Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

feather.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240508-en
  • resource tags

    arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    30/05/2024, 16:09 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    feather.exe

  • Size

    166KB

  • MD5

    fad02083c3a1d764db408e919d1430ef

  • SHA1

    f0e36f0c51e259bb801c1b53767b4d2b70e62ac2

  • SHA256

    f4cbcc2254e8b74d272b7148322a08159d4e4293fa825cb7547e319fff13ca8d

  • SHA512

    108ed0ebf60ab3ba4b5ff9a39156278a13200b8854a5e520bca1a7e5a6ec04e674cd7633deb67657fbc32488a3d31490c4dd03ef14f541f906f067338646c56c

  • SSDEEP

    3072:09AtuJ3r8fHevWOVj2VFPTUuRKNhzvpLXLTrfQVCaA0i:096uJ3rSpbPXRKNdpLXLTzQVCaA0

Score
10/10
asyncratxwormdefaultexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

19.ip.gl.ply.gg:38173

Attributes
  • Install_directory

    %Userprofile%

  • install_file

    Runtime Broker.exe

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

C2

127.0.0.1:38173

Mutex

epykvfetbqzwboxh

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain
1
wNgkUAUz6PMjnIfcCkvjnmU6pJWaiNaG

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Async RAT payload 1 IoCs
    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 40 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\feather.exe
    "C:\Users\Admin\AppData\Local\Temp\feather.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1568
    • C:\Users\Admin\AppData\Roaming\Client.exe
      "C:\Users\Admin\AppData\Roaming\Client.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1540
    • C:\Users\Admin\AppData\Roaming\XClient.exe
      "C:\Users\Admin\AppData\Roaming\XClient.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1756
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:964
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1748
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Runtime Broker.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2200
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime Broker.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:784
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Runtime Broker" /tr "C:\Users\Admin\Runtime Broker.exe"
        3⤵
        • Creates scheduled task(s)
        PID:3008
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /delete /f /tn "Runtime Broker"
        3⤵
          PID:3840
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD12B.tmp.bat""
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4912
          • C:\Windows\system32\timeout.exe
            timeout 3
            4⤵
            • Delays execution with timeout.exe
            PID:3124

    Network

    • flag-us
      DNS
      19.ip.gl.ply.gg
      XClient.exe
      Remote address:
      8.8.8.8:53
      Request
      19.ip.gl.ply.gg
      IN A
      Response
      19.ip.gl.ply.gg
      IN A
      147.185.221.19
    • flag-us
      DNS
      19.221.185.147.in-addr.arpa
      XClient.exe
      Remote address:
      8.8.8.8:53
      Request
      19.221.185.147.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      14.227.111.52.in-addr.arpa
      XClient.exe
      Remote address:
      8.8.8.8:53
      Request
      14.227.111.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      88.16.208.104.in-addr.arpa
      XClient.exe
      Remote address:
      8.8.8.8:53
      Request
      88.16.208.104.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      8.8.8.8.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      8.8.8.8.in-addr.arpa
      IN PTR
      Response
      8.8.8.8.in-addr.arpa
      IN PTR
      dnsgoogle
    • flag-us
      DNS
      nexusrules.officeapps.live.com
      Remote address:
      8.8.8.8:53
      Request
      nexusrules.officeapps.live.com
      IN A
      Response
      nexusrules.officeapps.live.com
      IN CNAME
      prod.nexusrules.live.com.akadns.net
      prod.nexusrules.live.com.akadns.net
      IN A
      52.111.227.14
    • flag-us
      DNS
      self.events.data.microsoft.com
      Remote address:
      8.8.8.8:53
      Request
      self.events.data.microsoft.com
      IN A
      Response
      self.events.data.microsoft.com
      IN CNAME
      self-events-data.trafficmanager.net
      self-events-data.trafficmanager.net
      IN CNAME
      onedscolprdcus08.centralus.cloudapp.azure.com
      onedscolprdcus08.centralus.cloudapp.azure.com
      IN A
      104.208.16.88
    • 127.0.0.1:38173
      Client.exe
    • 127.0.0.1:38173
      Client.exe
    • 127.0.0.1:38173
      Client.exe
    • 147.185.221.19:38173
      19.ip.gl.ply.gg
      XClient.exe
      506 B
       250 B
       5
      5
    • 127.0.0.1:38173
      Client.exe
    • 127.0.0.1:38173
      Client.exe
    • 127.0.0.1:38173
      Client.exe
    • 127.0.0.1:38173
      Client.exe
    • 127.0.0.1:38173
      Client.exe
    • 127.0.0.1:38173
      Client.exe
    • 127.0.0.1:38173
      Client.exe
    • 127.0.0.1:38173
      Client.exe
    • 127.0.0.1:38173
      Client.exe
    • 127.0.0.1:38173
      Client.exe
    • 127.0.0.1:38173
      Client.exe
    • 127.0.0.1:38173
      Client.exe
    • 127.0.0.1:38173
      Client.exe
    • 127.0.0.1:38173
      Client.exe
    • 127.0.0.1:38173
      Client.exe
    • 127.0.0.1:38173
      Client.exe
    • 127.0.0.1:38173
      Client.exe
    • 127.0.0.1:38173
      Client.exe
    • 127.0.0.1:38173
      Client.exe
    • 127.0.0.1:38173
      Client.exe
    • 127.0.0.1:38173
      Client.exe
    • 127.0.0.1:38173
      Client.exe
    • 127.0.0.1:38173
      Client.exe
    • 127.0.0.1:38173
      Client.exe
    • 127.0.0.1:38173
      Client.exe
    • 127.0.0.1:38173
      Client.exe
    • 127.0.0.1:38173
      Client.exe
    • 8.8.8.8:53
      19.ip.gl.ply.gg
      dns
      XClient.exe
      278 B
       511 B
       4
      4

