Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    95s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/09/2024, 07:08

General

  • Target

    RustAnticheat.exe

  • Size

    1.1MB

  • MD5

    f6f5e5a1dd30fb5fa22f220ecbe1b05a

  • SHA1

    c04279611affa2129b36332b2f748b842cd0e7a7

  • SHA256

    5bf57a09e808187117a444d16d5145fe8cd5064aaecb383d16a1b0336fe618c4

  • SHA512

    730d5719d50148ae79a28d70f2cd102ba260560cdb141aad7d31066453f9ad6cfe8a36a46da9d162a122dec5a5d1685879a4f5b0adef48677daa7168717cb1ff

  • SSDEEP

    24576:32oxfnX+1FmWYQw00hlKAv65/9KlH8XbF1A/t30TuG/m+V54/6AH1Ba:3L5nXumWYCTsCKlcXbU/tjGg/6AV

Malware Config

Extracted

Family

xworm

C2

web-amend.gl.at.ply.gg:59501

Attributes
  • Install_directory

    %Userprofile%

  • install_file

    USB.exe

Signatures

  • Detect Umbral payload 2 IoCs
  • Detect Xworm Payload 2 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Delays execution with timeout.exe 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 50 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\RustAnticheat.exe
    "C:\Users\Admin\AppData\Local\Temp\RustAnticheat.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3424
    • C:\Users\Admin\Loader (1).exe
      "C:\Users\Admin\Loader (1).exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:5064
    • C:\Users\Admin\RuntimeBroker.exe
      "C:\Users\Admin\RuntimeBroker.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3316
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\RuntimeBroker.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3992
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RuntimeBroker.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2212
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\RuntimeBroker'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:768
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RuntimeBroker'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2748
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "RuntimeBroker" /tr "C:\Users\Admin\RuntimeBroker"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:404
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /delete /f /tn "RuntimeBroker"
        3⤵
          PID:4144
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD9E0.tmp.bat""
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1016
          • C:\Windows\system32\timeout.exe
            timeout 3
            4⤵
            • Delays execution with timeout.exe
            PID:3356
      • C:\Users\Admin\Umbral1.exe
        "C:\Users\Admin\Umbral1.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1684
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" csproduct get uuid
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2340
    • C:\Users\Admin\RuntimeBroker
      C:\Users\Admin\RuntimeBroker
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:5028

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

      Filesize

      2KB

      MD5

      d85ba6ff808d9e5444a4b369f5bc2730

      SHA1

      31aa9d96590fff6981b315e0b391b575e4c0804a

      SHA256

      84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

      SHA512

      8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      944B

      MD5

      6d3e9c29fe44e90aae6ed30ccf799ca8

      SHA1

      c7974ef72264bbdf13a2793ccf1aed11bc565dce

      SHA256

      2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

      SHA512

      60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      944B

      MD5

      5cfe303e798d1cc6c1dab341e7265c15

      SHA1

      cd2834e05191a24e28a100f3f8114d5a7708dc7c

      SHA256

      c4d16552769ca1762f6867bce85589c645ac3dc490b650083d74f853f898cfab

      SHA512

      ef151bbe0033a2caf2d40aff74855a3f42c8171e05a11c8ce93c7039d9430482c43fe93d9164ee94839aff253cad774dbf619dde9a8af38773ca66d59ac3400e

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      944B

      MD5

      d8cb3e9459807e35f02130fad3f9860d

      SHA1

      5af7f32cb8a30e850892b15e9164030a041f4bd6

      SHA256

      2b139c74072ccbdaa17b950f32a6dbc934dfb7af9973d97c9b0d9c498012ba68

      SHA512

      045239ba31367fbdd59e883f74eafc05724e23bd6e8f0c1e7171ea2496a497eb9e0cfcb57285bb81c4d569daadba43d6ef64c626ca48f1e2a59e8d97f0cc9184

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2ejw003i.uq4.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • C:\Users\Admin\AppData\Local\Temp\tmpD9E0.tmp.bat

