Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    30/05/2024, 16:09

General

  • Target

    feather.exe

  • Size

    166KB

  • MD5

    fad02083c3a1d764db408e919d1430ef

  • SHA1

    f0e36f0c51e259bb801c1b53767b4d2b70e62ac2

  • SHA256

    f4cbcc2254e8b74d272b7148322a08159d4e4293fa825cb7547e319fff13ca8d

  • SHA512

    108ed0ebf60ab3ba4b5ff9a39156278a13200b8854a5e520bca1a7e5a6ec04e674cd7633deb67657fbc32488a3d31490c4dd03ef14f541f906f067338646c56c

  • SSDEEP

    3072:09AtuJ3r8fHevWOVj2VFPTUuRKNhzvpLXLTrfQVCaA0i:096uJ3rSpbPXRKNdpLXLTzQVCaA0

Malware Config

Extracted

Family

xworm

C2

19.ip.gl.ply.gg:38173

Attributes
  • Install_directory

    %Userprofile%

  • install_file

    Runtime Broker.exe

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

C2

127.0.0.1:38173

Mutex

epykvfetbqzwboxh

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT, written in C#, is designed to remotely monitor and control other computers.

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Async RAT payload 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 40 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\feather.exe
    "C:\Users\Admin\AppData\Local\Temp\feather.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1568
    • C:\Users\Admin\AppData\Roaming\Client.exe
      "C:\Users\Admin\AppData\Roaming\Client.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1540
    • C:\Users\Admin\AppData\Roaming\XClient.exe
      "C:\Users\Admin\AppData\Roaming\XClient.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1756
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:964
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1748
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Runtime Broker.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2200
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime Broker.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:784
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Runtime Broker" /tr "C:\Users\Admin\Runtime Broker.exe"
        3⤵
        • Creates scheduled task(s)
        PID:3008
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /delete /f /tn "Runtime Broker"
        3⤵
        PID:3840
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD12B.tmp.bat""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4912
        • C:\Windows\system32\timeout.exe
          timeout 3
          4⤵
          • Delays execution with timeout.exe
          PID:3124

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

      Filesize

      2KB

      MD5

      627073ee3ca9676911bee35548eff2b8

      SHA1

      4c4b68c65e2cab9864b51167d710aa29ebdcff2e

      SHA256

      85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

      SHA512

      3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      944B

      MD5

      05b3cd21c1ec02f04caba773186ee8d0

      SHA1

      39e790bfe10abf55b74dfb3603df8fcf6b5e6edb

      SHA256

      911efc5cf9cbeb697543eb3242f5297e1be46dd6603a390140a9ff031ed9e1e8

      SHA512

      e751008b032394817beb46937fd93a73be97254c2be94dd42f22fb1306d2715c653ece16fa96eab1a3e73811936768cea6b37888437086fc6f3e3e793a2515eb

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      944B

      MD5

      b26e5bedfb520c4c341b64a636b83fe1

      SHA1

      991188792f4778e59ff166007bebc549107128dc

      SHA256

      34836bf15fe6bf8a0903f9065338c160ea03b4f26d1217dd0c294fec4a7feafb

      SHA512

      b93c4eb59fffdc7ba829442156b5af536d4865362a2abecef717ed92612e2e14c10a702f25bb2a1ed0b43dcdbd2e62ef7bfdf6d435c21fc06873d9a4642efd7b

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      944B

      MD5

      cef328ddb1ee8916e7a658919323edd8

      SHA1

      a676234d426917535e174f85eabe4ef8b88256a5

      SHA256

      a1b5b7ada8ebc910f20f91ada3991d3321104e9da598c958b1edac9f9aca0e90

      SHA512

      747400c20ca5b5fd1b54bc24e75e6a78f15af61df263be932d2ee7b2f34731c2de8ce03b2706954fb098c1ac36f0b761cf37e418738fa91f2a8ea78572f545cb

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xii14lyk.nwc.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • C:\Users\Admin\AppData\Local\Temp\tmpD12B.tmp.bat

      Filesize

      156B

      MD5

      6028d5fd1b35b081ae6ab06df998a3b7

      SHA1

      dfb5de12aca5414adee65a09f0583270e9306f5c

      SHA256

      5f9ee0a2f5ef0e070d0ff48a2e51e7d4db6693de221e0332d884fa089592650b

      SHA512

      9a9ca4e9d6a9ebd45f5e1663064872a61b884dcb3b50c5f12d806e6b1d655c3b3e78ce1e3f04486dfea2c718bde99960d8caaf46cde2e4f7dfbf21b7cecf3c8e

    • C:\Users\Admin\AppData\Roaming\Client.exe

      Filesize

      74KB

      MD5

      f8ec02f0ad41f3e984037b398641f3bb

      SHA1

      88d64ad9840e65bcd5d27323a0fe2214d00d7346

      SHA256

      12cdd3df8d582bc30a49c2b4f8cf96d522e0f01d64f2e7df17276dc89fdb1a75

      SHA512

      31d177cceba0a3698f696c5daa0265ebe3fecf8a2a2934290e574789811a68c7313c1b0b40b1bae88666088c87fc9336941e10f26952a442c9cc3ca9637f5322

    • C:\Users\Admin\AppData\Roaming\XClient.exe

      Filesize

      75KB

      MD5

      74fcef65a288af74b2a36dd6895264f8

      SHA1

      d5d73bb877f0aee6962f49c87603eec9d5b4846b

      SHA256

      ed308d6d8768d98145916f4529e0b444058105f401acf1e01bdacadf39a637b1

      SHA512

      c342445070326c126ae5841cc88a3cdcd2ae6bd995a37903ca6cacb517dc3ed7ada4c9fb7c020ad814824d2a5a29fd909da895c40475aec5ec6499778e25772a
