Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    30/05/2024, 16:09 UTC

General

  • Target

    feather.exe

  • Size

    166KB

  • MD5

    fad02083c3a1d764db408e919d1430ef

  • SHA1

    f0e36f0c51e259bb801c1b53767b4d2b70e62ac2

  • SHA256

    f4cbcc2254e8b74d272b7148322a08159d4e4293fa825cb7547e319fff13ca8d

  • SHA512

    108ed0ebf60ab3ba4b5ff9a39156278a13200b8854a5e520bca1a7e5a6ec04e674cd7633deb67657fbc32488a3d31490c4dd03ef14f541f906f067338646c56c

  • SSDEEP

    3072:09AtuJ3r8fHevWOVj2VFPTUuRKNhzvpLXLTrfQVCaA0i:096uJ3rSpbPXRKNdpLXLTzQVCaA0

Malware Config

Extracted

Family

xworm

C2

19.ip.gl.ply.gg:38173

Attributes
  • Install_directory

    %Userprofile%

  • install_file

    Runtime Broker.exe

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

C2

127.0.0.1:38173

Mutex

epykvfetbqzwboxh

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain
1
wNgkUAUz6PMjnIfcCkvjnmU6pJWaiNaG

Signatures

  • AsyncRat

    AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Async RAT payload 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, or processes.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 40 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\feather.exe
    "C:\Users\Admin\AppData\Local\Temp\feather.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1568
    • C:\Users\Admin\AppData\Roaming\Client.exe
      "C:\Users\Admin\AppData\Roaming\Client.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1540
    • C:\Users\Admin\AppData\Roaming\XClient.exe
      "C:\Users\Admin\AppData\Roaming\XClient.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1756
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:964
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1748
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Runtime Broker.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2200
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime Broker.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:784
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Runtime Broker" /tr "C:\Users\Admin\Runtime Broker.exe"
        3⤵
        • Creates scheduled task(s)
        PID:3008
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /delete /f /tn "Runtime Broker"
        3⤵
        PID:3840
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD12B.tmp.bat""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4912
        • C:\Windows\system32\timeout.exe
          timeout 3
          4⤵
          • Delays execution with timeout.exe
          PID:3124
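    The PowerShell, schtasks and cmd.exe command lines in the tree above are the most portable detection material on this page: four Defender exclusions are added for the dropped file and for the future install path before the scheduled task that points at that path is created, and the batch file in %TEMP% is run with a timeout child. The following is an added example (my code, not tria.ge's and not the malware's) that runs simple behavioural rules over process-creation records in a Sysmon event 1-like shape and correlates the exclusions with the task target. The records are constructed from this page's command lines; parent PIDs follow the tree as drawn here, the parent of feather.exe is invented, and the ATT&CK technique IDs are my mapping.

```python
import ntpath
import re
from dataclasses import dataclass

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record (Sysmon event 1 style); constructed, not exported."""
    pid: int
    ppid: int
    image: str
    cmdline: str


def ps_cmdline(arg: str) -> str:
    return f'"{PS}" -ExecutionPolicy Bypass Add-MpPreference {arg}'


# Constructed from the process tree on this page. Parent PIDs follow the tree as
# drawn; 1000 stands in for the unseen parent of feather.exe.
EVENTS = [
    ProcessEvent(1568, 1000, r"C:\Users\Admin\AppData\Local\Temp\feather.exe",
                 r'"C:\Users\Admin\AppData\Local\Temp\feather.exe"'),
    ProcessEvent(1540, 1568, r"C:\Users\Admin\AppData\Roaming\Client.exe",
                 r'"C:\Users\Admin\AppData\Roaming\Client.exe"'),
    ProcessEvent(1756, 1568, r"C:\Users\Admin\AppData\Roaming\XClient.exe",
                 r'"C:\Users\Admin\AppData\Roaming\XClient.exe"'),
    ProcessEvent(964, 1756, PS, ps_cmdline(r"-ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'")),
    ProcessEvent(1748, 1756, PS, ps_cmdline(r"-ExclusionProcess 'XClient.exe'")),
    ProcessEvent(2200, 1756, PS, ps_cmdline(r"-ExclusionPath 'C:\Users\Admin\Runtime Broker.exe'")),
    ProcessEvent(784, 1756, PS, ps_cmdline(r"-ExclusionProcess 'Runtime Broker.exe'")),
    ProcessEvent(3008, 1756, r"C:\Windows\System32\schtasks.exe",
                 r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 '
                 r'/tn "Runtime Broker" /tr "C:\Users\Admin\Runtime Broker.exe"'),
    ProcessEvent(3840, 1756, r"C:\Windows\System32\schtasks.exe",
                 r'"C:\Windows\System32\schtasks.exe" /delete /f /tn "Runtime Broker"'),
    ProcessEvent(4912, 1756, r"C:\Windows\system32\cmd.exe",
                 r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD12B.tmp.bat""'),
    ProcessEvent(3124, 4912, r"C:\Windows\system32\timeout.exe", "timeout 3"),
]

DEFENDER_EXCLUSION = re.compile(r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)\s+'([^']+)'", re.I)
SCHTASKS_CREATE = re.compile(r'schtasks(?:\.exe)?"?\s+/create\b', re.I)
SCHTASKS_FIELD = re.compile(r'/(tn|tr|sc|mo|rl)\s+(?:"([^"]*)"|(\S+))', re.I)
TEMP_BAT = re.compile(r'cmd(?:\.exe)?\s+/c\s+"*[^"]*\\Temp\\[^"]*\.bat', re.I)


@dataclass(frozen=True)
class Finding:
    pid: int
    technique: str  # ATT&CK technique ID (my mapping, not tria.ge's)
    detail: str


def analyse(events):
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)

    findings = []
    excluded = {}  # lower-cased excluded path or process name -> pid that added it
    # Pass 1: Defender exclusions. An exclusion for a file that does not exist yet
    # is a strong hint that persistence is about to be staged at that path.
    for e in events:
        for kind, value in DEFENDER_EXCLUSION.findall(e.cmdline):
            excluded[value.lower()] = e.pid
            findings.append(Finding(e.pid, "T1562.001", f"Defender {kind} exclusion for {value}"))

    # Pass 2: persistence and execution, correlated against the exclusions.
    for e in events:
        if SCHTASKS_CREATE.search(e.cmdline):
            f = {k.lower(): (q or bare) for k, q, bare in SCHTASKS_FIELD.findall(e.cmdline)}
            target = f.get("tr", "")
            detail = (f"task {f.get('tn')} runs {target} /sc {f.get('sc')} /mo {f.get('mo')} "
                      f"/RL {f.get('rl')}")
            staged_by = excluded.get(target.lower()) or excluded.get(ntpath.basename(target).lower())
            if staged_by:
                detail += f"; target pre-excluded from Defender by pid {staged_by}"
            findings.append(Finding(e.pid, "T1053.005", detail))
        if TEMP_BAT.search(e.cmdline):
            delayed = any(c.image.lower().endswith("timeout.exe") for c in children.get(e.pid, []))
            detail = "cmd /c on a %TEMP% batch file" + ("; child timeout.exe delays it" if delayed else "")
            findings.append(Finding(e.pid, "T1059.003", detail))
    return findings


if __name__ == "__main__":
    for finding in analyse(EVENTS):
        print(f"pid {finding.pid:>5}  {finding.technique}  {finding.detail}")
```

    On these records the rules return six findings: the four exclusions, the minute-interval task at highest run level whose target was excluded before the task existed, and the temp batch file with its timeout child. The correlation in pass 2 is the part worth keeping: an Add-MpPreference for a path that is then handed to schtasks or a Run key is a far stronger signal than either event alone.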

    Network

    • [US] DNS  19.ip.gl.ply.gg  (XClient.exe)  via 8.8.8.8:53
      Request: 19.ip.gl.ply.gg IN A
      Response: 19.ip.gl.ply.gg IN A 147.185.221.19
    • [US] DNS  19.221.185.147.in-addr.arpa  (XClient.exe)  via 8.8.8.8:53
      Request: 19.221.185.147.in-addr.arpa IN PTR
      Response: (empty)
    • [US] DNS  14.227.111.52.in-addr.arpa  (XClient.exe)  via 8.8.8.8:53
      Request: 14.227.111.52.in-addr.arpa IN PTR
      Response: (empty)
    • [US] DNS  88.16.208.104.in-addr.arpa  (XClient.exe)  via 8.8.8.8:53
      Request: 88.16.208.104.in-addr.arpa IN PTR
      Response: (empty)
    • [US] DNS  8.8.8.8.in-addr.arpa  via 8.8.8.8:53
      Request: 8.8.8.8.in-addr.arpa IN PTR
      Response: 8.8.8.8.in-addr.arpa IN PTR dns.google
    • [US] DNS  nexusrules.officeapps.live.com  via 8.8.8.8:53
      Request: nexusrules.officeapps.live.com IN A
      Response: nexusrules.officeapps.live.com IN CNAME prod.nexusrules.live.com.akadns.net
                prod.nexusrules.live.com.akadns.net IN A 52.111.227.14
    • [US] DNS  self.events.data.microsoft.com  via 8.8.8.8:53
      Request: self.events.data.microsoft.com IN A
      Response: self.events.data.microsoft.com IN CNAME self-events-data.trafficmanager.net
                self-events-data.trafficmanager.net IN CNAME onedscolprdcus08.centralus.cloudapp.azure.com
                onedscolprdcus08.centralus.cloudapp.azure.com IN A 104.208.16.88
    • 127.0.0.1:38173
      Client.exe
    • 127.0.0.1:38173
      Client.exe
    • 127.0.0.1:38173
      Client.exe
    • 147.185.221.19:38173  (19.ip.gl.ply.gg)  XClient.exe
      506 B / 250 B transferred, 5 / 5 packets
    • 127.0.0.1:38173
      Client.exe
    • 127.0.0.1:38173
      Client.exe
    • 127.0.0.1:38173
      Client.exe
    • 127.0.0.1:38173
      Client.exe
    • 127.0.0.1:38173
      Client.exe
    • 127.0.0.1:38173
      Client.exe
    • 127.0.0.1:38173
      Client.exe
    • 127.0.0.1:38173
      Client.exe
    • 127.0.0.1:38173
      Client.exe
    • 127.0.0.1:38173
      Client.exe
    • 127.0.0.1:38173
      Client.exe
    • 127.0.0.1:38173
      Client.exe
    • 127.0.0.1:38173
      Client.exe
    • 127.0.0.1:38173
      Client.exe
    • 127.0.0.1:38173
      Client.exe
    • 127.0.0.1:38173
      Client.exe
    • 127.0.0.1:38173
      Client.exe
    • 127.0.0.1:38173
      Client.exe
    • 127.0.0.1:38173
      Client.exe
    • 127.0.0.1:38173
      Client.exe
    • 127.0.0.1:38173
      Client.exe
    • 127.0.0.1:38173
      Client.exe
    • 127.0.0.1:38173
      Client.exe
    • 127.0.0.1:38173
      Client.exe
    • 127.0.0.1:38173
      Client.exe
    • 127.0.0.1:38173
      Client.exe
    • 127.0.0.1:38173
      Client.exe
    • 8.8.8.8:53  (19.ip.gl.ply.gg)  dns  XClient.exe
      278 B / 511 B transferred, 4 / 4 packets
      DNS requests: 19.ip.gl.ply.gg (A, response 147.185.221.19); 19.221.185.147.in-addr.arpa, 14.227.111.52.in-addr.arpa, 88.16.208.104.in-addr.arpa (PTR, no response recorded)
    • 8.8.8.8:53  (8.8.8.8.in-addr.arpa)  dns
      218 B / 428 B transferred, 3 / 3 packets
      DNS requests: 8.8.8.8.in-addr.arpa (PTR); nexusrules.officeapps.live.com (A, response 52.111.227.14); self.events.data.microsoft.com (A, response 104.208.16.88)
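    The two extracted configs use the same port but very different hosts. The xworm C2 is a ply.gg hostname, issued by the playit.gg tunnelling service, so the address it resolved to is a relay rather than the operator's own machine; the asyncrat C2 is 127.0.0.1, so the thirty Client.exe connections listed above never left the sandbox and are not an indicator of anything. The following is an added example (my code, not tria.ge's) that joins the config C2 entries to the DNS answers and flows on this page, constructed here as records, to produce the external IOC set and to mark config entries that can only ever reach the local host. The process names and counts are taken from the tables above; the record shapes are my own.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsRecord:
    """One sandbox DNS lookup; answers is empty when nothing came back."""
    process: str
    name: str
    rtype: str
    answers: tuple


@dataclass(frozen=True)
class Flow:
    process: str
    dst_ip: str
    dst_port: int


# Extracted configs from this report, family -> C2 entries as "host:port".
CONFIG_C2 = {
    "xworm": ["19.ip.gl.ply.gg:38173"],
    "asyncrat": ["127.0.0.1:38173"],
}

# Constructed from the DNS table above; the PTR lookups recorded no answer.
DNS = [
    DnsRecord("XClient.exe", "19.ip.gl.ply.gg", "A", ("147.185.221.19",)),
    DnsRecord("XClient.exe", "19.221.185.147.in-addr.arpa", "PTR", ()),
    DnsRecord("XClient.exe", "14.227.111.52.in-addr.arpa", "PTR", ()),
    DnsRecord("XClient.exe", "88.16.208.104.in-addr.arpa", "PTR", ()),
    DnsRecord("", "nexusrules.officeapps.live.com", "A", ("52.111.227.14",)),
    DnsRecord("", "self.events.data.microsoft.com", "A", ("104.208.16.88",)),
]

# Constructed from the connection table above: thirty loopback attempts by
# Client.exe and one real flow by XClient.exe.
FLOWS = [Flow("Client.exe", "127.0.0.1", 38173)] * 30 + [Flow("XClient.exe", "147.185.221.19", 38173)]


def parse_c2(entry: str):
    host, _, port = entry.rpartition(":")
    return host, int(port)


def is_routable(ip: str) -> bool:
    a = ipaddress.ip_address(ip)
    return not (a.is_loopback or a.is_private or a.is_link_local or a.is_multicast or a.is_reserved)


def correlate(config_c2, dns, flows):
    """Join config C2 entries to DNS answers and observed flows.

    Returns family -> hostnames to block, the routable IPs they resolved to in
    the sandbox, the ports, whether the config can only reach the local host,
    and how many observed flows matched the C2 (ip, port) pairs.
    """
    resolved = {}
    for r in dns:
        if r.rtype == "A":
            resolved.setdefault(r.name, set()).update(r.answers)

    result = {}
    for family, entries in config_c2.items():
        hosts, ips, ports = set(), set(), set()
        for entry in entries:
            host, port = parse_c2(entry)
            ports.add(port)
            try:
                ipaddress.ip_address(host)
                ips.add(host)
            except ValueError:  # a hostname: take whatever the sandbox resolved
                hosts.add(host)
                ips.update(resolved.get(host, ()))
        routable = {ip for ip in ips if is_routable(ip)}
        matched = sum(1 for f in flows if f.dst_ip in ips and f.dst_port in ports)
        result[family] = {
            "hosts": hosts,
            "ips": routable,
            "ports": ports,
            "local_only": bool(ips) and not routable,
            "matched_flows": matched,
        }
    return result


def external_iocs(result):
    """Flatten to the (indicator, port) pairs worth blocking outside the sandbox."""
    out = set()
    for r in result.values():
        if r["local_only"]:
            continue
        for port in r["ports"]:
            out.update((h, port) for h in r["hosts"])
            out.update((ip, port) for ip in r["ips"])
    return out


if __name__ == "__main__":
    summary = correlate(CONFIG_C2, DNS, FLOWS)
    for family, r in summary.items():
        print(family, r)
    print("external IOCs:", sorted(external_iocs(summary)))
```

    For this sample the only external indicators are 19.ip.gl.ply.gg and 147.185.221.19 on port 38173; the asyncrat entry is flagged local-only and dropped. Because the IP is a tunnel relay, the hostname plus port is the durable indicator and the bare IP should be treated as short-lived.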

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

      Filesize

      2KB

      MD5

      627073ee3ca9676911bee35548eff2b8

      SHA1

      4c4b68c65e2cab9864b51167d710aa29ebdcff2e

      SHA256

      85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

      SHA512

      3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      944B

      MD5

      05b3cd21c1ec02f04caba773186ee8d0

      SHA1

      39e790bfe10abf55b74dfb3603df8fcf6b5e6edb

      SHA256

      911efc5cf9cbeb697543eb3242f5297e1be46dd6603a390140a9ff031ed9e1e8

      SHA512

      e751008b032394817beb46937fd93a73be97254c2be94dd42f22fb1306d2715c653ece16fa96eab1a3e73811936768cea6b37888437086fc6f3e3e793a2515eb

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      944B

      MD5

      b26e5bedfb520c4c341b64a636b83fe1

      SHA1

      991188792f4778e59ff166007bebc549107128dc

      SHA256

      34836bf15fe6bf8a0903f9065338c160ea03b4f26d1217dd0c294fec4a7feafb

      SHA512

      b93c4eb59fffdc7ba829442156b5af536d4865362a2abecef717ed92612e2e14c10a702f25bb2a1ed0b43dcdbd2e62ef7bfdf6d435c21fc06873d9a4642efd7b

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      944B

      MD5

      cef328ddb1ee8916e7a658919323edd8

      SHA1

      a676234d426917535e174f85eabe4ef8b88256a5

      SHA256

      a1b5b7ada8ebc910f20f91ada3991d3321104e9da598c958b1edac9f9aca0e90

      SHA512

      747400c20ca5b5fd1b54bc24e75e6a78f15af61df263be932d2ee7b2f34731c2de8ce03b2706954fb098c1ac36f0b761cf37e418738fa91f2a8ea78572f545cb

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xii14lyk.nwc.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • C:\Users\Admin\AppData\Local\Temp\tmpD12B.tmp.bat

      Filesize

      156B

      MD5

      6028d5fd1b35b081ae6ab06df998a3b7

      SHA1

      dfb5de12aca5414adee65a09f0583270e9306f5c

      SHA256

      5f9ee0a2f5ef0e070d0ff48a2e51e7d4db6693de221e0332d884fa089592650b

      SHA512

      9a9ca4e9d6a9ebd45f5e1663064872a61b884dcb3b50c5f12d806e6b1d655c3b3e78ce1e3f04486dfea2c718bde99960d8caaf46cde2e4f7dfbf21b7cecf3c8e

    • C:\Users\Admin\AppData\Roaming\Client.exe

      Filesize

      74KB

      MD5

      f8ec02f0ad41f3e984037b398641f3bb

      SHA1

      88d64ad9840e65bcd5d27323a0fe2214d00d7346

      SHA256

      12cdd3df8d582bc30a49c2b4f8cf96d522e0f01d64f2e7df17276dc89fdb1a75

      SHA512

      31d177cceba0a3698f696c5daa0265ebe3fecf8a2a2934290e574789811a68c7313c1b0b40b1bae88666088c87fc9336941e10f26952a442c9cc3ca9637f5322

    • C:\Users\Admin\AppData\Roaming\XClient.exe

      Filesize

      75KB

      MD5

      74fcef65a288af74b2a36dd6895264f8

      SHA1

      d5d73bb877f0aee6962f49c87603eec9d5b4846b

      SHA256

      ed308d6d8768d98145916f4529e0b444058105f401acf1e01bdacadf39a637b1

      SHA512

      c342445070326c126ae5841cc88a3cdcd2ae6bd995a37903ca6cacb517dc3ed7ada4c9fb7c020ad814824d2a5a29fd909da895c40475aec5ec6499778e25772a

    • memory/964-30-0x000002A3ACE20000-0x000002A3ACE42000-memory.dmp

      Filesize

      136KB

    • memory/1540-28-0x00007FFAC46D0000-0x00007FFAC5192000-memory.dmp

      Filesize

      10.8MB

    • memory/1540-25-0x0000000000EA0000-0x0000000000EB8000-memory.dmp

      Filesize

      96KB

    • memory/1540-84-0x00007FFAC46D0000-0x00007FFAC5192000-memory.dmp

      Filesize

      10.8MB

    • memory/1568-0-0x00007FFAC46D3000-0x00007FFAC46D5000-memory.dmp

      Filesize

      8KB

    • memory/1568-1-0x0000000000090000-0x00000000000C0000-memory.dmp

      Filesize

      192KB

    • memory/1756-29-0x00007FFAC46D0000-0x00007FFAC5192000-memory.dmp

      Filesize

      10.8MB

    • memory/1756-26-0x0000000000AE0000-0x0000000000AFA000-memory.dmp

      Filesize

      104KB

    • memory/1756-83-0x00007FFAC46D0000-0x00007FFAC5192000-memory.dmp

      Filesize

      10.8MB
