Analysis
- max time kernel: 148s
- max time network: 150s
- platform: windows11-21h2_x64
- resource: win11-20240508-en
- resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 30/05/2024, 16:09 UTC
Static task
static1
General
- Target: feather.exe
- Size: 166KB
- MD5: fad02083c3a1d764db408e919d1430ef
- SHA1: f0e36f0c51e259bb801c1b53767b4d2b70e62ac2
- SHA256: f4cbcc2254e8b74d272b7148322a08159d4e4293fa825cb7547e319fff13ca8d
- SHA512: 108ed0ebf60ab3ba4b5ff9a39156278a13200b8854a5e520bca1a7e5a6ec04e674cd7633deb67657fbc32488a3d31490c4dd03ef14f541f906f067338646c56c
- SSDEEP: 3072:09AtuJ3r8fHevWOVj2VFPTUuRKNhzvpLXLTrfQVCaA0i:096uJ3rSpbPXRKNdpLXLTzQVCaA0
Malware Config

Extracted: xworm
- 19.ip.gl.ply.gg:38173
- Install_directory: %Userprofile%
- install_file: Runtime Broker.exe

Extracted: asyncrat
- Venom RAT + HVNC + Stealer + Grabber v6.0.3
- Default
- 127.0.0.1:38173
- epykvfetbqzwboxh
- delay: 1
- install: false
- install_folder: %AppData%
Signatures

Detect Xworm Payload (2 IoCs)
  resource | yara_rule
  - behavioral1/files/0x000700000002a9a6-17.dat | family_xworm
  - behavioral1/memory/1756-26-0x0000000000AE0000-0x0000000000AFA000-memory.dmp | family_xworm

Async RAT payload (1 IoC)
  resource | yara_rule
  - behavioral1/files/0x000700000002a970-6.dat | family_asyncrat

Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid | Process
  - 784 | powershell.exe
  - 964 | powershell.exe
  - 1748 | powershell.exe
  - 2200 | powershell.exe

Drops startup file (2 IoCs)
  description | ioc | Process
  - File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk | XClient.exe
  - File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk | XClient.exe

Executes dropped EXE (2 IoCs)
  pid | Process
  - 1540 | Client.exe
  - 1756 | XClient.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  - Set value (str) | \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Run\Runtime Broker = "C:\\Users\\Admin\\Runtime Broker.exe" | XClient.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  - 3008 | schtasks.exe

Delays execution with timeout.exe (1 IoC)
  pid | Process
  - 3124 | timeout.exe

Suspicious behavior: EnumeratesProcesses (40 IoCs)
  pid | Process (distinct entries; the report repeats each, and most of the 40 entries are 1540 Client.exe)
  - 1540 | Client.exe
  - 964 | powershell.exe
  - 1748 | powershell.exe
  - 2200 | powershell.exe
  - 784 | powershell.exe
  - 1756 | XClient.exe

Suspicious use of AdjustPrivilegeToken (7 IoCs)
  description | pid | Process
  - Token: SeDebugPrivilege | 1540 | Client.exe
  - Token: SeDebugPrivilege | 1756 | XClient.exe
  - Token: SeDebugPrivilege | 964 | powershell.exe
  - Token: SeDebugPrivilege | 1748 | powershell.exe
  - Token: SeDebugPrivilege | 2200 | powershell.exe
  - Token: SeDebugPrivilege | 784 | powershell.exe
  - Token: SeDebugPrivilege | 1756 | XClient.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  - 1540 | Client.exe
  - 1756 | XClient.exe

Suspicious use of WriteProcessMemory (20 IoCs)
  description | pid | Process | procid_target (each entry is listed twice in the report)
  - PID 1568 wrote to memory of 1540 | 1568 | feather.exe | 78
  - PID 1568 wrote to memory of 1756 | 1568 | feather.exe | 79
  - PID 1756 wrote to memory of 964 | 1756 | XClient.exe | 80
  - PID 1756 wrote to memory of 1748 | 1756 | XClient.exe | 82
  - PID 1756 wrote to memory of 2200 | 1756 | XClient.exe | 84
  - PID 1756 wrote to memory of 784 | 1756 | XClient.exe | 86
  - PID 1756 wrote to memory of 3008 | 1756 | XClient.exe | 88
  - PID 1756 wrote to memory of 3840 | 1756 | XClient.exe | 91
  - PID 1756 wrote to memory of 4912 | 1756 | XClient.exe | 93
  - PID 4912 wrote to memory of 3124 | 4912 | cmd.exe | 95

Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\feather.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\feather.exe"
  PID: 1568
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Client.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Client.exe"
    PID: 1540
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Roaming\XClient.exe
    Command line: "C:\Users\Admin\AppData\Roaming\XClient.exe"
    PID: 1756
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
      PID: 964
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      PID: 1748
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Runtime Broker.exe'
      PID: 2200
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime Broker.exe'
      PID: 784
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Runtime Broker" /tr "C:\Users\Admin\Runtime Broker.exe"
      PID: 3008
      - Creates scheduled task(s)
    - C:\Windows\System32\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /delete /f /tn "Runtime Broker"
      PID: 3840
    - C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD12B.tmp.bat""
      PID: 4912
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\timeout.exe
        Command line: timeout 3
        PID: 3124
        - Delays execution with timeout.exe
Network
- Remote address: 8.8.8.8:53
  Request: 19.ip.gl.ply.gg IN A
  Response: 19.ip.gl.ply.gg IN A 147.185.221.19
- Remote address: 8.8.8.8:53
  Request: 19.221.185.147.in-addr.arpa IN PTR
  Response: (none)
- Remote address: 8.8.8.8:53
  Request: 14.227.111.52.in-addr.arpa IN PTR
  Response: (none)
- Remote address: 8.8.8.8:53
  Request: 88.16.208.104.in-addr.arpa IN PTR
  Response: (none)
- Remote address: 8.8.8.8:53
  Request: 8.8.8.8.in-addr.arpa IN PTR
  Response: 8.8.8.8.in-addr.arpa IN PTR dns.google
- Remote address: 8.8.8.8:53
  Request: nexusrules.officeapps.live.com IN A
  Response: nexusrules.officeapps.live.com IN CNAME prod.nexusrules.live.com.akadns.net; prod.nexusrules.live.com.akadns.net IN A 52.111.227.14
- Remote address: 8.8.8.8:53
  Request: self.events.data.microsoft.com IN A
  Response: self.events.data.microsoft.com IN CNAME self-events-data.trafficmanager.net; self-events-data.trafficmanager.net IN CNAME onedscolprdcus08.centralus.cloudapp.azure.com; onedscolprdcus08.centralus.cloudapp.azure.com IN A 104.208.16.88
Flow counters (column headers missing from the extracted page)
- 506 B / 250 B / 5 / 5
- 278 B / 511 B / 4 / 4
  DNS Request: 19.ip.gl.ply.gg
  DNS Response: 147.185.221.19
  DNS Request: 19.221.185.147.in-addr.arpa
  DNS Request: 14.227.111.52.in-addr.arpa
  DNS Request: 88.16.208.104.in-addr.arpa
- 218 B / 428 B / 3 / 3
  DNS Request: 8.8.8.8.in-addr.arpa
  DNS Request: nexusrules.officeapps.live.com
  DNS Response: 52.111.227.14
  DNS Request: self.events.data.microsoft.com
  DNS Response: 104.208.16.88
MITRE ATT&CK Enterprise v15
Downloads