Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
77s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system -
submitted
10/03/2025, 02:53
Static task
static1
Behavioral task
behavioral1
Sample
cffb99ed02ab35145c3ddc5e66f7f24b58d1a0e7714475f0370f71b9c51603c0.exe
Resource
win7-20241010-en
General
-
Target
cffb99ed02ab35145c3ddc5e66f7f24b58d1a0e7714475f0370f71b9c51603c0.exe
-
Size
1.1MB
-
MD5
c55c58e7938f01efa7800a4f3a649610
-
SHA1
ca995f8eee73f04bc8f5f3e8fc4bd470a8020524
-
SHA256
cffb99ed02ab35145c3ddc5e66f7f24b58d1a0e7714475f0370f71b9c51603c0
-
SHA512
1a8dc3ae6e86b8da13b8aab1743859c41b21d94f7c384a60d7bf7653f42d60717f84770b337c58438ddbe5e399cd37cee94ca013ca06d3979358bdba28439ed8
-
SSDEEP
24576:21qZoJIBlbtSwSu+BKDCIKAn0xHGVk2dkwbMy56yleaixn+mfiPhr8vg8/Bq:BWIpskZqGDRMMl2xn3iS7/o
Malware Config
Extracted
xworm
127.0.0.1:7777
door-predict.gl.at.ply.gg:7777
-
Install_directory
%AppData%
-
install_file
XClient.exe
Signatures
-
Detect Xworm Payload 2 IoCs
resource yara_rule behavioral2/files/0x000500000001e64b-31.dat family_xworm behavioral2/memory/1112-40-0x0000000000130000-0x0000000000146000-memory.dmp family_xworm -
Xworm family
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 2060 powershell.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation cffb99ed02ab35145c3ddc5e66f7f24b58d1a0e7714475f0370f71b9c51603c0.exe -
Executes dropped EXE 2 IoCs
pid Process 4892 fatality.exe 1112 security.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\security = "C:\\Users\\Admin\\AppData\\Local\\Temp\\security.exe" cffb99ed02ab35145c3ddc5e66f7f24b58d1a0e7714475f0370f71b9c51603c0.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 26 ip-api.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fatality.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2060 powershell.exe 2060 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2060 powershell.exe Token: SeDebugPrivilege 1112 security.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 3428 wrote to memory of 4892 3428 cffb99ed02ab35145c3ddc5e66f7f24b58d1a0e7714475f0370f71b9c51603c0.exe 89 PID 3428 wrote to memory of 4892 3428 cffb99ed02ab35145c3ddc5e66f7f24b58d1a0e7714475f0370f71b9c51603c0.exe 89 PID 3428 wrote to memory of 4892 3428 cffb99ed02ab35145c3ddc5e66f7f24b58d1a0e7714475f0370f71b9c51603c0.exe 89 PID 3428 wrote to memory of 2060 3428 cffb99ed02ab35145c3ddc5e66f7f24b58d1a0e7714475f0370f71b9c51603c0.exe 90 PID 3428 wrote to memory of 2060 3428 cffb99ed02ab35145c3ddc5e66f7f24b58d1a0e7714475f0370f71b9c51603c0.exe 90 PID 3428 wrote to memory of 1112 3428 cffb99ed02ab35145c3ddc5e66f7f24b58d1a0e7714475f0370f71b9c51603c0.exe 96 PID 3428 wrote to memory of 1112 3428 cffb99ed02ab35145c3ddc5e66f7f24b58d1a0e7714475f0370f71b9c51603c0.exe 96
Processes
-
C:\Users\Admin\AppData\Local\Temp\cffb99ed02ab35145c3ddc5e66f7f24b58d1a0e7714475f0370f71b9c51603c0.exe"C:\Users\Admin\AppData\Local\Temp\cffb99ed02ab35145c3ddc5e66f7f24b58d1a0e7714475f0370f71b9c51603c0.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3428 -
C:\Users\Admin\AppData\Local\Temp\fatality.exe"C:\Users\Admin\AppData\Local\Temp\fatality.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4892
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\security.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2060
-
-
C:\Users\Admin\AppData\Local\Temp\security.exe"C:\Users\Admin\AppData\Local\Temp\security.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1112
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
2.0MB
MD5b5ae62edbf81a0dec30fedcc6d136245
SHA19f89cca56f20cb73503e068f5bb115fdda0cf272
SHA2565cd7137393dddb5cd41a55429871f443dcf6c2791eeaaade4fdb43f7a07c8865
SHA5123e525757ca541897e3766f73e53f21ac4ba1147ee33cc5df2117131808de8e6a3c576d8799e22dc3c76afe163102cc8517a3834388c1f06365e892a389166cc7
-
Filesize
63KB
MD5f329b3a2d6b8a4688e82ffe1c491b2ab
SHA1d06cab7d0ce6970807574569f4a3896ddd3d9ee7
SHA256e8b6648a1f94b9a9ea1d67db82812f08f5aaa7fd220d5574ba7e9e14dbcb06a0
SHA512cdc3056d11cfa9f34beee2a83dd861074076fec47e9b8a30a0e01eb92ee0ccca6b8376d58e578c15de720e5ea745da9fddbd3b0380995b237ad21a4dc1651dc6