Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
-
submitted
09/03/2025, 04:05
General
-
Target
VelocitySupportTool.exe
-
Size
10.1MB
-
MD5
67462ee5d9b46994eeb4a4c17410a206
-
SHA1
208514cd39b81476b31edbf2d56f6ef8e9e6870f
-
SHA256
327e9385019706a31563b32a12a5cff31ca042078a0ccb8c9e668d1bd12a6497
-
SHA512
ef551052fa54fdc2b7818f3dc6e6163a1301b413762ba69916347e3a4acfd2d9c3e878e732b66c05283f6c922f49a96a00bcd1655d7c2ba2ac363802efa78f94
-
SSDEEP
196608:SgNsPPpW0RYeIeKkrAW4LQkhf+LYYlrlJQxSQcGKQ999uvqivV9CSxTcf7nL:RKhW0afk0ZLQkhfNYGdH999VivOYeLL
Malware Config
Extracted
xworm
5.0
0PPzuWGEdxzyPz40
-
Install_directory
%AppData%
-
install_file
svchost.exe
-
pastebin_url
https://pastebin.com/raw/0AT3JnEx
Extracted
xworm
-
Install_directory
%port%
-
install_file
USB.exe
-
pastebin_url
https://pastebin.com/raw/k7RJ4RZQ
Signatures
-
Detect Xworm Payload 4 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 7 IoCs
-
Loads dropped DLL 8 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Detects Pyinstaller 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 13 IoCs
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 20 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\VelocitySupportTool.exe"C:\Users\Admin\AppData\Local\Temp\VelocitySupportTool.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe"C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\VelocitySupportTools.exe"C:\Users\Admin\AppData\Roaming\VelocitySupportTools.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Roaming\VelocityFix.exe"C:\Users\Admin\AppData\Roaming\VelocityFix.exe"3⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\VelocityFix.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'VelocityFix.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
-
C:\Users\Admin\AppData\Roaming\VelocitySupport.exe"C:\Users\Admin\AppData\Roaming\VelocitySupport.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\VelocitySupport.exe"C:\Users\Admin\AppData\Roaming\VelocitySupport.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
C:\Users\Admin\AppData\Roaming\svchost.exeC:\Users\Admin\AppData\Roaming\svchost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\svchost.exeC:\Users\Admin\AppData\Roaming\svchost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
654B
MD52ff39f6c7249774be85fd60a8f9a245e
SHA1684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA5121d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD577d622bb1a5b250869a3238b9bc1402b
SHA1d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9
-
Filesize
944B
MD5ba169f4dcbbf147fe78ef0061a95e83b
SHA192a571a6eef49fff666e0f62a3545bcd1cdcda67
SHA2565ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1
SHA5128d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c
-
Filesize
944B
MD5d7ffb133db0265ed6ea822452200baad
SHA17645c6456be00e61ac8f64b2d2d70e7d1bb787ac
SHA25689b73bb1dbe8fe5e028ed96158f5ae418b1e89856e70df2ddf10b1064cd0e029
SHA512d8892187b0141ec137aec1419a20ddfef0732cabf9b38c5c30e9291d92d3f6321b728d420524e2cb1dde4551312c668288926b514ed0b0faeb04842ff6433685
-
Filesize
117KB
MD5862f820c3251e4ca6fc0ac00e4092239
SHA1ef96d84b253041b090c243594f90938e9a487a9a
SHA25636585912e5eaf83ba9fea0631534f690ccdc2d7ba91537166fe53e56c221e153
SHA5122f8a0f11bccc3a8cb99637deeda0158240df0885a230f38bb7f21257c659f05646c6b61e993f87e0877f6ba06b347ddd1fc45d5c44bc4e309ef75ed882b82e4e
-
Filesize
84KB
MD5057325e89b4db46e6b18a52d1a691caa
SHA18eab0897d679e223aa0d753f6d3d2119f4d72230
