Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

cffb99ed02...c0.exe

windows7-x64

10

cffb99ed02...c0.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    10/03/2025, 02:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cffb99ed02ab35145c3ddc5e66f7f24b58d1a0e7714475f0370f71b9c51603c0.exe

  • Size

    1.1MB

  • MD5

    c55c58e7938f01efa7800a4f3a649610

  • SHA1

    ca995f8eee73f04bc8f5f3e8fc4bd470a8020524

  • SHA256

    cffb99ed02ab35145c3ddc5e66f7f24b58d1a0e7714475f0370f71b9c51603c0

  • SHA512

    1a8dc3ae6e86b8da13b8aab1743859c41b21d94f7c384a60d7bf7653f42d60717f84770b337c58438ddbe5e399cd37cee94ca013ca06d3979358bdba28439ed8

  • SSDEEP

    24576:21qZoJIBlbtSwSu+BKDCIKAn0xHGVk2dkwbMy56yleaixn+mfiPhr8vg8/Bq:BWIpskZqGDRMMl2xn3iS7/o

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:7777

door-predict.gl.at.ply.gg:7777
Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cffb99ed02ab35145c3ddc5e66f7f24b58d1a0e7714475f0370f71b9c51603c0.exe
    "C:\Users\Admin\AppData\Local\Temp\cffb99ed02ab35145c3ddc5e66f7f24b58d1a0e7714475f0370f71b9c51603c0.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3044
    • C:\Users\Admin\AppData\Local\Temp\fatality.exe
      "C:\Users\Admin\AppData\Local\Temp\fatality.exe"
      2⤵
      • Executes dropped EXE
      PID:1480
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\security.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2312
    • C:\Users\Admin\AppData\Local\Temp\security.exe
      "C:\Users\Admin\AppData\Local\Temp\security.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2324

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\fatality.exe
    Filesize

    2.0MB

    MD5

    b5ae62edbf81a0dec30fedcc6d136245

    SHA1

    9f89cca56f20cb73503e068f5bb115fdda0cf272

    SHA256

    5cd7137393dddb5cd41a55429871f443dcf6c2791eeaaade4fdb43f7a07c8865

    SHA512

    3e525757ca541897e3766f73e53f21ac4ba1147ee33cc5df2117131808de8e6a3c576d8799e22dc3c76afe163102cc8517a3834388c1f06365e892a389166cc7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\security.exe
    Filesize

    63KB

    MD5

    f329b3a2d6b8a4688e82ffe1c491b2ab

    SHA1

    d06cab7d0ce6970807574569f4a3896ddd3d9ee7

    SHA256

    e8b6648a1f94b9a9ea1d67db82812f08f5aaa7fd220d5574ba7e9e14dbcb06a0

    SHA512

    cdc3056d11cfa9f34beee2a83dd861074076fec47e9b8a30a0e01eb92ee0ccca6b8376d58e578c15de720e5ea745da9fddbd3b0380995b237ad21a4dc1651dc6

    Download Submit

  • memory/2312-12-0x000000001B720000-0x000000001BA02000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2312-13-0x0000000001F80000-0x0000000001F88000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2324-19-0x00000000009B0000-0x00000000009C6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3044-0-0x000007FEF5F13000-0x000007FEF5F14000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3044-1-0x000000013F0A0000-0x000000013F1C2000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/3044-6-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/3044-20-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp

    Filesize

    9.9MB

    Download