Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

VelocitySu...ol.exe

windows7-x64

10

VelocitySu...ol.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    09/03/2025, 04:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    VelocitySupportTool.exe

  • Size

    10.1MB

  • MD5

    67462ee5d9b46994eeb4a4c17410a206

  • SHA1

    208514cd39b81476b31edbf2d56f6ef8e9e6870f

  • SHA256

    327e9385019706a31563b32a12a5cff31ca042078a0ccb8c9e668d1bd12a6497

  • SHA512

    ef551052fa54fdc2b7818f3dc6e6163a1301b413762ba69916347e3a4acfd2d9c3e878e732b66c05283f6c922f49a96a00bcd1655d7c2ba2ac363802efa78f94

  • SSDEEP

    196608:SgNsPPpW0RYeIeKkrAW4LQkhf+LYYlrlJQxSQcGKQ999uvqivV9CSxTcf7nL:RKhW0afk0ZLQkhfNYGdH999VivOYeLL

Score
10/10
xwormexecutionpersistencepyinstallerrattrojan

Malware Config

Extracted

Family

xworm

Attributes
  • Install_directory

    %port%

  • install_file

    USB.exe

  • pastebin_url

    https://pastebin.com/raw/k7RJ4RZQ

Extracted

Family

xworm

Version

5.0

Mutex

0PPzuWGEdxzyPz40

Attributes
  • Install_directory

    %AppData%

  • install_file

    svchost.exe

  • pastebin_url

    https://pastebin.com/raw/0AT3JnEx

aes.plain

Signatures

  • Detect Xworm Payload 5 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops startup file 2 IoCs
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Detects Pyinstaller 1 IoCs
    pyinstaller
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\VelocitySupportTool.exe
    "C:\Users\Admin\AppData\Local\Temp\VelocitySupportTool.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2340
    • C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe
      "C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1632
      • C:\Users\Admin\AppData\Roaming\VelocitySupportTools.exe
        "C:\Users\Admin\AppData\Roaming\VelocitySupportTools.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1376
      • C:\Users\Admin\AppData\Roaming\VelocityFix.exe
        "C:\Users\Admin\AppData\Roaming\VelocityFix.exe"
        3⤵
        • Drops startup file
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2812
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\VelocityFix.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2784
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'VelocityFix.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1272
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2808
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2636
        • C:\Windows\System32\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:2916
    • C:\Users\Admin\AppData\Roaming\VelocitySupport.exe
      "C:\Users\Admin\AppData\Roaming\VelocitySupport.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2828
      • C:\Users\Admin\AppData\Roaming\VelocitySupport.exe
        "C:\Users\Admin\AppData\Roaming\VelocitySupport.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:2308
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {341ED9A1-FCB8-4FAC-859E-E830B36CD62F} S-1-5-21-2703099537-420551529-3771253338-1000:XECUDNCD\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3208
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      C:\Users\Admin\AppData\Roaming\svchost.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3240
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      C:\Users\Admin\AppData\Roaming\svchost.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3640

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_MEI28282\python313.dll
    Filesize

    5.8MB

    MD5

    501080884bed38cb8801a307c9d7b7b4

    SHA1

    881b250cc8f4fa4f75111ac557a4fde8e1e217af

    SHA256

    bf68cf819a1e865170430c10e91c18b427aef88db1da1742020443864aa2b749

    SHA512

    63d74a4871d1c72c2a79ae8a5d380070f9d2128c16949c3ad36c9862fcc4dab738137ed3d51caf0bc46b36655f8bd8a2d425d68200123415ee8d4de0e1cbebc9

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    a572e1de73460e3578a1aa4019663cc5

    SHA1

    3bd07dc8d51c0b110ac5f88d702593d880235aa0

    SHA256

    40160c26ff7aad6830d39337f7056298c0dd067d3e8ce71caa04f2b96060cd7c

    SHA512

    c88342bbb5d0f3b680bd09a8885417d4dcad181ade78747dff6575ba14ea3ee9ac5933ebff4a4fd996a55dc6f60b09b9676b0ef656bf8bddb2bfe8da647fe20d

    Download Submit

  • C:\Users\Admin\AppData\Roaming\VelocityFix.exe
    Filesize

    39KB

    MD5

    53bfc0f8986b70724e4823f47241f6aa

    SHA1

    62e79122cea2f27e6f093fa484e5aa7795088ccc

    SHA256

    9286f18acfd1a8277f23da9a1079b571587c9bd5f28dbcff51845b933595426c

    SHA512

    5abbfbcc2e5cff491f4d213f4b83047f50e1de77d67631d510c7b540965c5f03a7611a0f1e79479d3a05a1e2f05fee6180b47ececc96c78f2e38ee5fa06430f2

    Download Submit

  • C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe
    Filesize

    250KB

    MD5

    1904b43012a89c4ec5b3c82c7f7e313e

    SHA1

    3b0eedb1ba0bff205b9d099dd355091229007d04

    SHA256

    1446224da9810c06e7336730dab3811c39c8d1d4b200c4e7d568b1440b432f61

    SHA512

    c37e6bba9776516201c28367dcb541ac108a1def13d72eaf311800710c854a794835b7b92075e3b5d61ff3c500e1446004479065e418e3cb0dfb41963123a06e

    Download Submit

  • C:\Users\Admin\AppData\Roaming\VelocitySupportTools.exe
    Filesize

    103KB

    MD5

    3d47fe184f91ceb1bd0d4c213da5ebfa

    SHA1

    05ca3411a2b89f0c7884024f48b51e7574862992

    SHA256

    f0879c8017351b9cebbb546ea14f323ddb777cd97e435bb2de904ac28aa8525f

    SHA512

    1975ed404e30d674806a8209982cf5c81ec7b057178e5597195ca89d79406ddc1edcd25a3e6098e74ac5ce220e9a9975cb2bcbff4d2de8abfa7952c1902ff256

    Download Submit

  • \Users\Admin\AppData\Roaming\VelocitySupport.exe
    Filesize

    9.8MB

    MD5

    38c4223ac857cb56e3014d33c2062d05

    SHA1

    d32150012ab49dad1f1c7ad3b68b2e3c483f81f5

    SHA256

    cbcb51837d0ebd8fcae0dfa61ba516c103c34ca56a0aef400a2d14e9610cb43e

    SHA512

    f000154ce3e2fb06fc98d1cf8d867996c0fc2747aefc24a7d091a13443316396e24080aafffdb048de1b37ab360265afe7cee31ab07c7eb246e293b50c0edfa7

    Download Submit

  • memory/1272-982-0x000000001B600000-0x000000001B8E2000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/1272-983-0x0000000002000000-0x0000000002008000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1376-20-0x0000000000970000-0x0000000000990000-memory.dmp

    Filesize

    128KB

    Download

  • memory/1632-23-0x000007FEF57F0000-0x000007FEF61DC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1632-7-0x0000000000350000-0x0000000000394000-memory.dmp

    Filesize

    272KB

    Download

  • memory/2340-0-0x000007FEF57F3000-0x000007FEF57F4000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2340-1-0x0000000000A90000-0x00000000014A4000-memory.dmp

    Filesize

    10.1MB

    Download

  • memory/2784-975-0x000000001B500000-0x000000001B7E2000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2784-976-0x0000000002810000-0x0000000002818000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2812-21-0x00000000000C0000-0x00000000000D0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3240-1942-0x0000000000F80000-0x0000000000F90000-memory.dmp

    Filesize

    64KB

    Download