SHA2565ba872caa7fcee0f4fb81c6e0201ceed9bd92a3624f16828dd316144d292a869
SHA5126bc7606869ca871b7ee5f2d43ec52ed295fa5c3a7df31dbd7e955ddb98c0748aff58d67f09d82edcde9d727e662d1550c6a9cf82f9cb7be021159d4b410e7cbc
-
Filesize
155KB
MD53e73bc69efb418e76d38be5857a77027
SHA17bee01096669caa7bec81cdc77d6bb2f2346608c
SHA2566f48e7eba363cb67f3465a6c91b5872454b44fc30b82710dfa4a4489270ce95c
SHA512b6850e764c8849058488f7051dcabff096709b002d2f427a49e83455838d62a9d3fc7b65285702de2b995858ed433e35a0c4da93c2d5ae34684bf624eb59fa6a
-
Filesize
66KB
MD5653b8194cafca1902f451fdd2563b770
SHA1701497c55588a9c2d63a3eb16651dd22d47140c2
SHA2566edeccc758733e44edaeff20e403ede9a782335f7bd80975697547087c32c5cc
SHA512671286359096a454338d1c371e576f24c6ae1eb6cbfbf7ddc0044dd2dc5d14f6aa0044c8112512839f6857eb70bcb98544b149b16392ca9ce09d207134644ccd
-
Filesize
5.8MB
MD5501080884bed38cb8801a307c9d7b7b4
SHA1881b250cc8f4fa4f75111ac557a4fde8e1e217af
SHA256bf68cf819a1e865170430c10e91c18b427aef88db1da1742020443864aa2b749
SHA51263d74a4871d1c72c2a79ae8a5d380070f9d2128c16949c3ad36c9862fcc4dab738137ed3d51caf0bc46b36655f8bd8a2d425d68200123415ee8d4de0e1cbebc9
-
Filesize
1.8MB
MD53688caba94d9a1dc124df80aef41ac47
SHA166b314fc54b1d2475bfb655facacf8a8d6eacfed
SHA25631560ca3b0eec014013405e9652b9261824232883749f0461d7d4e5f7faea3ab
SHA512f3cd68e26f008b27370bd5222b6dafd8bb5f312a885db4e2f8f6502a719403263412f2aa7c8451b4ab7c59e674e3746710ce5a3c3c09f0cdb0266f82f226e9f4
-
Filesize
1.5MB
MD5d379810228b51c2571d9071eed3286b8
SHA1a643cda1683168e27a209b397d0eea7bc14c5103
SHA25634d402f3d6a237aac1165a010016ac032e0ae1a86dcfa03dda49ebfc0af40cad
SHA512f195c4d38f3e1d6853efae68ef50a2d3e70fc0f3840aa9aa2c1cddaec6a311e60cd86fc84dcdf0d4febf4d0e94bb89238c1408c5781302bbfaeafc613e10084a
-
Filesize
144KB
MD5de2e3379deeacbe476b9ee8ddeac7ffe
SHA1b112c267f5a6e3d06809896708d9ef9f7c118462
SHA25694675de9234f00e75c73e4973f8fb49a272a1df8003337205cd1b15fb642a168
SHA5120dbe2d131f41258c81e931bbc459051b26de488030a0ad20cb1d2d8ce8cce0a1ddd17a7049a2878368d7e535428bdc6c7886265f43be27fbc6aeed784080c93b
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
39KB
MD553bfc0f8986b70724e4823f47241f6aa
SHA162e79122cea2f27e6f093fa484e5aa7795088ccc
SHA2569286f18acfd1a8277f23da9a1079b571587c9bd5f28dbcff51845b933595426c
SHA5125abbfbcc2e5cff491f4d213f4b83047f50e1de77d67631d510c7b540965c5f03a7611a0f1e79479d3a05a1e2f05fee6180b47ececc96c78f2e38ee5fa06430f2
-
Filesize
9.8MB
MD538c4223ac857cb56e3014d33c2062d05
SHA1d32150012ab49dad1f1c7ad3b68b2e3c483f81f5
SHA256cbcb51837d0ebd8fcae0dfa61ba516c103c34ca56a0aef400a2d14e9610cb43e
SHA512f000154ce3e2fb06fc98d1cf8d867996c0fc2747aefc24a7d091a13443316396e24080aafffdb048de1b37ab360265afe7cee31ab07c7eb246e293b50c0edfa7
-
Filesize
250KB
MD51904b43012a89c4ec5b3c82c7f7e313e
SHA13b0eedb1ba0bff205b9d099dd355091229007d04
SHA2561446224da9810c06e7336730dab3811c39c8d1d4b200c4e7d568b1440b432f61
SHA512c37e6bba9776516201c28367dcb541ac108a1def13d72eaf311800710c854a794835b7b92075e3b5d61ff3c500e1446004479065e418e3cb0dfb41963123a06e
-
Filesize
103KB
MD53d47fe184f91ceb1bd0d4c213da5ebfa
SHA105ca3411a2b89f0c7884024f48b51e7574862992
SHA256f0879c8017351b9cebbb546ea14f323ddb777cd97e435bb2de904ac28aa8525f
SHA5121975ed404e30d674806a8209982cf5c81ec7b057178e5597195ca89d79406ddc1edcd25a3e6098e74ac5ce220e9a9975cb2bcbff4d2de8abfa7952c1902ff256
-
Filesize
136KB
-
Filesize
8KB
-
Filesize
10.1MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
272KB
-
Filesize
128KB
-
Filesize
64KB
-
Filesize
48KB
-
Filesize
164KB