Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

q2e132qweertgd.exe

windows7-x64

10

q2e132qweertgd.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    09/03/2025, 10:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    q2e132qweertgd.exe

  • Size

    54KB

  • MD5

    ce936711c2d764e67a57275d6d7b309c

  • SHA1

    df21d4952edb1d1e14153080fbe23a367e07660e

  • SHA256

    b6b4f3d76be11cba85b433e54f37181dc669422de50b3f9db049196d96e241c2

  • SHA512

    0f8c4e69b175df6cc9783d77741d0ceb5d578d8e738bebebcb9cad283ac933a49a90a6d4d61cd31c25193a1b4bf7d3ead83782ab8e2b30220bbeecaa8e5405d9

  • SSDEEP

    1536:7tp3RNRjAp+2hw1iKvkb9FAB/VOm4y3kn:7tp3RsGNvkb9UNOm43n

Score
10/10
xwormdiscoveryransomwarerattrojan

Malware Config

Extracted

Family

xworm

Attributes
  • pastebin_url

    https://pastebin.com/raw/64jXYT6E

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 28 IoCs
    adwarespyware
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\q2e132qweertgd.exe
    "C:\Users\Admin\AppData\Local\Temp\q2e132qweertgd.exe"
    1⤵
    • Sets desktop wallpaper using registry
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2420
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\How To Decrypt My Files.html
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2100
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2100 CREDAT:275457 /prefetch:2
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2756

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize

    71KB

    MD5

    83142242e97b8953c386f988aa694e4a

    SHA1

    833ed12fc15b356136dcdd27c61a50f59c5c7d50

    SHA256

    d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

    SHA512

    bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    57e9d662d228b47ed70a5e83f79db5b4

    SHA1

    6a096b8df629c0bfc7fe2c0bdaa51aa4b6b5822a

    SHA256

    eafec8f7d5c8e2563b86dae849d8533ce64cdf1e8db4ceedea44d1c0e4af8f90

    SHA512

    87155b1fa80b6fc1ad35123e68fffb1a5aaec20d221c7465143f83f54ea51fa7bf70d117043e2e9589ba7dca8de887739d5fcff2da6bb63fcbf4a258c792002b

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    7ee163055ff0202f2c41def303fcfcc8

    SHA1

    42af6e71eb8c5f2c1a094c7fb705b2dedef30efd

    SHA256

    c723377903b1b05fcc80373f336a692107d90975306b67fff98991ebf96249da

    SHA512

    68a5a0325cf0a8dadbf43dfffb63e209739e60eef7c8630bd1812b4ff98cdf25061dbfac71f37514133362bbff6ef6a1020d397f09eb0a64df8df545136f955d

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    4ee6cee5fda2c2a70dc5e1aa056cb747

    SHA1

    337accb185525993c4101ab086d4fad3d80f4ae9

    SHA256

    a74c257acb7a4e275819d5aeaef875f263009f6511fd20a6f1819cb0ffad9476

    SHA512

    b0f364c4fd0c39229ef13fe112e80026ee4bbc79a3e98c0c31c899fc506456b5450ba74d7902e759700cd390aa2b120ef2ffeb0c623c8d8ed41c2944329329be

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    92fe1da67d0f43ba46ac7a5d1994ca69

    SHA1

    604c50e74f5870b4bbd519d8088fd208fc4ff280

    SHA256

    ff223a432bec98dc5a763e1a0f522274e8e31404ec1c093b84ea47acca750513

    SHA512

    5b7618ce6fbd7b5bb2c18f35f47b5852578bc68aa6f9a04c6d038a0072f7941a668d66f2428ca0c7bc4aa689553a984f3c7d8e0be1aee27d0f1475863949dd7d

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    0e50487354be9e9b72e3c339e6d7f3eb

    SHA1

    36518cff1e8d92330b715d34c43292418bfe1b61

    SHA256

    3a27c052e5b551c0e71188f558477f9889fee1751c02509f7367542317a6fc31

    SHA512

    80cb38c826eb32b7f7a8581ca096ec7b14b19362f0b5ef2a956ce2895005b391da1c928c42a03458ac143417b98de013cdee21755c0f24a7766a2005d2ce530f

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    ecbcad93534b1c4af92cd4143502f70e

    SHA1

    f2223af71cae45c5714111008c76c02e5814bf81

    SHA256

    a5a45f6a7a20eb6bdaf7c7493397e80be565f6576c930788bdafdec850cd35c7

    SHA512

    bfa505247eb48bbff17bc002a5a75d9942146f0804251510a126e65c7c5255caf9eafa4faf99413a21533cd9c9ff7204b4fe715e08d1f0549c9557f2694e5fe3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\CabE208.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\TarE2DA.tmp
    Filesize

    183KB

    MD5

    109cab5505f5e065b63d01361467a83b

    SHA1

    4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

    SHA256

    ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

    SHA512

    753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

    Download Submit

  • C:\Users\Admin\Desktop\How To Decrypt My Files.html
    Filesize

    664B

    MD5

    d33bc4fe1d860aa7e0d7ae732024a57d

    SHA1

    9667801c9eeda0bf85d5966ed357827c758cb3bb

    SHA256

    70fe57e0a61a310b2ded214e22676ba9e2f1282358966fc9c814eaa030401e9c

    SHA512

    85c74331876f06549d96194b0c551731ee4bb04f43d7d33f0b67867f5ba23570f8406e660e5449b99cfd7d34eccea602a1555ee98fa2969c467295b7a1392ecc

    Download Submit

  • C:\Users\Admin\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms.ENC
    Filesize

    16B

    MD5

    a315a618ca6af3ca9b043fdf40eda8b0

    SHA1

    2da72d5e6980b61338002205295e7a948464c1b6

    SHA256

    e0a56741d0d6c62de1f2ab7cc7f8065d652755154126f33880001f3524bf10ce

    SHA512

    de945896043f9f312c8c544ddb171ba980603ccc049385e024fc057be47b4f9ad5329dcc5c03a8196dce3298a7915e15e39fcec5b0f289c15cba2065699516c0

    Download Submit

  • memory/2420-0-0x000007FEF5F13000-0x000007FEF5F14000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2420-166-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2420-5-0x00000000021B0000-0x00000000021BC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2420-4-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2420-3-0x000007FEF5F13000-0x000007FEF5F14000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2420-2-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2420-1-0x00000000009C0000-0x00000000009D4000-memory.dmp

    Filesize

    80KB

    Download

  • memory/2420-645-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp

    Filesize

    9.9MB

    Download