Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
138s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
-
submitted
22/03/2025, 06:25
General
-
Target
09a344d3dad53e34501fb523f1c35f2f.exe
-
Size
85KB
-
MD5
09a344d3dad53e34501fb523f1c35f2f
-
SHA1
152917574da9739fe354e19ecf0bc24c68bac2bd
-
SHA256
a3cb2bc97c93afbd75583a7bf3eab46179ee7233ebebdc32c3e46b8fd062956d
-
SHA512
34930bb741f3d24e780f3bbe7821d20c3bdb0e11456da39e44abc0332b9068541170f4c6e244ed50abc22529cc2984b02734ffe209fd564ad4a393df42cdca80
-
SSDEEP
1536:j0nPVmOiyMChXYxrg94Ko//xNB/yim/1y1ejY6yFOBOXj9:4nvdPhXYxrg9zet/yjgf6yFOBMJ
Score
10/10
Malware Config
Extracted
Family
xworm
Version
3.1
C2
request-busy.gl.at.ply.gg:6728
Attributes
-
Install_directory
%AppData%
-
install_file
USB.exe
Signatures
-
Detect Xworm Payload 1 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Drops startup file 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 1 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\09a344d3dad53e34501fb523f1c35f2f.exe"C:\Users\Admin\AppData\Local\Temp\09a344d3dad53e34501fb523f1c35f2f.exe"2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
112KB
-
Filesize
8KB
-
Filesize
80KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB