Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 149s
max time network: 151s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 06/04/2024, 21:57
Behavioral tasks
behavioral1: Sample XClient.exe, Resource win7-20231129-en
behavioral2: Sample XClient.exe, Resource win10v2004-20240226-en
General
Target: XClient.exe
Size: 72KB
MD5: 3e8084d25cfbceadd9b370183206f118
SHA1: c4e6c55e01a1a6c2ac2fbc5e9e77b991bcc8f0f9
SHA256: 75e411e87e9d1a1bd396d0860be81d268058b4e258e39fdb7dc768ba212b71f4
SHA512: 8b169936d92bae713288b29f9eb4be4e71133e916976410f722d457bf85ee82c7e149c69eb28cb2faf435702962d9c47f10d1085d83ae551d3eb687528ac785f
SSDEEP: 1536:k73W+adUwi/TzJK1+gE0Lp/uGA7vv0OZmpxubcUj0Rur0TAjvvWO4xkdgR/:kTWAtJq+gE05Arv0OXbcquO2v/
Malware Config
Extracted
Family: xworm
C2:
  127.0.0.1:4782
  Enslotheya-26934.portmap.io:4782
  Enslotheya-26934.portmap.io:4782:4782
  That1funnykid-39791.portmap.io:4782
  That1funnykid-39791.portmap.io:4782:4782
Install_directory: %AppData%
install_file: XClient.exe
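The C2 list above needs normalising before it is fed to a blocklist or a hunt query: the extractor reports each portmap.io host twice (the second time with the port repeated as host:port:port), and 127.0.0.1:4782 is a placeholder that would only produce noise as a network indicator. The portmap.io names are port-forwarding relay subdomains, so the hostname, not whatever address it resolves to during analysis, is the durable indicator. The Python below is an added example and not the report's or tria.ge's own code; RAW_C2 is copied from the config above, while RELAY_SUFFIXES, C2, parse_c2, normalise_c2 and to_iocs are names this example introduces.

```python
"""Normalise the C2 list from an extracted XWorm config into usable indicators.

Added example; not tria.ge's extractor or output code. RAW_C2 is copied from
the report's Malware Config section, including the extractor's host:port:port
duplicates and the 127.0.0.1 placeholder, so both quirks are exercised.
"""
import ipaddress
from typing import NamedTuple

RAW_C2 = [
    "127.0.0.1:4782",
    "Enslotheya-26934.portmap.io:4782",
    "Enslotheya-26934.portmap.io:4782:4782",
    "That1funnykid-39791.portmap.io:4782",
    "That1funnykid-39791.portmap.io:4782:4782",
]

# Port-forwarding / dynamic-DNS providers: the hostname is the stable indicator,
# the resolved IP belongs to the relay and changes. Assumed list for this example.
RELAY_SUFFIXES = ("portmap.io",)


class C2(NamedTuple):
    host: str
    port: int
    relayed: bool  # True when the host sits under a known relay provider


def parse_c2(entry: str) -> C2:
    """Parse 'host:port' or the extractor's 'host:port:port' form.

    Hostnames and IPv4 literals only (IPv6 literals are not part of XWorm's
    config format and would need bracket handling). A repeated identical port
    is collapsed; two different ports in one entry are rejected, not guessed.
    """
    host, *ports = entry.strip().split(":")
    if not host or not ports or not all(p.isdigit() for p in ports):
        raise ValueError(f"malformed C2 entry: {entry!r}")
    if len(set(ports)) != 1:
        raise ValueError(f"conflicting ports in C2 entry: {entry!r}")
    port = int(ports[0])
    if not 0 < port < 65536:
        raise ValueError(f"port out of range in C2 entry: {entry!r}")
    host = host.lower().rstrip(".")
    relayed = host.endswith(tuple("." + s for s in RELAY_SUFFIXES))
    return C2(host, port, relayed)


def indicator_type(host: str) -> str:
    """'ip' for an IP literal, otherwise 'domain'."""
    try:
        ipaddress.ip_address(host)
        return "ip"
    except ValueError:
        return "domain"


def is_routable(host: str) -> bool:
    """False for loopback/private/link-local/unspecified IPs; True for hostnames."""
    if indicator_type(host) == "domain":
        return True
    ip = ipaddress.ip_address(host)
    return not (ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_unspecified)


def normalise_c2(entries) -> list:
    """Parse every entry, drop non-routable placeholders, de-duplicate in order."""
    out: list = []
    for e in entries:
        c2 = parse_c2(e)
        if is_routable(c2.host) and c2 not in out:
            out.append(c2)
    return out


def to_iocs(c2s) -> list:
    """Flat, sorted (type, value) pairs: hosts plus the distinct ports seen."""
    iocs = set()
    for c in c2s:
        iocs.add((indicator_type(c.host), c.host))
        iocs.add(("port", str(c.port)))
    return sorted(iocs)


if __name__ == "__main__":
    for c in normalise_c2(RAW_C2):
        print(f"{c.host}:{c.port}" + ("  (relay provider)" if c.relayed else ""))
    print(to_iocs(normalise_c2(RAW_C2)))
```

Running it yields the two portmap.io hosts once each, both flagged as relayed, with 4782 as the single port; the loopback entry is dropped rather than exported.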
Signatures
- Detect Xworm Payload (3 IoCs)
  resource | yara_rule
  behavioral1/memory/2216-0-0x0000000000C50000-0x0000000000C68000-memory.dmp | family_xworm
  behavioral1/files/0x000b0000000126ab-10.dat | family_xworm
  behavioral1/memory/2488-12-0x0000000000FB0000-0x0000000000FC8000-memory.dmp | family_xworm
- Drops startup file (2 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | XClient.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | XClient.exe
- Executes dropped EXE (2 IoCs)
  pid | Process
  2488 | XClient.exe
  1756 | XClient.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe" | XClient.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  4 | ip-api.com
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  2672 | schtasks.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid | Process
  2216 | XClient.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2216 | XClient.exe
  Token: SeDebugPrivilege | 2216 | XClient.exe
  Token: SeDebugPrivilege | 2488 | XClient.exe
  Token: SeDebugPrivilege | 1756 | XClient.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid | Process
  2216 | XClient.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 2216 wrote to memory of 2672 | 2216 | XClient.exe | 29   (3 identical rows)
  PID 1436 wrote to memory of 2488 | 1436 | taskeng.exe | 32   (3 identical rows)
  PID 1436 wrote to memory of 1756 | 1436 | taskeng.exe | 35   (3 identical rows)
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\XClient.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
  PID: 2216
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\schtasks.exe (child of PID 2216)
    command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
    PID: 2672
    - Creates scheduled task(s)
C:\Windows\system32\taskeng.exe
  command line: taskeng.exe {DD093C71-99A3-4EC7-9344-45F74E8D1FC7} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]
  PID: 1436
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\XClient.exe (child of PID 1436)
    command line: C:\Users\Admin\AppData\Roaming\XClient.exe
    PID: 2488
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  C:\Users\Admin\AppData\Roaming\XClient.exe (child of PID 1436)
    command line: C:\Users\Admin\AppData\Roaming\XClient.exe
    PID: 1756
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
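The process tree shows the persistence chain end to end: the first XClient.exe copy (PID 2216) registers a task named XClient that re-runs C:\Users\Admin\AppData\Roaming\XClient.exe every minute at the highest run level (/sc minute /mo 1 /RL HIGHEST), and taskeng.exe then launches that copy twice (PIDs 2488 and 1756) inside the 149-second run, which is why Executes dropped EXE fires twice. Together with the Run key and the Startup-folder .lnk from the Signatures section, that is three independent persistence mechanisms pointing at the same user-writable path. The Python below is an added example of detection logic over those three artefacts, not tria.ge's signature code: EVENTS is a constructed list of records shaped after the report's process tree and signature tables, plus one benign scheduled task for contrast; the record schema, the USER_WRITABLE pattern, the Finding type and the severity labels are assumptions of this example.

```python
"""Flag the persistence artefacts this report records.

Added example, not tria.ge's own signature logic. EVENTS is constructed from
the report's process tree and its Drops startup file / Adds Run key tables,
plus one benign task; the record schema is an assumption, not an EDR format.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Locations an unprivileged user can write to. A persisted binary living here
# rather than under Program Files or System32 is the common thread in all three
# mechanisms below (scheduled task, Run key, Startup folder).
USER_WRITABLE = re.compile(r"\\(AppData\\(Roaming|Local)|Temp|ProgramData|Users\\Public|Downloads)\\", re.IGNORECASE)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)

EVENTS = [
    # schtasks command line exactly as the process tree shows it (PID 2672)
    {"kind": "process", "cmdline": r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST '
                                   r'/sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"'},
    # constructed benign task: daily, from Program Files, default run level
    {"kind": "process", "cmdline": r'schtasks.exe /create /sc daily /st 02:00 /tn "NightlyBackup" '
                                   r'/tr "C:\Program Files\Backup\backup.exe"'},
    # Run key from the report (the report renders the value data with escaped backslashes)
    {"kind": "registry",
     "key": r"\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient",
     "data": r"C:\Users\Admin\AppData\Roaming\XClient.exe"},
    # Startup-folder shortcut from the report
    {"kind": "file", "process": "XClient.exe",
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk"},
]


@dataclass
class Finding:
    source: str
    severity: str  # high / medium / low
    reason: str


def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line, keeping quoted paths as one token."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_schtasks(cmdline: str) -> dict[str, str | None]:
    """Map lower-cased schtasks switches to their argument (None for bare flags).

    A switch consumes the next token unless that token is itself a switch,
    which handles mixtures like '/create /f /RL HIGHEST /sc minute /mo 1'.
    """
    toks = tokenize(cmdline)
    opts: dict[str, str | None] = {}
    i = 1  # toks[0] is the schtasks.exe path
    while i < len(toks):
        if not toks[i].startswith("/"):
            i += 1
            continue
        key = toks[i].lower()
        if i + 1 < len(toks) and not toks[i + 1].startswith("/"):
            opts[key] = toks[i + 1]
            i += 2
        else:
            opts[key] = None
            i += 1
    return opts


def assess_schtasks(cmdline: str) -> list[Finding]:
    opts = parse_schtasks(cmdline)
    out: list[Finding] = []
    if "/create" not in opts:
        return out
    tr = opts.get("/tr") or ""
    if USER_WRITABLE.search(tr):
        out.append(Finding("schtasks", "high", f"task action runs from a user-writable path: {tr}"))
    if (opts.get("/sc") or "").lower() == "minute":
        mo = opts.get("/mo") or "1"  # schtasks defaults /mo to 1 for a MINUTE schedule
        if mo.isdigit() and int(mo) <= 5:
            out.append(Finding("schtasks", "high", f"re-runs every {mo} minute(s): relaunch/watchdog loop"))
    if (opts.get("/rl") or "").upper() == "HIGHEST":
        out.append(Finding("schtasks", "medium", "/RL HIGHEST: runs elevated whenever the user's token allows it"))
    if "/f" in opts:
        out.append(Finding("schtasks", "low", "/f silently replaces any existing task with this name"))
    return out


def assess_registry(key: str, data: str) -> list[Finding]:
    if RUN_KEY.search(key) and USER_WRITABLE.search(data):
        return [Finding("run-key", "high", f"{key} -> {data}")]
    return []


def assess_file(path: str, process: str) -> list[Finding]:
    if STARTUP_DIR.search(path) and path.lower().endswith((".lnk", ".exe", ".bat", ".cmd", ".vbs", ".js")):
        return [Finding("startup-folder", "high", f"{process} wrote {path}")]
    return []


def assess_events(events: list[dict]) -> list[Finding]:
    """Dispatch each record to the matching check; findings keep event order."""
    findings: list[Finding] = []
    for ev in events:
        if ev["kind"] == "process" and "schtasks" in ev["cmdline"].lower():
            findings += assess_schtasks(ev["cmdline"])
        elif ev["kind"] == "registry":
            findings += assess_registry(ev["key"], ev["data"])
        elif ev["kind"] == "file":
            findings += assess_file(ev["path"], ev["process"])
    return findings


if __name__ == "__main__":
    for f in assess_events(EVENTS):
        print(f"[{f.severity:6}] {f.source}: {f.reason}")
```

The benign daily task produces no findings; the report's schtasks line yields four (user-writable target, one-minute re-run, highest run level, forced overwrite), and the Run key and Startup .lnk one each. The user-writable-path check is the one that generalises: a task, Run value or Startup entry that launches from %AppData%, %TEMP% or ProgramData is worth a look regardless of the name the malware picked.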
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 72KB
MD5: 3e8084d25cfbceadd9b370183206f118
SHA1: c4e6c55e01a1a6c2ac2fbc5e9e77b991bcc8f0f9
SHA256: 75e411e87e9d1a1bd396d0860be81d268058b4e258e39fdb7dc768ba212b71f4
SHA512: 8b169936d92bae713288b29f9eb4be4e71133e916976410f722d457bf85ee82c7e149c69eb28cb2faf435702962d9c47f10d1085d83ae551d3eb687528ac785f