Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    09/03/2025, 04:09

General

  • Target

    VelocitySupportTool.exe

  • Size

    10.1MB

  • MD5

    67462ee5d9b46994eeb4a4c17410a206

  • SHA1

    208514cd39b81476b31edbf2d56f6ef8e9e6870f

  • SHA256

    327e9385019706a31563b32a12a5cff31ca042078a0ccb8c9e668d1bd12a6497

  • SHA512

    ef551052fa54fdc2b7818f3dc6e6163a1301b413762ba69916347e3a4acfd2d9c3e878e732b66c05283f6c922f49a96a00bcd1655d7c2ba2ac363802efa78f94

  • SSDEEP

    196608:SgNsPPpW0RYeIeKkrAW4LQkhf+LYYlrlJQxSQcGKQ999uvqivV9CSxTcf7nL:RKhW0afk0ZLQkhfNYGdH999VivOYeLL

Malware Config

Extracted

Family

xworm

Attributes
  • Install_directory

    %port%

  • install_file

    USB.exe

  • pastebin_url

    https://pastebin.com/raw/k7RJ4RZQ

Extracted

Family

xworm

Version

5.0

Mutex

0PPzuWGEdxzyPz40

Attributes
  • Install_directory

    %AppData%

  • install_file

    svchost.exe

  • pastebin_url

    https://pastebin.com/raw/0AT3JnEx

aes.plain

Signatures

  • Detect Xworm Payload 5 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 8 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Detects Pyinstaller 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\VelocitySupportTool.exe
    "C:\Users\Admin\AppData\Local\Temp\VelocitySupportTool.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2036
    • C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe
      "C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2704
      • C:\Users\Admin\AppData\Roaming\VelocitySupportTools.exe
        "C:\Users\Admin\AppData\Roaming\VelocitySupportTools.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2664
      • C:\Users\Admin\AppData\Roaming\VelocityFix.exe
        "C:\Users\Admin\AppData\Roaming\VelocityFix.exe"
        3⤵
        • Drops startup file
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2628
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\VelocityFix.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2776
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'VelocityFix.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2644
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:320
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2272
        • C:\Windows\System32\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:2080
    • C:\Users\Admin\AppData\Roaming\VelocitySupport.exe
      "C:\Users\Admin\AppData\Roaming\VelocitySupport.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1764
      • C:\Users\Admin\AppData\Roaming\VelocitySupport.exe
        "C:\Users\Admin\AppData\Roaming\VelocitySupport.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:1612
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {389CBD12-0EF5-4806-BCB3-281C4E66E6A2} S-1-5-21-3533259084-2542256011-65585152-1000:XPAJOTIY\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1980
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      C:\Users\Admin\AppData\Roaming\svchost.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2712
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      C:\Users\Admin\AppData\Roaming\svchost.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2424
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      C:\Users\Admin\AppData\Roaming\svchost.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2540

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_MEI17642\python313.dll

    Filesize

    5.8MB

    MD5

    501080884bed38cb8801a307c9d7b7b4

    SHA1

    881b250cc8f4fa4f75111ac557a4fde8e1e217af

    SHA256

    bf68cf819a1e865170430c10e91c18b427aef88db1da1742020443864aa2b749

    SHA512

    63d74a4871d1c72c2a79ae8a5d380070f9d2128c16949c3ad36c9862fcc4dab738137ed3d51caf0bc46b36655f8bd8a2d425d68200123415ee8d4de0e1cbebc9

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    7KB

    MD5

    2dd18644cce725061c81ab8d2726519d

    SHA1

    b7fdecb490517386596424986cf2df1b08106fca

    SHA256

    5d3e9b12f7f81ad1bcd9d96a5504fa7e66c75026defd43a490b9ef7992293590

    SHA512

    0fcd96866e38d30b9b9656890caed46e0020924b9809425c07d6ee2377ae2445746ba19eeeb2a6c0e32527054a8d60b255b4ebaa8f3bb1ea06e9d0f45635b348

