Analysis
max time kernel: 150s
max time network: 155s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 15/11/2024, 21:55
Static task
static1
General
Target: output_script.ps1
Size: 60KB
MD5: d2c91090b3463475fa41bb45e31955da
SHA1: e8caae205de7a85b3857a93516ef60ce9d3fb2ba
SHA256: 8abfafa85a7109f7a6b5c010333fe1aa4a9feac5c225a4e7dd87e7ac09efe271
SHA512: ad155fcefd2c3b9df6fabd14ebfaf4e8d73648aa69ee01dfd90c188faa17bf5a0c011049ca3702d77c49a0d770fc288dce7e970173876714d00967bbb627f2fa
SSDEEP: 1536:rqzkCPZcgt/fREZ1J5k4rX5uyC+ZgwiHNv+xYEnR6/q:rufnhtvy6S
Malware Config
Extracted
xenorat
195.88.218.66
Loli
Attributes:
  delay: 5000
  install_path: appdata
  port: 30101
  startup_name: Edge
Signatures
Detect XenoRat Payload 2 IoCs
resource | yara_rule
behavioral1/files/0x001d00000002aa81-17.dat | family_xenorat
behavioral1/memory/2292-27-0x0000000000090000-0x00000000000A2000-memory.dmp | family_xenorat
Xenorat family
Executes dropped EXE 2 IoCs
pid | Process
2292 | output.exe
1956 | output.exe
Command and Scripting Interpreter: PowerShell
pid | Process
816 | powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | output.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | output.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1480 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
816 | powershell.exe
816 | powershell.exe
1956 | output.exe (this entry is repeated for the remaining 62 IoCs)
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 816 | powershell.exe
Token: SeDebugPrivilege | 1956 | output.exe
Suspicious use of WriteProcessMemory 9 IoCs
description | pid | Process | procid_target
PID 816 wrote to memory of 2292 | 816 | powershell.exe | 81
PID 816 wrote to memory of 2292 | 816 | powershell.exe | 81
PID 816 wrote to memory of 2292 | 816 | powershell.exe | 81
PID 2292 wrote to memory of 1956 | 2292 | output.exe | 82
PID 2292 wrote to memory of 1956 | 2292 | output.exe | 82
PID 2292 wrote to memory of 1956 | 2292 | output.exe | 82
PID 1956 wrote to memory of 1480 | 1956 | output.exe | 83
PID 1956 wrote to memory of 1480 | 1956 | output.exe | 83
PID 1956 wrote to memory of 1480 | 1956 | output.exe | 83
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\output_script.ps1
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:816
  C:\Users\Admin\AppData\Local\Temp\output.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\output.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2292
    C:\Users\Admin\AppData\Roaming\XenoManager\output.exe
      Command line: "C:\Users\Admin\AppData\Roaming\XenoManager\output.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID:1956
      C:\Windows\SysWOW64\schtasks.exe
        Command line: "schtasks.exe" /Create /TN "Edge" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC6EA.tmp" /F
        - System Location Discovery: System Language Discovery
        - Scheduled Task/Job: Scheduled Task
        PID:1480
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 45KB
MD5: 49d0f623149c8d958c5772ebde52caa4
SHA1: c1216fb078bcd33ce5ae4784173f02b370369219
SHA256: 0bffbaa3d1a3d13e9eb070f3eb26ae390a5fab1443738a62131a898db115252b
SHA512: cb35a1a4df0285bae1a391237fad40fb60bdba33f041dd7a38ee52fcff8e0ebcc35f711b3408e08f417103ca062b76c8773c4625f101ea88ec1c4e5163ac7dd7

Filesize: 1KB
MD5: 9a78186dc0e3f60133fc3d9bb40f86aa
SHA1: 10bd7cc4c2130813ec50c0001320c84cf3b0f796
SHA256: ebc35e891f01846eca3153f7b7edf791c7638027acf9b9b3a9e519f7f8169d7e
SHA512: 5fd3cde809ac82c38d4f4b9203c7f02d008574f85826542e50a05d026d5274c541b96523f5774ac519ac3aae371b1b42fd94212ddbf5de1ad9de1b27b563a59c