Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

WizWorm v4...rm.exe

windows7-x64

10

WizWorm v4...rm.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    08/03/2025, 18:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    WizWorm v4/WizWorm.exe

  • Size

    14.3MB

  • MD5

    0d7b4b1882f63bdd50b95c566d71ae14

  • SHA1

    fd44458018d9ba5beee8a67b7f22bb5c6e1f850d

  • SHA256

    4a095cf379d66c7123416fec489a8ef6b767fec71959e13714127d6c3bb41c06

  • SHA512

    97ad65c805be31d1d530077b4736ff4c844c51a2d4550e856933f08a328e4c74ecef7e22040a27e9a03509170c4bc780e26b0389cb57385d5217f56d68a7aeda

  • SSDEEP

    393216:q3vfM+4csPWDxmpDz05h8HpCLemOEkHh1og2CrVJCmvT:q3vfM+4cVm25hspRmIAWvH

Score
10/10
xwormrattrojan

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:5552

Mutex

X5iNfowLQbIX3fc7

Attributes
  • install_file

    USB.exe

aes.plain

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Executes dropped EXE 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 47 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
    defense_evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\WizWorm v4\WizWorm.exe
    "C:\Users\Admin\AppData\Local\Temp\WizWorm v4\WizWorm.exe"
    1⤵
    • Drops file in Windows directory
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2724
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fr1pt0lc\fr1pt0lc.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:376
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES55BE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCDF2E0E033054A8CA86CC7EF493A6FDA.TMP"
        3⤵
          PID:1296
    • C:\Windows\system32\wbem\WmiApSrv.exe
      C:\Windows\system32\wbem\WmiApSrv.exe
      1⤵
        PID:2796
      • C:\Users\Admin\Desktop\WizClient.exe
        "C:\Users\Admin\Desktop\WizClient.exe"
        1⤵
        • Executes dropped EXE
        • Modifies system certificate store
        • Suspicious use of AdjustPrivilegeToken
        PID:2356

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\RES55BE.tmp
        Filesize

        1KB

        MD5

        a1b97014d45ac960d4b0ecd902bee090

        SHA1

        059dd924867d48d636028d419268b8d72e5d2420

        SHA256

        d423ce6bf5417bc0fbb0a598648b6915b16ae03349ee36791da5b92aba9727fc

        SHA512

        ec275e61b02304796873c9e9938231596619d21aab8794514112c85e39182ab8aa0af1f2b67402cba5c908ca3e1794a8c7a51506f2a6b2466b2c1297771edd27

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\fr1pt0lc\fr1pt0lc.0.vb
        Filesize

        73KB

        MD5

        3526da543f0ec0823257c95bea29e856

        SHA1

        7dc19d9b2a77e8480a084b36af53cff765bce2f3

        SHA256

        f679ac7c997e3c09905e9a2605cae6983b410d7af814e42f4e0f50e1c6bedc1d

        SHA512

        5523055176bb193f25cbd32486ad7b5fc3d689ab9bb264e6c4fd4043b5c50d24669b0163968949456cff79f8ae3f6baf9683a04e16d9015bfc9fc839bfb0ab40

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\fr1pt0lc\fr1pt0lc.cmdline
        Filesize

        292B

        MD5

        90936564d915e55fc6dce4d511c0c0e3

        SHA1

        d8ee4d21bded71a90fc5eef7e2967fd71730beb0

        SHA256

        7afcc872a23c47b7cbe74ae3d69c3815a5f560e4b10cdc45f22c2d971693dba1

        SHA512

        9a87e897e771f4e72ce9d63b484114f0eab0a3b80f20e4e935e84379cfb597edaf4fead03bf25e4e092ee3c7cddfb3806068d21b90508704177ae3bbe7e86b36

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\vbcCDF2E0E033054A8CA86CC7EF493A6FDA.TMP
        Filesize

        1KB

        MD5

        85d473aaafaeafa39833a0adf1902ab4

        SHA1

        fd63bebbbbcc47d55520acc72548f78e8d6c4784

        SHA256

        9a8f53996a1dd339db9f03cf68a73abb1a80a7b09c2afc0a9f72b243a44256fb

        SHA512

        e6807073fffb95411365ee03fdaab041e7c91955361576e732595396f7b78606982bb4ac48e17a76d0f3812a125bb1e0aa9b3634e64d17eb0f336681246ea8d6

        Download Submit

      • C:\Users\Admin\Desktop\WizClient.exe
        Filesize

        30KB

        MD5

        c633277b60486103bc90b4372eef426c

        SHA1

        f4ebf09c04332b00feba34a3cfd7727a94f7d38f

        SHA256

        48866729fa1055d083d5a64bc20e563f4183dfe57cea586a9b417dd199089350

        SHA512

        4224de6db323d03e683dede6b4335ef6885f64faf6898e74a3118e6cd4e759d185fd97097b5f6556d733378dd7ded2dbfc6ed004378ca1fd815ddc72861558d4

        Download Submit

      • memory/2356-46-0x0000000000C20000-0x0000000000C2A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/2356-45-0x0000000000A80000-0x0000000000A8C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/2356-39-0x0000000000D90000-0x0000000000D9E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2724-9-0x0000000021440000-0x00000000214EA000-memory.dmp

        Filesize

        680KB

        Download

      • memory/2724-8-0x000007FEF5630000-0x000007FEF601C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2724-12-0x000007FEF5630000-0x000007FEF601C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2724-13-0x000007FEF5630000-0x000007FEF601C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2724-16-0x000007FEF5630000-0x000007FEF601C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2724-17-0x000007FEF5630000-0x000007FEF601C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2724-18-0x000007FEF5630000-0x000007FEF601C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2724-19-0x0000000044FE0000-0x0000000044FF0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2724-20-0x0000000022100000-0x0000000022268000-memory.dmp

        Filesize

        1.4MB

        Download

      • memory/2724-10-0x000007FEF5633000-0x000007FEF5634000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2724-0-0x000007FEF5633000-0x000007FEF5634000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2724-11-0x000007FEF5630000-0x000007FEF601C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2724-5-0x000000001D8C0000-0x000000001DAB4000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/2724-4-0x0000000000AA0000-0x0000000000AFC000-memory.dmp

        Filesize

        368KB

        Download

      • memory/2724-36-0x000007FEF5630000-0x000007FEF601C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2724-37-0x000007FEF5630000-0x000007FEF601C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2724-3-0x000000001C150000-0x000000001D342000-memory.dmp

        Filesize

        17.9MB

        Download

      • memory/2724-40-0x000000001BD00000-0x000000001BD2C000-memory.dmp

        Filesize

        176KB

        Download

      • memory/2724-41-0x0000000047070000-0x0000000047352000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/2724-42-0x0000000045020000-0x00000000450A2000-memory.dmp

        Filesize

        520KB

        Download

      • memory/2724-2-0x000007FEF5630000-0x000007FEF601C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2724-1-0x0000000000D90000-0x0000000001BEE000-memory.dmp

        Filesize

        14.4MB

        Download