      DNS Request

      19.ip.gl.ply.gg

      DNS Response

      147.185.221.19

      DNS Request

      19.221.185.147.in-addr.arpa

      DNS Request

      14.227.111.52.in-addr.arpa

      DNS Request

      88.16.208.104.in-addr.arpa

    • 8.8.8.8:53
      8.8.8.8.in-addr.arpa
      dns
      218 B
       428 B
       3
      3

      DNS Request

      8.8.8.8.in-addr.arpa

      DNS Request

      nexusrules.officeapps.live.com

      DNS Response

      52.111.227.14

      DNS Request

      self.events.data.microsoft.com

      DNS Response

      104.208.16.88

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      627073ee3ca9676911bee35548eff2b8

      SHA1

      4c4b68c65e2cab9864b51167d710aa29ebdcff2e

      SHA256

      85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

      SHA512

      3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      05b3cd21c1ec02f04caba773186ee8d0

      SHA1

      39e790bfe10abf55b74dfb3603df8fcf6b5e6edb

      SHA256

      911efc5cf9cbeb697543eb3242f5297e1be46dd6603a390140a9ff031ed9e1e8

      SHA512

      e751008b032394817beb46937fd93a73be97254c2be94dd42f22fb1306d2715c653ece16fa96eab1a3e73811936768cea6b37888437086fc6f3e3e793a2515eb

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      b26e5bedfb520c4c341b64a636b83fe1

      SHA1

      991188792f4778e59ff166007bebc549107128dc

      SHA256

      34836bf15fe6bf8a0903f9065338c160ea03b4f26d1217dd0c294fec4a7feafb

      SHA512

      b93c4eb59fffdc7ba829442156b5af536d4865362a2abecef717ed92612e2e14c10a702f25bb2a1ed0b43dcdbd2e62ef7bfdf6d435c21fc06873d9a4642efd7b

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      cef328ddb1ee8916e7a658919323edd8

      SHA1

      a676234d426917535e174f85eabe4ef8b88256a5

      SHA256

      a1b5b7ada8ebc910f20f91ada3991d3321104e9da598c958b1edac9f9aca0e90

      SHA512

      747400c20ca5b5fd1b54bc24e75e6a78f15af61df263be932d2ee7b2f34731c2de8ce03b2706954fb098c1ac36f0b761cf37e418738fa91f2a8ea78572f545cb

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xii14lyk.nwc.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmpD12B.tmp.bat
      Filesize

      156B

      MD5

      6028d5fd1b35b081ae6ab06df998a3b7

      SHA1

      dfb5de12aca5414adee65a09f0583270e9306f5c

      SHA256

      5f9ee0a2f5ef0e070d0ff48a2e51e7d4db6693de221e0332d884fa089592650b

      SHA512

      9a9ca4e9d6a9ebd45f5e1663064872a61b884dcb3b50c5f12d806e6b1d655c3b3e78ce1e3f04486dfea2c718bde99960d8caaf46cde2e4f7dfbf21b7cecf3c8e

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Client.exe
      Filesize

      74KB

      MD5

      f8ec02f0ad41f3e984037b398641f3bb

      SHA1

      88d64ad9840e65bcd5d27323a0fe2214d00d7346

      SHA256

      12cdd3df8d582bc30a49c2b4f8cf96d522e0f01d64f2e7df17276dc89fdb1a75

      SHA512

      31d177cceba0a3698f696c5daa0265ebe3fecf8a2a2934290e574789811a68c7313c1b0b40b1bae88666088c87fc9336941e10f26952a442c9cc3ca9637f5322

      Download Submit

    • C:\Users\Admin\AppData\Roaming\XClient.exe
      Filesize

      75KB

      MD5

      74fcef65a288af74b2a36dd6895264f8

      SHA1

      d5d73bb877f0aee6962f49c87603eec9d5b4846b

      SHA256

      ed308d6d8768d98145916f4529e0b444058105f401acf1e01bdacadf39a637b1

      SHA512

      c342445070326c126ae5841cc88a3cdcd2ae6bd995a37903ca6cacb517dc3ed7ada4c9fb7c020ad814824d2a5a29fd909da895c40475aec5ec6499778e25772a

      Download Submit

    • memory/964-30-0x000002A3ACE20000-0x000002A3ACE42000-memory.dmp

      Filesize

      136KB

      Download

    • memory/1540-28-0x00007FFAC46D0000-0x00007FFAC5192000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1540-25-0x0000000000EA0000-0x0000000000EB8000-memory.dmp

      Filesize

      96KB

      Download

    • memory/1540-84-0x00007FFAC46D0000-0x00007FFAC5192000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1568-0-0x00007FFAC46D3000-0x00007FFAC46D5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1568-1-0x0000000000090000-0x00000000000C0000-memory.dmp

      Filesize

      192KB

      Download

    • memory/1756-29-0x00007FFAC46D0000-0x00007FFAC5192000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1756-26-0x0000000000AE0000-0x0000000000AFA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/1756-83-0x00007FFAC46D0000-0x00007FFAC5192000-memory.dmp

      Filesize

      10.8MB

      Download

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.