Analysis
- max time kernel: 1556s
- max time network: 1557s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 04/03/2024, 13:40
Static task: static1
Behavioral task: behavioral1
  Sample: XMClient_Loader.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: XMClient_Loader.exe
  Resource: win10v2004-20240226-en
General
- Target: XMClient_Loader.exe
- Size: 342KB
- MD5: 70f462c7ee70ad17a46ae90fdedcb0ee
- SHA1: e4f4f5ae243dba45aac248f998bf15af1b86cd72
- SHA256: 912bab2aa9ae537409ccb7e893e2d07f53fb260e05987cc8c02dba2580f16662
- SHA512: 36c8d8d28057b3766c61990f17e3f215cdfeb1aa120d6c87361e58a1bc9a5046c3e5206e8d1ba320636228888ad9a576469504404cd9a08311107cfdcf443103
- SSDEEP: 6144:n5kvyHto7mibWBoukkYkkkk4kkkkmh3VDU+KfUh/GN+aTjquf+WBsmA:Q7+BoukkYkkkk4kkkkmZVDUfcNajjqA0
Malware Config
Signatures
- Deletes itself (1 IoCs)
  pid | Process
  2592 | cmd.exe
- Drops startup file (2 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | XMClient_Loader.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | XMClient_Loader.exe
- Executes dropped EXE (1 IoCs)
  pid | Process
  788 | svchost.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\svchost.exe" | XMClient_Loader.exe
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  2 | ip-api.com
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  2336 | schtasks.exe
- Delays execution with timeout.exe (1 IoCs)
  pid | Process
  2472 | timeout.exe
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid | Process
  2744 | powershell.exe
  2412 | powershell.exe
  2200 | powershell.exe
  1860 | powershell.exe
  2252 | XMClient_Loader.exe
- Suspicious use of AdjustPrivilegeToken (7 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2252 | XMClient_Loader.exe
  Token: SeDebugPrivilege | 2744 | powershell.exe
  Token: SeDebugPrivilege | 2412 | powershell.exe
  Token: SeDebugPrivilege | 2200 | powershell.exe
  Token: SeDebugPrivilege | 1860 | powershell.exe
  Token: SeDebugPrivilege | 2252 | XMClient_Loader.exe
  Token: SeDebugPrivilege | 788 | svchost.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  pid | Process
  2252 | XMClient_Loader.exe
- Suspicious use of WriteProcessMemory (27 IoCs)
  description | pid | Process | procid_target
  PID 2252 wrote to memory of 2744 | 2252 | XMClient_Loader.exe | 29
  PID 2252 wrote to memory of 2744 | 2252 | XMClient_Loader.exe | 29
  PID 2252 wrote to memory of 2744 | 2252 | XMClient_Loader.exe | 29
  PID 2252 wrote to memory of 2412 | 2252 | XMClient_Loader.exe | 31
  PID 2252 wrote to memory of 2412 | 2252 | XMClient_Loader.exe | 31
  PID 2252 wrote to memory of 2412 | 2252 | XMClient_Loader.exe | 31
  PID 2252 wrote to memory of 2200 | 2252 | XMClient_Loader.exe | 33
  PID 2252 wrote to memory of 2200 | 2252 | XMClient_Loader.exe | 33
  PID 2252 wrote to memory of 2200 | 2252 | XMClient_Loader.exe | 33
  PID 2252 wrote to memory of 1860 | 2252 | XMClient_Loader.exe | 35
  PID 2252 wrote to memory of 1860 | 2252 | XMClient_Loader.exe | 35
  PID 2252 wrote to memory of 1860 | 2252 | XMClient_Loader.exe | 35
  PID 2252 wrote to memory of 2336 | 2252 | XMClient_Loader.exe | 37
  PID 2252 wrote to memory of 2336 | 2252 | XMClient_Loader.exe | 37
  PID 2252 wrote to memory of 2336 | 2252 | XMClient_Loader.exe | 37
  PID 1920 wrote to memory of 788 | 1920 | taskeng.exe | 40
  PID 1920 wrote to memory of 788 | 1920 | taskeng.exe | 40
