989c86386495b73b7f463c71e49043fc1d22bda36dca75319b3847345aca8141650655002b03a934fdb3c
-
SSDEEP
6144:rwWb4Jm7gw+GIIIIIIIhIIIIIIIIIIIIIIIU:Im7gT
Malware Config
Extracted
Family
xworm
C2
operates-vampire.with.playit.plus:4353
Attributes
-
Install_directory
%LocalAppData%
-
install_file
XClient2.0.exe
Signatures
-
Detect Xworm Payload 1 IoCs
resource yara_rule behavioral1/memory/2568-1-0x0000000000380000-0x00000000003DC000-memory.dmp family_xworm -
Xworm family
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 1 ip-api.com -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2568 Vmenu3.0.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Vmenu3.0.exe"C:\Users\Admin\AppData\Local\Temp\Vmenu3.0.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2568
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --string-annotations --always-read-main-dll --field-trial-handle=3820,i,5616534977014849087,11887380551757527862,262144 --variations-seed-version --mojo-platform-channel-handle=4048 /prefetch:141⤵PID:4040