Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
64s -
max time network
68s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system -
submitted
16/11/2023, 19:13
Behavioral task
behavioral1
Sample
22222222.exe
Resource
win10v2004-20231023-en
General
-
Target
22222222.exe
-
Size
43KB
-
MD5
28bcf32fcb318339dd64c8ffbda36b92
-
SHA1
6d1f7481ab5c4bd19df3ad2d36912e1e42bb1e6c
-
SHA256
1b1611bfa2f8c3e714cb95a98bf4f565fe197432703993de521152208da6cd01
-
SHA512
23ed60a39b347e375e5ebb47a4dc5bca725772c8ecb3b5986ef71a7523be23f4bc5f05351583430475d5af8515d306b162ec1fd44d06bf1d2286b0eff20d2cbb
-
SSDEEP
768:SJ3a5ocRaQStXXq72sa+B0FFRPM9Wq6ZOChLvubWaT:Ca5orrda9GF69Wq6ZOCN2qaT
Malware Config
Extracted
xworm
5.0
16.ip.gl.ply.gg:59701
xtdPQVbeoiyzoNhe
-
Install_directory
%LocalAppData%
-
install_file
XClient.exe
Signatures
-
Detect Xworm Payload 3 IoCs
resource yara_rule behavioral1/memory/3608-0-0x0000000000F70000-0x0000000000F82000-memory.dmp family_xworm behavioral1/files/0x000d000000022cc4-75.dat family_xworm behavioral1/files/0x000d000000022cc4-76.dat family_xworm -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation 22222222.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk 22222222.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk 22222222.exe -
Executes dropped EXE 1 IoCs
pid Process 3408 XClient.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Local\\XClient.exe" 22222222.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1964 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 9 IoCs
pid Process 3048 powershell.exe 3048 powershell.exe 2160 powershell.exe 2160 powershell.exe 4668 powershell.exe 4668 powershell.exe 4084 powershell.exe 4084 powershell.exe 3608 22222222.exe -
Suspicious use of AdjustPrivilegeToken 7 IoCs
description pid Process Token: SeDebugPrivilege 3608 22222222.exe Token: SeDebugPrivilege 3048 powershell.exe Token: SeDebugPrivilege 2160 powershell.exe Token: SeDebugPrivilege 4668 powershell.exe Token: SeDebugPrivilege 4084 powershell.exe Token: SeDebugPrivilege 3608 22222222.exe Token: SeDebugPrivilege 3408 XClient.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3608 22222222.exe -
Suspicious use of WriteProcessMemory 10 IoCs
description pid Process procid_target PID 3608 wrote to memory of 3048 3608 22222222.exe 89 PID 3608 wrote to memory of 3048 3608 22222222.exe 89 PID 3608 wrote to memory of 2160 3608 22222222.exe 93 PID 3608 wrote to memory of 2160 3608 22222222.exe 93 PID 3608 wrote to memory of 4668 3608 22222222.exe 96 PID 3608 wrote to memory of 4668 3608 22222222.exe 96 PID 3608 wrote to memory of 4084 3608 22222222.exe 98 PID 3608 wrote to memory of 4084 3608 22222222.exe 98 PID 3608 wrote to memory of 1964 3608 22222222.exe 102 PID 3608 wrote to memory of 1964 3608 22222222.exe 102 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\22222222.exe"C:\Users\Admin\AppData\Local\Temp\22222222.exe"1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3608 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\22222222.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3048
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '22222222.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2160
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\XClient.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4668
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4084
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Local\XClient.exe"2⤵
- Creates scheduled task(s)
PID:1964
-
-
C:\Users\Admin\AppData\Local\XClient.exeC:\Users\Admin\AppData\Local\XClient.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3408
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD56d3e9c29fe44e90aae6ed30ccf799ca8
SHA1c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA2562360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA51260c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a
-
Filesize
944B
MD5caae66b2d6030f85188e48e4ea3a9fa6
SHA1108425bd97144fa0f92ff7b2109fec293d14a461
SHA256a6c642eaf80247e9682be60ab5ae9ece4d042af56013d164d8047b6fd1aefa1d
SHA512189119a2390e51a49ea0fb8ad1427279cc2bf85f220f3212957c50b33387623b42ab7736fb5a717757b5c4b99c570e7ed2e5e6a578424aafb5c126cdf129ea15
-
Filesize
944B
MD57e6fb773ca334f5d3ec171e50780b590
SHA18c6b533415de54e4b71282f94a3ac40bdb0ce166
SHA256997512026c7564ea7cea6451277db3b8e70699faae8e6b06a022448f80e8cd0f
SHA5127e1340bd1ad2574ca34d4f0d92a80d93b31b9e70146911490188c36b4a3b2d7305f05e059fa7571b0b9fb5ed6ec5d98f4ab9532454048ec3fec387654977cc3d
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
43KB
MD528bcf32fcb318339dd64c8ffbda36b92
SHA16d1f7481ab5c4bd19df3ad2d36912e1e42bb1e6c
SHA2561b1611bfa2f8c3e714cb95a98bf4f565fe197432703993de521152208da6cd01
SHA51223ed60a39b347e375e5ebb47a4dc5bca725772c8ecb3b5986ef71a7523be23f4bc5f05351583430475d5af8515d306b162ec1fd44d06bf1d2286b0eff20d2cbb
-
Filesize
43KB
MD528bcf32fcb318339dd64c8ffbda36b92
SHA16d1f7481ab5c4bd19df3ad2d36912e1e42bb1e6c
SHA2561b1611bfa2f8c3e714cb95a98bf4f565fe197432703993de521152208da6cd01
SHA51223ed60a39b347e375e5ebb47a4dc5bca725772c8ecb3b5986ef71a7523be23f4bc5f05351583430475d5af8515d306b162ec1fd44d06bf1d2286b0eff20d2cbb