Analysis
max time kernel: 120s
max time network: 142s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 10/03/2025, 02:06
Static task: static1
Behavioral task: behavioral1
Sample: 1be3f3449a4fbe09203249d212c1abe8aead0d3e3ad9c499f0c0e9aaa76f198a.exe
Resource: win7-20240903-en
General
Target: 1be3f3449a4fbe09203249d212c1abe8aead0d3e3ad9c499f0c0e9aaa76f198a.exe
Size: 295KB
MD5: 570bc151bf5d20eea56d4ad306344238
SHA1: 277af0f90afaa930f065b5d72a7fb06739031157
SHA256: 1be3f3449a4fbe09203249d212c1abe8aead0d3e3ad9c499f0c0e9aaa76f198a
SHA512: bb0671bf524a17130188a7790d29e89dba58900018ffa5b10d6945776e569e1dffad0c073ed9ab8abd2785509dc7e1fd78e4502b913e15762ffa7581f4458b4a
SSDEEP: 1536:qg8buvyxUMWFKVwVp8M+MZZ/cPRXjqV6jZXsWxRGQ/EuRTxcLgfBZN0wpfMgn8Es:qv66xUTGLL0hJ7bbAvDYkYjUar
Malware Config
Extracted
Family: xworm
Version: 5.0
C2: 185.7.214.108:4411
C2: 185.7.214.54:4411
Signatures

Detect Xworm Payload (7 IoCs)
resource  yara_rule
behavioral1/files/0x00080000000164de-14.dat  family_xworm
behavioral1/memory/1804-15-0x0000000000A60000-0x0000000000A70000-memory.dmp  family_xworm
behavioral1/memory/2700-31-0x0000000000400000-0x000000000040E000-memory.dmp  family_xworm
behavioral1/memory/2700-29-0x0000000000400000-0x000000000040E000-memory.dmp  family_xworm
behavioral1/memory/2700-27-0x0000000000400000-0x000000000040E000-memory.dmp  family_xworm
behavioral1/memory/2700-23-0x0000000000400000-0x000000000040E000-memory.dmp  family_xworm
behavioral1/memory/2700-21-0x0000000000400000-0x000000000040E000-memory.dmp  family_xworm

Xworm family

Suspicious use of SetThreadContext (1 IoC)
description  pid  Process  procid_target
PID 1804 set thread context of 2700  1804  1be3f3449a4fbe09203249d212c1abe8aead0d3e3ad9c499f0c0e9aaa76f198a.exe  33
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  1be3f3449a4fbe09203249d212c1abe8aead0d3e3ad9c499f0c0e9aaa76f198a.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  csc.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cvtres.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  MSBuild.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
description  pid  Process
Token: SeDebugPrivilege  2700  MSBuild.exe

Suspicious use of WriteProcessMemory (17 IoCs; identical rows collapsed, see count column)
description  pid  Process  procid_target  count
PID 1804 wrote to memory of 1216  1804  1be3f3449a4fbe09203249d212c1abe8aead0d3e3ad9c499f0c0e9aaa76f198a.exe  30  4
PID 1216 wrote to memory of 2352  1216  csc.exe  32  4
PID 1804 wrote to memory of 2700  1804  1be3f3449a4fbe09203249d212c1abe8aead0d3e3ad9c499f0c0e9aaa76f198a.exe  33  9
Processes
depth 1: C:\Users\Admin\AppData\Local\Temp\1be3f3449a4fbe09203249d212c1abe8aead0d3e3ad9c499f0c0e9aaa76f198a.exe  (PID 1804)
   command line: "C:\Users\Admin\AppData\Local\Temp\1be3f3449a4fbe09203249d212c1abe8aead0d3e3ad9c499f0c0e9aaa76f198a.exe"
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   depth 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  (PID 1216)
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bpe4jjqa\bpe4jjqa.cmdline"
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      depth 3: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe  (PID 2352)
         command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC227.tmp" "c:\Users\Admin\AppData\Local\Temp\bpe4jjqa\CSC6C5C28EE1EE4459584E8F118484CB850.TMP"
         - System Location Discovery: System Language Discovery
   depth 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  (PID 2700)
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
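Read together, the process tree and the SetThreadContext/WriteProcessMemory signatures are the classic process-hollowing sequence: the sample launches MSBuild.exe (PID 2700) with no arguments, writes into it nine times, and redirects its thread with SetThreadContext; the family_xworm YARA hits on the 2700 memory dumps at 0x400000 and the later SeDebugPrivilege request from PID 2700 show the injected code running. The csc.exe invocation reading a response file from %TEMP%, with cvtres.exe beneath it, is consistent with the .NET CodeDOM compiler (CSharpCodeProvider) being driven by the sample at run time. One caveat a detection has to respect: WriteProcessMemory from a parent into its child is not by itself the discriminator, since this very report shows csc.exe writing to the cvtres.exe it spawned during ordinary process creation; SetThreadContext on a freshly created, argument-less trusted binary is. The script below is an added example and not tria.ge's code or output: PROCESSES and EVENTS are transcribed by hand from the tables above into a simplified format of my own, and HOLLOW_HOSTS is an analyst-chosen list that the report does not state.

```python
"""Added example (not tria.ge code): flag the process-hollowing and
runtime-compilation pattern recorded in the report above.

PROCESSES and EVENTS are hand-transcribed from the report's process tree and
signature tables into a simplified format of my own; HOLLOW_HOSTS is an
analyst choice, not something the report states.
"""
from collections import Counter

DOTNET = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\1be3f3449a4fbe09203249d212c1abe8aead0d3e3ad9c499f0c0e9aaa76f198a.exe"

# pid -> (image path, parent pid, command line), from the report's process tree.
PROCESSES = {
    1804: (SAMPLE, None, '"' + SAMPLE + '"'),
    1216: (DOTNET + r"\csc.exe", 1804,
           '"' + DOTNET + r'\csc.exe" /noconfig /fullpaths @"' + TEMP + r'\bpe4jjqa\bpe4jjqa.cmdline"'),
    2352: (DOTNET + r"\cvtres.exe", 1216,
           DOTNET + r'\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:' + TEMP + r'\RESC227.tmp" "'
           + TEMP + r'\bpe4jjqa\CSC6C5C28EE1EE4459584E8F118484CB850.TMP"'),
    2700: (DOTNET + r"\MSBuild.exe", 1804, '"' + DOTNET + r'\MSBuild.exe"'),
}

# (api, caller pid, target), with the WriteProcessMemory counts the report gives.
EVENTS = (
    [("WriteProcessMemory", 1804, 1216)] * 4
    + [("WriteProcessMemory", 1216, 2352)] * 4
    + [("WriteProcessMemory", 1804, 2700)] * 9
    + [("SetThreadContext", 1804, 2700),
       ("AdjustPrivilegeToken", 2700, "SeDebugPrivilege")]
)

# Signed Microsoft .NET binaries commonly started suspended and overwritten by
# injectors (analyst-chosen; MSBuild.exe is the one this report shows).
HOLLOW_HOSTS = {"msbuild.exe", "regasm.exe", "regsvcs.exe", "installutil.exe", "aspnet_compiler.exe"}


def image_name(path):
    """Lower-cased file name of an image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def has_arguments(cmdline):
    """True if anything follows the (possibly quoted) executable token."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        rest = s[end + 1:] if end != -1 else ""
    else:
        parts = s.split(None, 1)
        rest = parts[1] if len(parts) > 1 else ""
    return bool(rest.strip())


def find_hollowing(processes, events):
    """Each SetThreadContext on a known process, scored by supporting evidence."""
    writes = Counter((src, dst) for api, src, dst in events if api == "WriteProcessMemory")
    debug = {src for api, src, dst in events if api == "AdjustPrivilegeToken" and dst == "SeDebugPrivilege"}
    findings = []
    for api, src, dst in events:
        if api != "SetThreadContext" or dst not in processes:
            continue
        image, parent, cmdline = processes[dst]
        name = image_name(image)
        reasons = ["SetThreadContext on pid %d (%s)" % (dst, name)]
        if parent == src:
            reasons.append("target is the injector's own child")
        if writes[(src, dst)]:
            reasons.append("%d WriteProcessMemory calls into target" % writes[(src, dst)])
        if name in HOLLOW_HOSTS:
            reasons.append("target is a Microsoft .NET host commonly used as a hollowing shell")
        if not has_arguments(cmdline):
            reasons.append("target launched with no arguments")
        if dst in debug:
            reasons.append("target later enabled SeDebugPrivilege (injected code is running)")
        findings.append({"injector": src, "target": dst, "target_image": name, "reasons": reasons})
    return findings


def find_runtime_compilation(processes):
    """csc.exe reading a response file from a temp directory: a run-time
    (CodeDOM-style) compile rather than an IDE or build-server invocation."""
    hits = []
    for pid, (image, parent, cmdline) in processes.items():
        if image_name(image) != "csc.exe":
            continue
        low = cmdline.lower()
        if '@"' in low and "\\appdata\\local\\temp\\" in low and ".cmdline" in low:
            pimg = image_name(processes[parent][0]) if parent in processes else None
            hits.append({"pid": pid, "parent": parent, "parent_image": pimg})
    return hits


def benign_child_writes(processes, events):
    """Parent->child WriteProcessMemory pairs with no SetThreadContext: what
    ordinary process creation looks like in this report (csc.exe -> cvtres.exe)."""
    ctx = {(s, d) for a, s, d in events if a == "SetThreadContext"}
    pairs = {(s, d) for a, s, d in events if a == "WriteProcessMemory"}
    return sorted(pairs - ctx)


if __name__ == "__main__":
    for f in find_hollowing(PROCESSES, EVENTS):
        print("HOLLOWING pid %d -> pid %d (%s)" % (f["injector"], f["target"], f["target_image"]))
        for r in f["reasons"]:
            print("   -", r)
    for h in find_runtime_compilation(PROCESSES):
        print("RUNTIME COMPILE csc.exe pid %d spawned by %s (pid %d)" % (h["pid"], h["parent_image"], h["parent"]))
    print("parent->child writes without SetThreadContext:", benign_child_writes(PROCESSES, EVENTS))
```

Run stand-alone it reports one hollowing finding (1804 into 2700, all six reasons), one run-time compile (csc.exe under the sample), and lists the two parent-to-child write pairs that carry no SetThreadContext and so are treated as ordinary process creation. The same logic ports directly to Sysmon (event 8 CreateRemoteThread / event 10 ProcessAccess with PROCESS_VM_WRITE and THREAD_SET_CONTEXT rights) once the events are normalised to the same (api, caller, target) shape.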
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: d2a229b6682d7132cb17145a9088da1d
  SHA1: ca19d7547fd88de64b8faf88ebf5bf9a702e48fd
  SHA256: 207c54ddc6ee4d56c96edbf14e53b90473fab9b3702a3a6832bbb2029380acad
  SHA512: ff3c5bfc19a124a3466dd7ba8eb329ba912ac51d12ef4a147feee3d9cc38a1a0bca966d43da7e0e22fd0c24868a2a6ec6e122c6584ca88ad5430980cf94f3fba
- Filesize: 41KB
  MD5: dc2239b97a7d007ee18eee65254fc4fd
  SHA1: 017d0b26474bf94f01c5ba44d1d48dbd9dfbb739
  SHA256: 8beeae6c69ebaeb2312b35ce2d873730531b8913ebce4112b6e63b33da5f01a3
  SHA512: 51de043fde27016e369ac114295499c7bef14fb2410279e89fe7bd2dc0ff723ee68ebda687f3afdcd73aa15e6ccb14f8d0fbeb1f4714140359f2f64453052fd3
- Filesize: 652B
  MD5: b935aeb1fb65a2bc415393e9c1de6498
  SHA1: ed45a8cc7059fa4963f1077374308334f926482c
  SHA256: 4011bd6228ddfbdbba1312d2352f4e34255545adf7de2bc7920b379f0ac6f973
  SHA512: 6f45e8c73ab70c2ca53f02810b0f35452a0484074fa035f82b5d1534c7bfce7c46176574659e5334d9000582fd02d9b9f2c288360fcfad176afa05145b32fdfd
- Filesize: 101KB
  MD5: fcb83d623452e1cafbc3b0ad5b3b5b73
  SHA1: abc26af231584f50ca2ae6de25d4c4764eaf7a9f
  SHA256: d4e8ff661b3125613fadc869675cf7c01909b4d64d06344ab2b632ab7ba1e4cc
  SHA512: 41a233e55bca274c0c3d2fe1c6474306cb17f273bc70e7b1224603b91d17314eb3709c2cbddf2e30d5caafb4b94eb18e8b7ea7d11b19612bf1b5fa80fa9dd3d8
- Filesize: 204B
  MD5: 0466caf94aea55c3f094acc25b022ec9
  SHA1: aa9d6d40330bdf5c2240514a857523aeecd1a6c3
  SHA256: dd444d6096d0bb494ec6c1286cb72d9e8f7fd27f1b221d3cb8b3d00ea9198e63
  SHA512: a3c92305e55a26dca7f52dc586742d3e6f31fe36ab30fb07d855d6daa8e5818a1ccdbfe148cbc8906f4ce28aabd89bb323c27f4c8b8d6049badfe4b5ecb574c9