      Filesize

      146B

      MD5

      b5d4e44cf56134a76d98832e9f4923e8

      SHA1

      05a15f200af7bfdcd467fbfe286afa545438f388

      SHA256

      254ec6b271a5cd21728f41d92184d95790a38f0df0e94f9872fff097fb0fb033

      SHA512

      a674622d376a145282727f77cd084f7c7bff4cc098fc09d0f1ce69f81885c288e2aedca1203c72d47624b026ad8fd2600e84afda329c94ca77f8a9ce467a5ca4

    • C:\Users\Admin\Loader (1).exe

      Filesize

      827KB

      MD5

      eefb801774c5ccb44153268a9357f5f1

      SHA1

      b1906b22e14edd142c52808ab3e5ba9346b85de5

      SHA256

      677aeb1981c58cba41a5d53ccbbf5b471e62dc49dc326570767da940560d840d

      SHA512

      1cf162fe6184d68dca514059d2de1123e80d0faac401765a54224aa5a987c9454bc92263fbec566835aa7b402f1f63ba59bb425ccc139e0a7391e66991f270b7

    • C:\Users\Admin\RuntimeBroker.exe

      Filesize

      83KB

      MD5

      ed27f16daba642c2bc917e75e3b8fbaa

      SHA1

      b9e31e9835d2ca4a0490665559aadaa4c9e48c64

      SHA256

      97fcd56746339d2e17bc5627c5827ad0e2e18e8a114c764a951299ea5f3a27fe

      SHA512

      e5cab1626ab9824eb91cd79650b34840c29f10eaeb37cfbe2e024b21edc43d056b6e2cbd1edc949407a09ef10f75f477e2567f68c98078cf70d78d16f598bc91

    • C:\Users\Admin\Umbral1.exe

      Filesize

      231KB

      MD5

      844f85b3c38478161c8918e2d23a4835

      SHA1

      d2da62e3f0c50ddb3cc510af88368143790d59b9

      SHA256

      8f3ba7ae0aea1ad543fd98a1cb574bada9d363d476e12ae7a332ea83967883b5

      SHA512

      96d4ccdd853a7f878d0409f4f39f4f8fdd6bdf7d086ccd665e8f9141cf9ebc2916d079838e599c67c86cddfd02262c14cee434622821a8550c0dbd87535c95c7

    • memory/1684-89-0x00000201B64C0000-0x00000201B6500000-memory.dmp

      Filesize

      256KB

    • memory/1684-97-0x00007FFA10840000-0x00007FFA11301000-memory.dmp

      Filesize

      10.8MB

    • memory/1684-94-0x00007FFA10840000-0x00007FFA11301000-memory.dmp

      Filesize

      10.8MB

    • memory/3316-93-0x00007FFA10840000-0x00007FFA11301000-memory.dmp

      Filesize

      10.8MB

    • memory/3316-91-0x0000000000210000-0x000000000022C000-memory.dmp

      Filesize

      112KB

    • memory/3316-149-0x00007FFA10840000-0x00007FFA11301000-memory.dmp

      Filesize

      10.8MB

    • memory/3316-159-0x00007FFA10840000-0x00007FFA11301000-memory.dmp

      Filesize

      10.8MB

    • memory/3424-0-0x00007FFA10843000-0x00007FFA10845000-memory.dmp

      Filesize

      8KB

    • memory/3424-1-0x0000000000B20000-0x0000000000C46000-memory.dmp

      Filesize

      1.1MB

    • memory/3992-100-0x000001C754100000-0x000001C754122000-memory.dmp

      Filesize

      136KB

    • memory/5064-98-0x0000000008D10000-0x0000000008D48000-memory.dmp

      Filesize

      224KB

    • memory/5064-99-0x0000000008CE0000-0x0000000008CEE000-memory.dmp

      Filesize

      56KB

    • memory/5064-92-0x0000000000580000-0x0000000000656000-memory.dmp

      Filesize

      856KB