Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

EC.exe

windows10-2004-x64

10

EC.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    127s
  • max time network
    135s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250218-en
  • resource tags

    arch:x64arch:x86image:win11-20250218-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    09/03/2025, 12:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    EC.exe

  • Size

    606KB

  • MD5

    a360792e294edd8b69a58abf9792e0ab

  • SHA1

    92d7bf026f2690e0955ad40a06450478e2a2169f

  • SHA256

    e1969f5cf0a443b9d7416122f6a93da6847abe2a6f098c4088cc93aa0ff54324

  • SHA512

    991fa53dbede43a38acf1d1ddf575add1e26cd78b5ae517ca68148e5f3d8087b0261695744482ba2f6f30fcdad7be6b555bae5ae73ed07f099a55e11bda26cb7

  • SSDEEP

    12288:ylebH7ETMiQU1mTUBF8YcjXuQwYVl6ai/emTUBjO3AWQlOrRFR:ylM7Ezv8YczuQTlFi/eQmO3AGrRFR

Score
10/10
xwormrattrojan

Malware Config

Extracted

Family

xworm

C2

2.58.56.237:53

Attributes
  • Install_directory

    %AppData%

  • install_file

    Svhost.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Executes dropped EXE 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 56 IoCs
  • Suspicious use of SendNotifyMessage 54 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\EC.exe
    "C:\Users\Admin\AppData\Local\Temp\EC.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2284
    • C:\Users\Admin\AppData\Roaming\XClient.exe
      "C:\Users\Admin\AppData\Roaming\XClient.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3060
    • C:\Users\Admin\AppData\Roaming\Cheat-Made-by-Covllld;).exe
      "C:\Users\Admin\AppData\Roaming\Cheat-Made-by-Covllld;).exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: GetForegroundWindowSpam
      PID:1100
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --string-annotations --always-read-main-dll --field-trial-handle=4412,i,15097001321230888692,16543789583043501740,262144 --variations-seed-version --mojo-platform-channel-handle=3316 /prefetch:14
    1⤵
      PID:1484
    • C:\Windows\system32\BackgroundTransferHost.exe
      "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
      1⤵
      • Modifies registry class
      PID:1544
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /0
      1⤵
      • Checks SCSI registry key(s)
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:5084
      • C:\Windows\system32\svchost.exe
        "C:\Windows\system32\svchost.exe"
        2⤵
          PID:3036
        • C:\Windows\system32\wininit.exe
          "C:\Windows\system32\wininit.exe"
          2⤵
            PID:1008
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --string-annotations --always-read-main-dll --field-trial-handle=3344,i,15097001321230888692,16543789583043501740,262144 --variations-seed-version --mojo-platform-channel-handle=4280 /prefetch:14
          1⤵
            PID:2580

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\de11d060-2a00-427b-b7ae-bf83545d81d8.down_data
            Filesize

            555KB

            MD5

            5683c0028832cae4ef93ca39c8ac5029

            SHA1

            248755e4e1db552e0b6f8651b04ca6d1b31a86fb

            SHA256

            855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

            SHA512

            aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Cheat-Made-by-Covllld;).exe
            Filesize

            520KB

            MD5

            51a539469ad26aa790469eda6863133b

            SHA1

            b8b3101384192da1d2a4a4475bbddd67a487b621

            SHA256

            3d09d48543c6b5ec47551237974af3de97528c8f5223f23a93830c0f4f8d7971

            SHA512

            29b7cd9823a97f2587c4fd54119fcb536daa68c74a5a0bd16d00d96921a43833f4c66146202509d8e9cd5ce48e62e7a8af2ad8b346794e14083460fed42ab9df

            Download Submit

          • C:\Users\Admin\AppData\Roaming\XClient.exe
            Filesize

            72KB

            MD5

            2c5da7d66b8db9b983dd5ee0e1b40bd6

            SHA1

            3c10875859a68bbef32c93035ac54a7cd9bd44ff

            SHA256

            ba633233cd70a59416eede6d0036f89fc8ebcbe14f2079076ccf78749f9de087

            SHA512

            f06f47540e0d2404aae7605926b4bec68b7f3f45cf4d77e4aa141632eadcdbd2a6517c64f97842f772a9a8cb5a3283e245992e8085c931935cb3f92aabb44686

            Download Submit

          • memory/2284-0-0x00007FFAA5493000-0x00007FFAA5495000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2284-1-0x0000000000860000-0x00000000008FE000-memory.dmp

            Filesize

            632KB

            Download

          • memory/3060-22-0x0000000000940000-0x0000000000958000-memory.dmp

            Filesize

            96KB

            Download

          • memory/3060-23-0x00007FFAA5490000-0x00007FFAA5F52000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/3060-24-0x00007FFAA5490000-0x00007FFAA5F52000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/5084-32-0x000001C8D8660000-0x000001C8D8661000-memory.dmp

            Filesize

            4KB

            Download

          • memory/5084-31-0x000001C8D8660000-0x000001C8D8661000-memory.dmp

            Filesize

            4KB

            Download

          • memory/5084-33-0x000001C8D8660000-0x000001C8D8661000-memory.dmp

            Filesize

            4KB

            Download

          • memory/5084-39-0x000001C8D8660000-0x000001C8D8661000-memory.dmp

            Filesize

            4KB

            Download

          • memory/5084-37-0x000001C8D8660000-0x000001C8D8661000-memory.dmp

            Filesize

            4KB

            Download

          • memory/5084-38-0x000001C8D8660000-0x000001C8D8661000-memory.dmp

            Filesize

            4KB

            Download

          • memory/5084-43-0x000001C8D8660000-0x000001C8D8661000-memory.dmp

            Filesize

            4KB

            Download

          • memory/5084-42-0x000001C8D8660000-0x000001C8D8661000-memory.dmp

            Filesize

            4KB

            Download

          • memory/5084-41-0x000001C8D8660000-0x000001C8D8661000-memory.dmp

            Filesize

            4KB

            Download

          • memory/5084-40-0x000001C8D8660000-0x000001C8D8661000-memory.dmp

            Filesize

            4KB

            Download