  • C:\Users\Admin\AppData\Roaming\VelocityFix.exe

    Filesize

    39KB

    MD5

    53bfc0f8986b70724e4823f47241f6aa

    SHA1

    62e79122cea2f27e6f093fa484e5aa7795088ccc

    SHA256

    9286f18acfd1a8277f23da9a1079b571587c9bd5f28dbcff51845b933595426c

    SHA512

    5abbfbcc2e5cff491f4d213f4b83047f50e1de77d67631d510c7b540965c5f03a7611a0f1e79479d3a05a1e2f05fee6180b47ececc96c78f2e38ee5fa06430f2

  • C:\Users\Admin\AppData\Roaming\VelocitySupportTool.exe

    Filesize

    250KB

    MD5

    1904b43012a89c4ec5b3c82c7f7e313e

    SHA1

    3b0eedb1ba0bff205b9d099dd355091229007d04

    SHA256

    1446224da9810c06e7336730dab3811c39c8d1d4b200c4e7d568b1440b432f61

    SHA512

    c37e6bba9776516201c28367dcb541ac108a1def13d72eaf311800710c854a794835b7b92075e3b5d61ff3c500e1446004479065e418e3cb0dfb41963123a06e

  • C:\Users\Admin\AppData\Roaming\VelocitySupportTools.exe

    Filesize

    103KB

    MD5

    3d47fe184f91ceb1bd0d4c213da5ebfa

    SHA1

    05ca3411a2b89f0c7884024f48b51e7574862992

    SHA256

    f0879c8017351b9cebbb546ea14f323ddb777cd97e435bb2de904ac28aa8525f

    SHA512

    1975ed404e30d674806a8209982cf5c81ec7b057178e5597195ca89d79406ddc1edcd25a3e6098e74ac5ce220e9a9975cb2bcbff4d2de8abfa7952c1902ff256

  • \Users\Admin\AppData\Roaming\VelocitySupport.exe

    Filesize

    9.8MB

    MD5

    38c4223ac857cb56e3014d33c2062d05

    SHA1

    d32150012ab49dad1f1c7ad3b68b2e3c483f81f5

    SHA256

    cbcb51837d0ebd8fcae0dfa61ba516c103c34ca56a0aef400a2d14e9610cb43e

    SHA512

    f000154ce3e2fb06fc98d1cf8d867996c0fc2747aefc24a7d091a13443316396e24080aafffdb048de1b37ab360265afe7cee31ab07c7eb246e293b50c0edfa7

  • memory/2036-1-0x0000000000AD0000-0x00000000014E4000-memory.dmp

    Filesize

    10.1MB

  • memory/2036-0-0x000007FEF5233000-0x000007FEF5234000-memory.dmp

    Filesize

    4KB

  • memory/2628-19-0x0000000000BE0000-0x0000000000BF0000-memory.dmp

    Filesize

    64KB

  • memory/2644-982-0x000000001B610000-0x000000001B8F2000-memory.dmp

    Filesize

    2.9MB

  • memory/2644-983-0x0000000002040000-0x0000000002048000-memory.dmp

    Filesize

    32KB

  • memory/2664-20-0x0000000000FD0000-0x0000000000FF0000-memory.dmp

    Filesize

    128KB

  • memory/2704-18-0x000007FEF5230000-0x000007FEF5C1C000-memory.dmp

    Filesize

    9.9MB

  • memory/2704-7-0x00000000008C0000-0x0000000000904000-memory.dmp

    Filesize

    272KB

  • memory/2712-1942-0x00000000012A0000-0x00000000012B0000-memory.dmp

    Filesize

    64KB

  • memory/2776-975-0x000000001B7B0000-0x000000001BA92000-memory.dmp

    Filesize

    2.9MB

  • memory/2776-976-0x0000000001E60000-0x0000000001E68000-memory.dmp

    Filesize

    32KB