Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 124s
- max time network: 135s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 10/03/2025, 03:00
Static task
static1
Behavioral task
behavioral1
Sample
eb050d5609042b0b8171889b6a34aadccab431c389e2d33a8e57afd332f69ac8.exe
Resource
win7-20240903-en
General
-
Target
eb050d5609042b0b8171889b6a34aadccab431c389e2d33a8e57afd332f69ac8.exe
-
Size
448KB
-
MD5
69a831d62d8eb89c3327538d23ea3532
-
SHA1
c0364914fffa90df86357489802599401b0712ec
-
SHA256
eb050d5609042b0b8171889b6a34aadccab431c389e2d33a8e57afd332f69ac8
-
SHA512
21c3ca6b26bad70dff7e8c6dd26cdf89d0e311bcb6315505fc7ba068625ba8b4452dcd9ba3c714f68de7de5ed369e27b25e82438ad66fb327f1839c34a2a3877
-
SSDEEP
12288:tgmuiWCFstIScxuwu0iFsb9FYz6eEUFuYUgZ1jVDSFQx+:7uilFstIZMYiM923UgnDSFQx+
Malware Config
Extracted
lumma
Extracted
xworm
3.1
aC2Uqwxt1JZnqhmD
-
Install_directory
%Port%
-
install_file
explorer.exe
-
pastebin_url
https://pastebin.com/raw/jkeHBv0w
Signatures
-
Detect Xworm Payload 2 IoCs
resource / yara_rule:
- behavioral1/files/0x00190000000055b1-49.dat: family_xworm
- behavioral1/memory/2160-51-0x00000000002E0000-0x00000000002EE000-memory.dmp: family_xworm (PID 2160 is the copy of Rimess.exe run from C:\Windows\System32, see the process tree)
Lumma family
-
Xworm family
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths or processes. Here the exclusion is an -ExclusionPath for C:\Windows\System32\Rimess.exe, the persistence copy of the XWorm dropper (see the process tree).
pid / Process:
- 2644 powershell.exe
Executes dropped EXE 5 IoCs
pid / Process:
- 2548 Rimess.exe
- 2940 Nexol.exe
- 2868 Nexol.exe
- 2888 Nexol.exe
- 2160 Rimess.exe
Loads dropped DLL 5 IoCs
pid / Process:
- 2940 Nexol.exe (x2)
- 2736 WerFault.exe (x3)
Adds Run key to start application 2 TTPs 1 IoCs
description / ioc / Process:
- Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rimess = "C:\\Windows\\System32\\Rimess.exe" by Rimess.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow / ioc:
- flow 4: pastebin.com
- flow 5: pastebin.com
Drops file in System32 directory 2 IoCs
description / ioc / Process:
- File created C:\Windows\System32\Rimess.exe by Rimess.exe
- File opened for modification C:\Windows\System32\Rimess.exe by Rimess.exe
Suspicious use of SetThreadContext 1 IoCs
description / pid / Process / procid_target:
- PID 2940 (Nexol.exe) set thread context of PID 2888 (its own child Nexol.exe, procid_target 34)
The parent writes into a freshly spawned copy of itself (see the WriteProcessMemory entries for 2940 -> 2888) and then resets its thread context, which is the usual shape of process hollowing; the WerFault entry below records the parent crashing afterwards.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid / pid_target / Process / procid_target:
- 2736 WerFault.exe, pid_target 2940 (Nexol.exe), procid_target 32
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / Process:
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by Nexol.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by Nexol.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid / Process:
- 2644 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description / pid / Process:
- Token: SeDebugPrivilege, 2644 powershell.exe
- Token: SeDebugPrivilege, 2160 Rimess.exe
Suspicious use of WriteProcessMemory 31 IoCs
description / pid / Process / procid_target (identical rows collapsed, count in brackets):
- PID 1964 eb050d5609042b0b8171889b6a34aadccab431c389e2d33a8e57afd332f69ac8.exe wrote to memory of 2548 (Rimess.exe), procid_target 31 [x3]
- PID 1964 eb050d5609042b0b8171889b6a34aadccab431c389e2d33a8e57afd332f69ac8.exe wrote to memory of 2940 (Nexol.exe), procid_target 32 [x4]
- PID 2940 Nexol.exe wrote to memory of 2868 (Nexol.exe), procid_target 33 [x4]
- PID 2940 Nexol.exe wrote to memory of 2888 (Nexol.exe), procid_target 34 [x10]
- PID 2940 Nexol.exe wrote to memory of 2736 (WerFault.exe), procid_target 35 [x4]
- PID 2548 Rimess.exe wrote to memory of 2644 (powershell.exe), procid_target 36 [x3]
- PID 2548 Rimess.exe wrote to memory of 2160 (Rimess.exe), procid_target 38 [x3]
Processes (indentation = depth in the tree)
C:\Users\Admin\AppData\Local\Temp\eb050d5609042b0b8171889b6a34aadccab431c389e2d33a8e57afd332f69ac8.exe (PID 1964)
  command line: "C:\Users\Admin\AppData\Local\Temp\eb050d5609042b0b8171889b6a34aadccab431c389e2d33a8e57afd332f69ac8.exe"
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\Rimess.exe (PID 2548)
    command line: "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2644)
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Rimess.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\Rimess.exe (PID 2160)
      command line: "C:\Windows\System32\Rimess.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
  C:\Users\Admin\AppData\Local\Temp\Nexol.exe (PID 2940)
    command line: "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\Nexol.exe (PID 2868)
      command line: "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
      - Executes dropped EXE
    C:\Users\Admin\AppData\Local\Temp\Nexol.exe (PID 2888)
      command line: "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\WerFault.exe (PID 2736)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2940 -s 524
      - Loads dropped DLL
      - Program crash
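The behaviour chain above (dropped EXE spawning PowerShell to add a Defender exclusion, a Run key written from %TEMP% that points into System32, Nexol.exe spawning and injecting into itself, WerFault cleaning up the crashed injector) can be turned directly into endpoint detections. The following is an added example, not part of the tria.ge report: the events are constructed from the PIDs, paths and command lines in the process tree and registry signature, and the dict schema (type/pid/ppid/image/parent_image/cmdline, or key/data for registry writes) is an assumption standing in for Sysmon event IDs 1 and 13. The explorer.exe parent PID and the chrome.exe control event are invented for the example.

```python
import re
from dataclasses import dataclass

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\eb050d5609042b0b8171889b6a34aadccab431c389e2d33a8e57afd332f69ac8.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"  # benign control, not in the report


def proc(pid, ppid, image, parent_image, cmdline=None):
    """Build a constructed process-creation event (Sysmon EID 1 stand-in)."""
    return {"type": "process", "pid": pid, "ppid": ppid, "image": image,
            "parent_image": parent_image, "cmdline": cmdline or f'"{image}"'}


# Constructed events modelled on the report's process tree and registry signature.
# The last event is a benign self-spawn from Program Files and must not fire.
EVENTS = [
    proc(1964, 1500, SAMPLE, r"C:\Windows\explorer.exe"),          # ppid 1500 is assumed
    proc(2548, 1964, TEMP + r"\Rimess.exe", SAMPLE),
    proc(2644, 2548, PS, TEMP + r"\Rimess.exe",
         f'"{PS}" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath '
         r"'C:\Windows\System32\Rimess.exe'"),
    {"type": "registry", "pid": 2548, "image": TEMP + r"\Rimess.exe",
     "key": r"\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000"
            r"\Software\Microsoft\Windows\CurrentVersion\Run\Rimess",
     "data": r"C:\Windows\System32\Rimess.exe"},
    proc(2160, 2548, r"C:\Windows\System32\Rimess.exe", TEMP + r"\Rimess.exe"),
    proc(2940, 1964, TEMP + r"\Nexol.exe", SAMPLE),
    proc(2868, 2940, TEMP + r"\Nexol.exe", TEMP + r"\Nexol.exe"),
    proc(2888, 2940, TEMP + r"\Nexol.exe", TEMP + r"\Nexol.exe"),
    proc(2736, 2940, r"C:\Windows\SysWOW64\WerFault.exe", TEMP + r"\Nexol.exe",
         r"C:\Windows\SysWOW64\WerFault.exe -u -p 2940 -s 524"),
    proc(4242, 4200, CHROME, CHROME),
]

USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.I)
SYSTEM_DIR = re.compile(r"^[a-z]:\\windows\\(system32|syswow64)\\", re.I)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
MP_EXCLUSION = re.compile(r"add-mppreference\b.*-exclusion(path|process|extension)", re.I)
WERFAULT_TARGET = re.compile(r"werfault\.exe\b.*?-p\s+(\d+)", re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def rule_defender_exclusion(ev, images):
    """PowerShell adding a Defender exclusion (report: Rimess.exe -> powershell.exe)."""
    if (ev["type"] == "process" and ev["image"].lower().endswith("\\powershell.exe")
            and MP_EXCLUSION.search(ev["cmdline"])):
        return Finding("defender_exclusion_added", ev["pid"], f"parent={ev['parent_image']}")


def rule_run_key_into_system_dir(ev, images):
    """Run key written by a process living in a user-writable dir, pointing into System32."""
    if (ev["type"] == "registry" and RUN_KEY.search(ev["key"])
            and USER_WRITABLE.match(ev["image"]) and SYSTEM_DIR.match(ev["data"].strip('"'))):
        return Finding("run_key_from_temp_to_system32", ev["pid"], ev["data"])


def rule_self_spawn_from_user_dir(ev, images):
    """Same image spawning itself out of %TEMP% (Nexol.exe -> Nexol.exe, hollowing set-up)."""
    if (ev["type"] == "process" and ev["image"].lower() == ev["parent_image"].lower()
            and USER_WRITABLE.match(ev["image"])):
        return Finding("self_spawn_from_user_dir", ev["pid"], f"parent_pid={ev['ppid']}")


def rule_werfault_for_user_dir_process(ev, images):
    """WerFault -p <pid> where the crashed pid ran from a user-writable dir."""
    if ev["type"] != "process":
        return None
    m = WERFAULT_TARGET.search(ev["cmdline"])
    if m and USER_WRITABLE.match(images.get(int(m.group(1)), "")):
        return Finding("werfault_for_user_dir_process", ev["pid"],
                       f"crashed_pid={m.group(1)} image={images[int(m.group(1))]}")


RULES = [rule_defender_exclusion, rule_run_key_into_system_dir,
         rule_self_spawn_from_user_dir, rule_werfault_for_user_dir_process]


def run_detections(events):
    """Apply every rule to every event; findings come back in event order."""
    images = {ev["pid"]: ev["image"] for ev in events if ev["type"] == "process"}
    return [f for ev in events for rule in RULES if (f := rule(ev, images))]


if __name__ == "__main__":
    for f in run_detections(EVENTS):
        print(f"{f.rule:32} pid={f.pid:<5} {f.detail}")
```

On the constructed events this yields exactly five findings (PIDs 2644, 2548, 2868, 2888 and 2736) and nothing for the chrome.exe control, since a self-spawn from Program Files is routine. The WerFault rule is the cheap one to keep: the `-p` argument names the crashed process, so a crash report for a binary in %TEMP% is a strong signal even when the injection itself was not logged. On a host that matches, `Get-MpPreference | Select-Object -ExpandProperty ExclusionPath` is the check for the exclusion this sample adds.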
MITRE ATT&CK Enterprise v15
Downloads
- Filesize 386KB
  MD5 43aea8e19d79356c18c710a09c4cf39c
  SHA1 dc8e264847d5607fab57a0ba50c2f71dfd1276f0
  SHA256 9e9b5607d547d627e16c25511e0538f1ceb5f1c9c3e819d5653f8bea1081b0b2
  SHA512 a3f1a4c342bce7b344a1177217ce593e291cb0ae37c6371b2b45aab58ed301c555a9fac285119fdcc17c9087b6eec9dba0d9b5f7225757c4fcd19a20054d3e60
- Filesize 29KB
  MD5 a9ea8b23eb527c0a03541d5f85ec8205
  SHA1 49d3357d63f633dd3f85e0b651e230c9b3d496a1
  SHA256 41ba6c9a22b82e964837b99b974f6be09009d6f0dfdf32733a1380657ff84e0a
  SHA512 9aa39d7f53764080461142ab64c20d75e6a6f62f76c0acee9347341e45ef5217f4bf113671e088eca4dc312bef74b6278adea44fb590ad5abf98d1fa3b800d1a
- Filesize 30KB
  MD5 76cdbd5ca528f810989e4ccaf2f41a37
  SHA1 5082ddba41cfebd186f246ce60b01d7c8a0ba469
  SHA256 d33db6a622c58b135f7a7bc5308751687b656cc7006d6d289c8b55292212bde2
  SHA512 0c94936a9140da807d20a4a6bfeb2778e7d72081427394a689a6c9140d49ce767044a174e99a686a6e54985028af6694b3489616cb799a04ef5b1c590ee68208
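Report dumps like the one above often arrive with the algorithm name glued to the digest ("MD543aea8..."), so the first step in reusing the hashes is a parser that splits them reliably and checks digest lengths. The following is an added example, not tria.ge code: it parses the three Downloads entries exactly as extracted, builds a (algorithm, digest) index over them, and looks up arbitrary bytes against it. The Artifact layout and function names are this example's own; the lookup input is a constructed byte string, not the real sample.

```python
import hashlib
import re
from dataclasses import dataclass, field

# The Downloads section as extracted from the report, glued "MD5<hex>" layout included.
DOWNLOADS_TEXT = """\
Filesize
386KB
MD543aea8e19d79356c18c710a09c4cf39c
SHA1dc8e264847d5607fab57a0ba50c2f71dfd1276f0
SHA2569e9b5607d547d627e16c25511e0538f1ceb5f1c9c3e819d5653f8bea1081b0b2
SHA512a3f1a4c342bce7b344a1177217ce593e291cb0ae37c6371b2b45aab58ed301c555a9fac285119fdcc17c9087b6eec9dba0d9b5f7225757c4fcd19a20054d3e60
-
Filesize
29KB
MD5a9ea8b23eb527c0a03541d5f85ec8205
SHA149d3357d63f633dd3f85e0b651e230c9b3d496a1
SHA25641ba6c9a22b82e964837b99b974f6be09009d6f0dfdf32733a1380657ff84e0a
SHA5129aa39d7f53764080461142ab64c20d75e6a6f62f76c0acee9347341e45ef5217f4bf113671e088eca4dc312bef74b6278adea44fb590ad5abf98d1fa3b800d1a
-
Filesize
30KB
MD576cdbd5ca528f810989e4ccaf2f41a37
SHA15082ddba41cfebd186f246ce60b01d7c8a0ba469
SHA256d33db6a622c58b135f7a7bc5308751687b656cc7006d6d289c8b55292212bde2
SHA5120c94936a9140da807d20a4a6bfeb2778e7d72081427394a689a6c9140d49ce767044a174e99a686a6e54985028af6694b3489616cb799a04ef5b1c590ee68208
"""

HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Longest names first so "SHA256..." is not read as "SHA1" followed by "256...";
# the length check below catches any split the alternation still gets wrong.
DIGEST_LINE = re.compile(r"^(SHA512|SHA256|SHA1|MD5)([0-9a-fA-F]+)$")


@dataclass
class Artifact:
    size: str
    digests: dict = field(default_factory=dict)   # algorithm -> lowercase hex digest


def parse_downloads(text):
    """Parse 'Filesize / <size> / <ALGO><hex>...' entries into Artifact records."""
    artifacts, current, expect_size = [], None, False
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "Filesize":
            expect_size = True                      # the next line is the size
        elif expect_size:
            current = Artifact(size=line)
            artifacts.append(current)
            expect_size = False
        elif current is not None and (m := DIGEST_LINE.match(line)):
            algo, hexdigest = m.group(1), m.group(2).lower()
            if len(hexdigest) != HEX_LEN[algo]:
                raise ValueError(f"{algo}: {len(hexdigest)} hex chars, expected {HEX_LEN[algo]}")
            current.digests[algo] = hexdigest
    return artifacts


def build_index(artifacts):
    """(algorithm, digest) -> Artifact, so a match on any one hash identifies the file."""
    return {(algo, h): art for art in artifacts for algo, h in art.digests.items()}


def hash_bytes(data):
    """All four digests of data, keyed like HEX_LEN."""
    return {algo: hashlib.new(algo.lower(), data).hexdigest() for algo in HEX_LEN}


def match_bytes(index, data):
    """Return the report artifact whose digests contain any hash of data, else None."""
    for algo, h in hash_bytes(data).items():
        if (algo, h) in index:
            return index[(algo, h)]
    return None


if __name__ == "__main__":
    idx = build_index(parse_downloads(DOWNLOADS_TEXT))
    print(len(idx), "indicators loaded")
    print(match_bytes(idx, b"MZ\x90\x00 constructed bytes, not a real sample"))
```

Exact-hash matching only catches this build; a repacked or recompiled dropper changes every digest here. For near-matches the report's SSDEEP for the main sample is the hash to compare against, which needs the ssdeep library rather than hashlib.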