Analysis

  • max time kernel
    50s
  • max time network
    49s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08/03/2025, 22:57

General

  • Target

    VuxaSpoofer.exe

  • Size

    3.6MB

  • MD5

    d4473f64014380bd2f087935d01e4cf4

  • SHA1

    39d009e253008ed76a65c76bcd55010b016638c1

  • SHA256

    7ad235452a11f0343fcf1def524d04800e591b13e40188cc1cf5be37e9628f36

  • SHA512

    27865bf8b587ee2b5da590ff72a510702591e52c2d8e377cf90b44e2a602ae5a6f605231506cbd65b41fa7c28df332e08aeca3fbb6ee0aea9c33540179e3ed34

  • SSDEEP

    98304:GLYNYcvh7hfw9An9todOS5J+ZkvtnpKLiFqI8wM/4v:GLw1hFfwMrQOS5fVnpKGFm/K

Malware Config

Extracted

Family

xworm

C2

front-cad.gl.at.ply.gg:36514

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\VuxaSpoofer.exe
    "C:\Users\Admin\AppData\Local\Temp\VuxaSpoofer.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:884
    • C:\Users\Admin\AppData\Roaming\Paid.exe
      "C:\Users\Admin\AppData\Roaming\Paid.exe"
      2⤵
      • Executes dropped EXE
      PID:2024
    • C:\Users\Admin\AppData\Roaming\Connect.exe
      "C:\Users\Admin\AppData\Roaming\Connect.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3728
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4680
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff40b046f8,0x7fff40b04708,0x7fff40b04718
      2⤵
      PID:4964
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,12944809666354819482,6917536855156520238,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
      2⤵
      PID:220
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,12944809666354819482,6917536855156520238,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2464 /prefetch:3
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1568
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,12944809666354819482,6917536855156520238,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2712 /prefetch:8
      2⤵
      PID:692
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,12944809666354819482,6917536855156520238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
      2⤵
      PID:3180
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,12944809666354819482,6917536855156520238,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
      2⤵
      PID:1532
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,12944809666354819482,6917536855156520238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
      2⤵
      PID:2964
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,12944809666354819482,6917536855156520238,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4900 /prefetch:1
      2⤵
      PID:4420
    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,12944809666354819482,6917536855156520238,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5412 /prefetch:8
      2⤵
      PID:2768
    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,12944809666354819482,6917536855156520238,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5412 /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:4028
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,12944809666354819482,6917536855156520238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4064 /prefetch:1
      2⤵
      PID:2624
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,12944809666354819482,6917536855156520238,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3532 /prefetch:1
      2⤵
      PID:3908
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,12944809666354819482,6917536855156520238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
      2⤵
      PID:5284
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:2920
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:4936

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize: 152B
    MD5: 0621e31d12b6e16ab28de3e74462a4ce
    SHA1: 0af6f056aff6edbbc961676656d8045cbe1be12b
    SHA256: 1fd3365fdb49f26471ce9e348ce54c9bc7b66230118302b32074029d88fb6030
    SHA512: bf0aa5b97023e19013d01abd3387d074cdd5b57f98ec4b0241058b39f9255a7bbab296dce8617f3368601a3d751a6a66dc207d8dd3fc1cba9cac5f98e3127f6f

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize: 152B
    MD5: 56361f50f0ee63ef0ea7c91d0c8b847a
    SHA1: 35227c31259df7a652efb6486b2251c4ee4b43fc
    SHA256: 7660beecfee70d695225795558f521c3fb2b01571c224b373d202760b02055c0
    SHA512: 94582035220d2a78dfea9dd3377bec3f4a1a1c82255b3b74f4e313f56eb2f7b089e36af9fceea9aa83b7c81432622c3c7f900008a1bdb6b1cd12c4073ae4b8a2

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 6KB
    MD5: 00853a79e560fa08ef5272ed73cfb11b
    SHA1: a0ca685f8c14750b365524ba4709458ce61319a5
    SHA256: a0e8f0581fbbc1aeabd8c6a484a72a3ce68b4fdc1fa2725256fa8f3b181eff32
    SHA512: 074fdb24397b5290ae0966513b0706af43562cf4e229d5bccea4dedd240e35717c92dc5161db23dfc06b8ff88997512de59f3ef0053c53593748a364729b1304

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 5KB
    MD5: 4879bb19080fa943b8e1ca0a5d3877c9
    SHA1: f240c66c6efdf4f046885fbcc54ced72dbcbe2df
    SHA256: 722bec0ebea163e8439d3639bb06bffa690de14642bda2e32a24f8a33cc902f4
    SHA512: 5caf555a081be6db3dc45761a1aebf0368755efa4dfe979cf4a659d5c76973d3df95c1f02feceda9491d3277f4e1e5065c6752d5ef39a0340ab65d4ba8b72440

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
    Filesize: 16B
    MD5: 6752a1d65b201c13b62ea44016eb221f
    SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
    SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
    SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
    Filesize: 11KB
    MD5: 1386beb889273b5a962868ad3c39a5be
    SHA1: e9d16541588b113c005028ce28c764fd131e5da2
    SHA256: bd58054c5466c461ca36c8d99f06d88761b6e56f8ea2d5dad3c2b863e34d8557
    SHA512: 7e944259f095c20e01c75b474e4bd5cdeec12f91f6751cf10526c337d1f8110edb72aea930ab210eb40ec2dd3ea77e0ff980d71aba61df01baa5025edbf7ce1e

  • C:\Users\Admin\AppData\Roaming\Connect.exe
    Filesize: 89KB
    MD5: 580f966bca64e1838138589efb274ec3
    SHA1: d4c22ee1fe9a76fa0f51c1e4d885116b831b9a57
    SHA256: dba6845453995506c8bfcb417c0fbf741d07bb0484927167d1510f0bb3862686
    SHA512: 0f06f9f31cd9c5140e8a39324cdced94f4da866ec0a7fa39c4f87808aa551460de173413afea7ffe45775100cb4d4cdea8080448bdf25f47a3a1bf309751c090

  • C:\Users\Admin\AppData\Roaming\Paid.exe
    Filesize: 3.5MB
    MD5: 849e6926ec1d2ad952623ff4905b869b
    SHA1: 4e567998c13dec2ef1f07b2cbf6d642bc1f2468b
    SHA256: 09e8cbc8a6f433619866af77be8ee91c36ebb49aedac1de6f153d47d71e4ff26
    SHA512: adc24c827245e4b159c7b219d0eddbea6b70039ec83bdf4169bc94d0f4701c249c82a17e553e401d9f62e8dd73d72d5877d86544c1c34b27428a3e206d584fd2

  • memory/884-0-0x00007FFF40953000-0x00007FFF40955000-memory.dmp
    Filesize: 8KB

  • memory/884-1-0x0000000000440000-0x00000000007DA000-memory.dmp
    Filesize: 3.6MB

  • memory/3728-24-0x00007FFF40950000-0x00007FFF41411000-memory.dmp
    Filesize: 10.8MB

  • memory/3728-23-0x00007FFF40950000-0x00007FFF41411000-memory.dmp
    Filesize: 10.8MB

  • memory/3728-22-0x0000000000A40000-0x0000000000A5C000-memory.dmp
    Filesize: 112KB