  PID 1920 wrote to memory of 788 | 1920 | taskeng.exe | 40
  PID 2252 wrote to memory of 2768 | 2252 | XMClient_Loader.exe | 43
  PID 2252 wrote to memory of 2768 | 2252 | XMClient_Loader.exe | 43
  PID 2252 wrote to memory of 2768 | 2252 | XMClient_Loader.exe | 43
  PID 2252 wrote to memory of 2592 | 2252 | XMClient_Loader.exe | 45
  PID 2252 wrote to memory of 2592 | 2252 | XMClient_Loader.exe | 45
  PID 2252 wrote to memory of 2592 | 2252 | XMClient_Loader.exe | 45
  PID 2592 wrote to memory of 2472 | 2592 | cmd.exe | 47
  PID 2592 wrote to memory of 2472 | 2592 | cmd.exe | 47
  PID 2592 wrote to memory of 2472 | 2592 | cmd.exe | 47
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\XMClient_Loader.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\XMClient_Loader.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2252
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XMClient_Loader.exe'
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2744
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XMClient_Loader.exe'
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2412
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\svchost.exe'
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2200
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 1860
    - C:\Windows\System32\schtasks.exe (depth 2)
      Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\svchost.exe"
      - Creates scheduled task(s)
      PID: 2336
    - C:\Windows\System32\schtasks.exe (depth 2)
      Command line: "C:\Windows\System32\schtasks.exe" /delete /f /tn "svchost"
      PID: 2768
    - C:\Windows\system32\cmd.exe (depth 2)
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpF0D4.tmp.bat""
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      PID: 2592
        - C:\Windows\system32\timeout.exe (depth 3)
          Command line: timeout 3
          - Delays execution with timeout.exe
          PID: 2472
- C:\Windows\system32\taskeng.exe (depth 1)
  Command line: taskeng.exe {C03ECE84-4B42-43C4-B34F-35B684D471B8} S-1-5-21-2721934792-624042501-2768869379-1000:BISMIZHX\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  PID: 1920
    - C:\Users\Admin\svchost.exe (depth 2)
      Command line: C:\Users\Admin\svchost.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID: 788
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 167B
  MD5: a21f8e06b1e029cb21a74788c43566e3
  SHA1: 13db11e1e751b97c0ee9d31c65cc02059f99c792
  SHA256: 55116752dfb38693fafdf9e4ed08f2dcae54a13f87153c93e94f05e8d3e9329c
  SHA512: 403b3b699b158001f10d958e9090337f0e83e1227103d2a06d17d4f48583a6ee3af05dbe828b561770f749e6a03cd12a724e46c017b50301b029034b8eca996c
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: ba24c56e8d8cd9594dd4e11497594ec7
  SHA1: c580f44307c397d08e82b1e51e986cd2e39a3c56
  SHA256: bb0d07a7ddc2e33e18bb9c1c0d2d5fc949595d81819b55ae072b481ac3eca2ac
  SHA512: ffc271871021008c6e053cd42d551030b9b3dffad05729e8e4200fa7f2c6dc884c133eb2ba43012e5f9418cd0844b5b4bb94253ec3dfea6e59fa4f50da68e092
- Filesize: 342KB
  MD5: 70f462c7ee70ad17a46ae90fdedcb0ee
  SHA1: e4f4f5ae243dba45aac248f998bf15af1b86cd72
  SHA256: 912bab2aa9ae537409ccb7e893e2d07f53fb260e05987cc8c02dba2580f16662
  SHA512: 36c8d8d28057b3766c61990f17e3f215cdfeb1aa120d6c87361e58a1bc9a5046c3e5206e8d1ba320636228888ad9a576469504404cd9a08311107cfdcf443103