Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
118s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
10/03/2025, 02:53
Static task
static1
Behavioral task
behavioral1
Sample
cffb99ed02ab35145c3ddc5e66f7f24b58d1a0e7714475f0370f71b9c51603c0.exe
Resource
win7-20241010-en
General
-
Target
cffb99ed02ab35145c3ddc5e66f7f24b58d1a0e7714475f0370f71b9c51603c0.exe
-
Size
1.1MB
-
MD5
c55c58e7938f01efa7800a4f3a649610
-
SHA1
ca995f8eee73f04bc8f5f3e8fc4bd470a8020524
-
SHA256
cffb99ed02ab35145c3ddc5e66f7f24b58d1a0e7714475f0370f71b9c51603c0
-
SHA512
1a8dc3ae6e86b8da13b8aab1743859c41b21d94f7c384a60d7bf7653f42d60717f84770b337c58438ddbe5e399cd37cee94ca013ca06d3979358bdba28439ed8
-
SSDEEP
24576:21qZoJIBlbtSwSu+BKDCIKAn0xHGVk2dkwbMy56yleaixn+mfiPhr8vg8/Bq:BWIpskZqGDRMMl2xn3iS7/o
Malware Config
Extracted
xworm
127.0.0.1:7777
door-predict.gl.at.ply.gg:7777
-
Install_directory
%AppData%
-
install_file
XClient.exe
Signatures
-
Detect Xworm Payload 2 IoCs
resource yara_rule behavioral1/files/0x0007000000003cf2-17.dat family_xworm behavioral1/memory/2324-19-0x00000000009B0000-0x00000000009C6000-memory.dmp family_xworm -
Xworm family
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 2312 powershell.exe -
Executes dropped EXE 2 IoCs
pid Process 1480 fatality.exe 2324 security.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\security = "C:\\Users\\Admin\\AppData\\Local\\Temp\\security.exe" cffb99ed02ab35145c3ddc5e66f7f24b58d1a0e7714475f0370f71b9c51603c0.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 ip-api.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2312 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2312 powershell.exe Token: SeDebugPrivilege 2324 security.exe -
Suspicious use of WriteProcessMemory 10 IoCs
description pid Process procid_target PID 3044 wrote to memory of 1480 3044 cffb99ed02ab35145c3ddc5e66f7f24b58d1a0e7714475f0370f71b9c51603c0.exe 30 PID 3044 wrote to memory of 1480 3044 cffb99ed02ab35145c3ddc5e66f7f24b58d1a0e7714475f0370f71b9c51603c0.exe 30 PID 3044 wrote to memory of 1480 3044 cffb99ed02ab35145c3ddc5e66f7f24b58d1a0e7714475f0370f71b9c51603c0.exe 30 PID 3044 wrote to memory of 1480 3044 cffb99ed02ab35145c3ddc5e66f7f24b58d1a0e7714475f0370f71b9c51603c0.exe 30 PID 3044 wrote to memory of 2312 3044 cffb99ed02ab35145c3ddc5e66f7f24b58d1a0e7714475f0370f71b9c51603c0.exe 31 PID 3044 wrote to memory of 2312 3044 cffb99ed02ab35145c3ddc5e66f7f24b58d1a0e7714475f0370f71b9c51603c0.exe 31 PID 3044 wrote to memory of 2312 3044 cffb99ed02ab35145c3ddc5e66f7f24b58d1a0e7714475f0370f71b9c51603c0.exe 31 PID 3044 wrote to memory of 2324 3044 cffb99ed02ab35145c3ddc5e66f7f24b58d1a0e7714475f0370f71b9c51603c0.exe 33 PID 3044 wrote to memory of 2324 3044 cffb99ed02ab35145c3ddc5e66f7f24b58d1a0e7714475f0370f71b9c51603c0.exe 33 PID 3044 wrote to memory of 2324 3044 cffb99ed02ab35145c3ddc5e66f7f24b58d1a0e7714475f0370f71b9c51603c0.exe 33
Processes
-
C:\Users\Admin\AppData\Local\Temp\cffb99ed02ab35145c3ddc5e66f7f24b58d1a0e7714475f0370f71b9c51603c0.exe"C:\Users\Admin\AppData\Local\Temp\cffb99ed02ab35145c3ddc5e66f7f24b58d1a0e7714475f0370f71b9c51603c0.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3044 -
C:\Users\Admin\AppData\Local\Temp\fatality.exe"C:\Users\Admin\AppData\Local\Temp\fatality.exe"2⤵
- Executes dropped EXE
PID:1480
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\security.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2312
-
-
C:\Users\Admin\AppData\Local\Temp\security.exe"C:\Users\Admin\AppData\Local\Temp\security.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2324
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.0MB
MD5b5ae62edbf81a0dec30fedcc6d136245
SHA19f89cca56f20cb73503e068f5bb115fdda0cf272
SHA2565cd7137393dddb5cd41a55429871f443dcf6c2791eeaaade4fdb43f7a07c8865
SHA5123e525757ca541897e3766f73e53f21ac4ba1147ee33cc5df2117131808de8e6a3c576d8799e22dc3c76afe163102cc8517a3834388c1f06365e892a389166cc7
-
Filesize
63KB
MD5f329b3a2d6b8a4688e82ffe1c491b2ab
SHA1d06cab7d0ce6970807574569f4a3896ddd3d9ee7
SHA256e8b6648a1f94b9a9ea1d67db82812f08f5aaa7fd220d5574ba7e9e14dbcb06a0
SHA512cdc3056d11cfa9f34beee2a83dd861074076fec47e9b8a30a0e01eb92ee0ccca6b8376d58e578c15de720e5ea745da9fddbd3b0380995b237ad21a4dc1651dc6