Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    2699s
  • max time network
    2606s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    28/09/2024, 20:27

General

  • Target

    nursultan by batchgx.exe

  • Size

    31KB

  • MD5

    e769f83e9296311f3a8499b34819afc3

  • SHA1

    d70fddf8da48795ad84aa4fa75d681a1e2b06b9f

  • SHA256

    f0e916dd6769b273107a1b0ae92099825116083fe3a3e502e5582fac159046a3

  • SHA512

    c4749b93e9b8cff355f3fb79b2855c0558734887c606f8b4ac07b58d590323896d5e97c9e6aea58b7fe6d7f3ea375a6f9ec214fd25a646504693e62aada943ec

  • SSDEEP

    384:RWrVqCDweO/ace/VgFpLJPgwDs2ETIiJ5R+gtFqBLTiZw/WNCvK9IkVuwxOjhf/:ZzT55ePJ5ZFr9RdOjhf/3vY

Malware Config

Extracted

Family

xworm

Version

3.1

C2

budget-compiled.gl.at.ply.gg:61672

Mutex

clIqiypuJSXeSvTO

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Drops startup file 2 IoCs
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 58 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Modifies registry class 46 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 38 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\nursultan by batchgx.exe
    "C:\Users\Admin\AppData\Local\Temp\nursultan by batchgx.exe"
    1⤵
    • Drops startup file
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3132
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp4C51.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3052
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:1224
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:4292
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:1968
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3824
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4148

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GX304FV6\www.bing[1].xml

    Filesize

    2KB

    MD5

    1b190a6098129bfc8926c59d220d2941

    SHA1

    06d70e2978d8bc382d1f2eec6146952414b91977

    SHA256

    3e242fbf68dcd5a85bd705c314bd951a419a99447b554d76dd8273ecf47e4cfc

    SHA512

    a29bdff96c305eddde89a15339d0e1068890fd8f17d24623c7753ef19c5ebdb912ec476996a30d7dc01533474097b992e6b670a63e91b40c08620ab287fcabe6

  • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GX304FV6\www.bing[1].xml

    Filesize

    32KB

    MD5

    ea025a542e305ac6a27418489dce8b07

    SHA1

    b9452f84d089b7536b730b81de6bd6e0ad7c62de

    SHA256

    91a13588fe6cb0a6591953483ba945f19e0b78daf75bed56172736b3b38994fc

    SHA512

    d8d701fb0e3c53b3336c52e710f38a4733c268b9716c18894dfd14a7beaebe6b09fa54891c1f8acb12043cceefe7a76877350315185e71da93117fb8bac0304a

  • C:\Users\Admin\AppData\Local\Temp\tmp4C51.tmp.bat

    Filesize

    172B

    MD5

    015a70b35983fe0968f042799eea4caf

    SHA1

    47ccd45c75fe525244aabed9141cb32a23c1d772

    SHA256

    06326ef57e162486c549c94020337430b7633f988ae601b389a5cdd2dbd40c75

    SHA512

    71d20e1958886ccce887c28bfe4cefbc390c521ce65b9f75144fa7bccd50cb605fd3eef7a2fcd2b34b3d730201e46c69f4a1aaba124c75765a087578858d430f

  • memory/3132-1-0x00000000000E0000-0x00000000000EE000-memory.dmp

    Filesize

    56KB

  • memory/3132-6-0x00007FFAA0650000-0x00007FFAA1112000-memory.dmp

    Filesize

    10.8MB

  • memory/3132-7-0x00007FFAA0653000-0x00007FFAA0655000-memory.dmp

    Filesize

    8KB

  • memory/3132-8-0x00007FFAA0650000-0x00007FFAA1112000-memory.dmp

    Filesize

    10.8MB

  • memory/3132-17-0x00007FFAA0650000-0x00007FFAA1112000-memory.dmp

    Filesize

    10.8MB

  • memory/3132-0-0x00007FFAA0653000-0x00007FFAA0655000-memory.dmp

    Filesize

    8KB

  • memory/3824-44-0x000001F477F90000-0x000001F478090000-memory.dmp

    Filesize

    1024KB

  • memory/3824-52-0x000001F478E80000-0x000001F478F80000-memory.dmp

    Filesize

    1024KB

  • memory/3824-91-0x000001F478130000-0x000001F478150000-memory.dmp

    Filesize

    128KB

  • memory/3824-92-0x000001F478D60000-0x000001F478D80000-memory.dmp

    Filesize

    128KB

  • memory/3824-115-0x000001F4791F0000-0x000001F479210000-memory.dmp

    Filesize

    128KB

  • memory/3824-47-0x000001F4787A0000-0x000001F4787C0000-memory.dmp

    Filesize

    128KB

  • memory/3824-27-0x000001F4561A0000-0x000001F4562A0000-memory.dmp

    Filesize

    1024KB