Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

ModifiedIn...pt.ps1

windows10-2004-x64

10

Analysis

  • max time kernel
    23s
  • max time network
    25s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08/09/2024, 18:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ModifiedInjectedScript.ps1

  • Size

    245KB

  • MD5

    fbd0c3840741789fbd9134bc238ef0bf

  • SHA1

    484099f778d8e06fc7c85dd07722ce6a66e5263c

  • SHA256

    f0a686f2fa59128abb1a1864a35ca6eddb07e907f342e7e242cdd97be8ab9d1a

  • SHA512

    b521579d79ca422fb001ec5bf659fd46db100513c6f01a13eb0dba972f2abe737772e2934805920e56aa2f9bbc1efedbcd3e9da160c869cc97f63b46a2a32429

  • SSDEEP

    1536:CBLDlZMXoSumX+Kh2g5Im01XS76UgWYtvEdoSmNHfmZ26zgEPGtkkhZlNkTD5lUc:CNxvXQP2l80c6MJZs5clpY9GmOPdJ

Score
10/10
xwormexecutionrattrojan

Malware Config

Extracted

Family

xworm

C2

super-nearest.gl.at.ply.gg:17835

Attributes
  • install_file

    USB.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Using powershell.exe command.

    execution
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3416
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\ModifiedInjectedScript.ps1
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1860
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qknb5mkr\qknb5mkr.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:464
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAE41.tmp" "c:\Users\Admin\AppData\Local\Temp\qknb5mkr\CSC2CB85A5DAD2D4F229F175BF6161CBA6.TMP"
          4⤵
            PID:2712
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Explorer.EXE'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3872
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Explorer.EXE'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5100

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      Filesize

      3KB

      MD5

      556084f2c6d459c116a69d6fedcc4105

      SHA1

      633e89b9a1e77942d822d14de6708430a3944dbc

      SHA256

      88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

      SHA512

      0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      d336b18e0e02e045650ac4f24c7ecaa7

      SHA1

      87ce962bb3aa89fc06d5eb54f1a225ae76225b1c

      SHA256

      87e250ac493525f87051f19207d735b28aa827d025f2865ffc40ba775db9fc27

      SHA512

      e538e4ecf771db02745061f804a0db31f59359f32195b4f8c276054779509eaea63665adf6fedbb1953fa14eb471181eb085880341c7368330d8c3a26605bb18

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      6d3e9c29fe44e90aae6ed30ccf799ca8

      SHA1

      c7974ef72264bbdf13a2793ccf1aed11bc565dce

      SHA256

      2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

      SHA512

      60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RESAE41.tmp
      Filesize

      1KB

      MD5

      f223c376c2426090012d00fffc89d892

      SHA1

      3b3ae37b104eef5b5eac193b53a4aca4f6203010

      SHA256

      e8e7b5908b6a7b1bfdedee42be504c3cf37884569438282849faa62aad2cf46b

      SHA512

      6649e31c1212d4b99081fe8b5982cd3fea8d6a76c05856526bfc38a5a751c5477562a68d2ce13df9647882c4402cca650b1eddcd2003ee91614f0067097bd2ce

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vssyr24a.2nv.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\qknb5mkr\qknb5mkr.dll
      Filesize

      3KB

      MD5

      22ccf0894bb01c08f8d9c7b8c61a1273

      SHA1

      4b94c72fb4c2886d70a630b541f433df05e8b831

      SHA256

      d470c7bf8650ec2b11139103f1bfce344ffe227c080796148d47a89d3b602b42

      SHA512

      d13d9c3858a35e6c1ac7c88cb04489382ea7d09b60a474bbf8334ca1b576d09211839357fca42e2128083d466d9d5cddd84732d4fc91dee50f898067eaf319d2

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\qknb5mkr\CSC2CB85A5DAD2D4F229F175BF6161CBA6.TMP
      Filesize

      652B

      MD5

      5aa90e84aef80d17ced9dd787f7cd409

      SHA1

      da28674119f75997b937887b9fc50f2901f784ae

      SHA256

      e6967de5eb9aaebe620ba561d696aef67b1d43b9dbb4a4f1895aaebdfba01742

      SHA512

      2fff23fcc8cb072eb7052e3525361539c7b43c5d21f55298961658935ef7ce8949ebefd2928bdb39d45bd0d80e51c92ec5dd88ea387976fb2eb7777c7a15df5e

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\qknb5mkr\qknb5mkr.0.cs
      Filesize

      1KB

      MD5

      a4fef4759647eadc277a4ee8b396f836

      SHA1

      fa76fe82aad72a7e94add1ef80fb64798de5ee58

      SHA256

      49ac01fa1eb4fc3c8e58569c2ed930dcbbb24bac902a58c4ce0539f91186079f

      SHA512

      7702b8220809f8f65d6e164a40dae5914d12bd1fce0ed256256310f3670419ef33407d42071da6305bd74168a013f0953f4a43d2459decc8b702682e2a32b54c

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\qknb5mkr\qknb5mkr.cmdline
      Filesize

      369B

      MD5

      c7ca0bcd1eac8378c1c33165073d9ed1

      SHA1

      92b5d3043114005a4ed830269991180786e2dafe

      SHA256

      a7375c8a8b1edb9f4137b8d0e90b8af9a78ef0324a741848e2586b72c6e75115

      SHA512

      c8d5c2f22a1ece03645fc5e3b3cb64c0961fc741090700703817581ca73f137e43a432bb65073bb3524be8626f7accc885f81b00c87992bb4cee432b888ed16d

      Download Submit

    • memory/1860-28-0x00007FFD204F0000-0x00007FFD20FB1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1860-34-0x00007FFD204F0000-0x00007FFD20FB1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1860-6-0x0000029171D30000-0x0000029171D52000-memory.dmp

      Filesize

      136KB

      Download

    • memory/1860-0-0x00007FFD204F3000-0x00007FFD204F5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1860-29-0x000002916F680000-0x000002916F690000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1860-11-0x00007FFD204F0000-0x00007FFD20FB1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1860-12-0x00007FFD204F0000-0x00007FFD20FB1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1860-25-0x0000029171A00000-0x0000029171A08000-memory.dmp

      Filesize

      32KB

      Download

    • memory/3416-35-0x00007FFD204F0000-0x00007FFD20FB1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3416-36-0x00007FFD204F0000-0x00007FFD20FB1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3416-31-0x0000000007370000-0x0000000007386000-memory.dmp

      Filesize

      88KB

      Download

    • memory/3416-30-0x00007FFD204F3000-0x00007FFD204F5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3416-27-0x0000000002AA0000-0x0000000002AB7000-memory.dmp

      Filesize

      92KB

      Download

    • memory/3416-60-0x00007FFD204F0000-0x00007FFD20FB1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3416-61-0x00007FFD204F0000-0x00007FFD20FB1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3416-62-0x0000000008520000-0x000000000852C000-memory.dmp

      Filesize

      48KB

      Download