Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
136s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
06/04/2024, 21:57
Behavioral task
behavioral1
Sample
XClient.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
XClient.exe
Resource
win10v2004-20240226-en
General
-
Target
XClient.exe
-
Size
72KB
-
MD5
3e8084d25cfbceadd9b370183206f118
-
SHA1
c4e6c55e01a1a6c2ac2fbc5e9e77b991bcc8f0f9
-
SHA256
75e411e87e9d1a1bd396d0860be81d268058b4e258e39fdb7dc768ba212b71f4
-
SHA512
8b169936d92bae713288b29f9eb4be4e71133e916976410f722d457bf85ee82c7e149c69eb28cb2faf435702962d9c47f10d1085d83ae551d3eb687528ac785f
-
SSDEEP
1536:k73W+adUwi/TzJK1+gE0Lp/uGA7vv0OZmpxubcUj0Rur0TAjvvWO4xkdgR/:kTWAtJq+gE05Arv0OXbcquO2v/
Malware Config
Extracted
xworm
127.0.0.1:4782
Enslotheya-26934.portmap.io:4782
Enslotheya-26934.portmap.io:4782:4782
That1funnykid-39791.portmap.io:4782
That1funnykid-39791.portmap.io:4782:4782
-
Install_directory
%AppData%
-
install_file
XClient.exe
Signatures
-
Detect Xworm Payload 2 IoCs
resource yara_rule behavioral2/memory/2372-0-0x00000000003D0000-0x00000000003E8000-memory.dmp family_xworm behavioral2/files/0x000b000000023150-9.dat family_xworm -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation XClient.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk XClient.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk XClient.exe -
Executes dropped EXE 2 IoCs
pid Process 632 XClient.exe 396 XClient.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe" XClient.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 21 ip-api.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3340 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2372 XClient.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 2372 XClient.exe Token: SeDebugPrivilege 2372 XClient.exe Token: SeDebugPrivilege 632 XClient.exe Token: SeDebugPrivilege 396 XClient.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2372 XClient.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 2372 wrote to memory of 3340 2372 XClient.exe 92 PID 2372 wrote to memory of 3340 2372 XClient.exe 92 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\XClient.exe"C:\Users\Admin\AppData\Local\Temp\XClient.exe"1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2372 -
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"2⤵
- Creates scheduled task(s)
PID:3340
-
-
C:\Users\Admin\AppData\Roaming\XClient.exeC:\Users\Admin\AppData\Roaming\XClient.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:632
-
C:\Users\Admin\AppData\Roaming\XClient.exeC:\Users\Admin\AppData\Roaming\XClient.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:396
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
654B
MD52ff39f6c7249774be85fd60a8f9a245e
SHA1684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA5121d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1
-
Filesize
72KB
MD53e8084d25cfbceadd9b370183206f118
SHA1c4e6c55e01a1a6c2ac2fbc5e9e77b991bcc8f0f9
SHA25675e411e87e9d1a1bd396d0860be81d268058b4e258e39fdb7dc768ba212b71f4
SHA5128b169936d92bae713288b29f9eb4be4e71133e916976410f722d457bf85ee82c7e149c69eb28cb2faf435702962d9c47f10d1085d83ae551d3eb687528ac785f