Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

neverlose ...te.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    102s
  • max time network
    100s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250217-en
  • resource tags

    arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    01/03/2025, 08:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    neverlose crack by waite.exe

  • Size

    17.8MB

  • MD5

    328a0860e1f40bc15be694a240b21348

  • SHA1

    a215baba2d1c8b3ccd8330eb7803483597067b58

  • SHA256

    351dd177e0a45db020ef0adc9cf1e31e74357c955107ca608edb07b9817353a1

  • SHA512

    4c4752697ca93b5dc28c60ff3c32f3fcb7f77b05e2d5c8e3f4ca1f1bdbe06dd8af385aafd17e450290f02944f875855a4a4d976b0a34653f9aba221ae935d542

  • SSDEEP

    1536:KqGrHEv1Om9VnhVlvIlBSPAeDbTvREEwhkDfFq6MzOFfs4ZKIhB4Yiw:LG7YBfhVV9AsbTvuvhkDgOFfk8B+w

Score
10/10
xwormrattrojan

Malware Config

Extracted

Family

xworm

C2

very-stars.gl.at.ply.gg:23028

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    system64.exe

  • telegram

    https://api.telegram.org/bot7592133817:AAFoMe-c16pn4My7-EODEINEZeWZ2Milavo/sendMessage?chat_id=6723354517

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 37 IoCs
  • Suspicious use of SendNotifyMessage 37 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\neverlose crack by waite.exe
    "C:\Users\Admin\AppData\Local\Temp\neverlose crack by waite.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3520
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /0
    1⤵
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2336
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:2076
    • C:\Users\Admin\AppData\Local\Temp\neverlose crack by waite.exe
      "C:\Users\Admin\AppData\Local\Temp\neverlose crack by waite.exe"
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1004

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2336-15-0x000001CC0F290000-0x000001CC0F291000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2336-12-0x000001CC0F290000-0x000001CC0F291000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2336-11-0x000001CC0F290000-0x000001CC0F291000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2336-10-0x000001CC0F290000-0x000001CC0F291000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2336-4-0x000001CC0F290000-0x000001CC0F291000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2336-6-0x000001CC0F290000-0x000001CC0F291000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2336-16-0x000001CC0F290000-0x000001CC0F291000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2336-5-0x000001CC0F290000-0x000001CC0F291000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2336-13-0x000001CC0F290000-0x000001CC0F291000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2336-14-0x000001CC0F290000-0x000001CC0F291000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3520-0-0x00007FF9CF4D3000-0x00007FF9CF4D5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3520-1-0x00000000001C0000-0x00000000001F2000-memory.dmp

      Filesize

      200KB

      Download

    • memory/3520-3-0x00007FF9CF4D0000-0x00007FF9CFF92000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3520-2-0x00007FF9CF4D0000-0x00007FF9CFF92000-memory.dmp

      Filesize

      10.8MB

      Download