Analysis
max time kernel: 134s
max time network: 136s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 23/04/2024, 23:35
General
Target: XClient.exe
Size: 38KB
MD5: 8de16a101c26eb3def9de0a4c1ed92e6
SHA1: 73a697ba5553b46c7b24439eb29e1d208d9efb42
SHA256: 7f00e48b3dbd744ca6daf1f62bf29434ff89215ac8a01b9c89496c4a5f57bab0
SHA512: c5fce2d9e68183cc3f2b8fb63dde45eaa8c0201927595b193cb754ed9aaa3d40319a0ae6a6e6d0d2f49fb8363b9d427dc297820c144c3cffd3d8041d256359dc
SSDEEP: 768:gjElHydACVE2rOnS7q1vFu1Fu96HOfhpDEi:h8B5CSGvF4Fu96HOfIi
Malware Config
Extracted
Family: xworm
Version: 3.1
C2: h2cker.ddns.net:194
JGTzs3YgAF2Db8Mc
Install_directory: %ProgramData%
install_file: USB.exe
Signatures

Detect Xworm Payload (2 IoCs)
resource yara_rule
- behavioral1/memory/3484-0-0x0000000000330000-0x0000000000340000-memory.dmp: family_xworm
- behavioral1/files/0x000a00000001ab62-7.dat: family_xworm

Executes dropped EXE (1 IoC)
pid Process
- 652 XClient.exe

Loads dropped DLL (1 IoC)
pid Process
- 3484 XClient.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 1 IoC)
description ioc Process
- Set value (str): \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\ProgramData\\XClient.exe" (XClient.exe)

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc
- 1 ip-api.com

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process
- 4536 schtasks.exe

Delays execution with timeout.exe (1 IoC)
pid Process
- 1880 timeout.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description pid Process
- Token: SeDebugPrivilege | 3484 | XClient.exe
- Token: SeDebugPrivilege | 652 | XClient.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
- PID 3484 wrote to memory of 4536 | 3484 | XClient.exe | 74
- PID 3484 wrote to memory of 4536 | 3484 | XClient.exe | 74
- PID 3484 wrote to memory of 2172 | 3484 | XClient.exe | 77
- PID 3484 wrote to memory of 2172 | 3484 | XClient.exe | 77
- PID 3484 wrote to memory of 1620 | 3484 | XClient.exe | 79
- PID 3484 wrote to memory of 1620 | 3484 | XClient.exe | 79
- PID 1620 wrote to memory of 1880 | 1620 | cmd.exe | 81
- PID 1620 wrote to memory of 1880 | 1620 | cmd.exe | 81

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\XClient.exe (PID 3484)
  Command line: "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
  Signatures: Loads dropped DLL; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\schtasks.exe (PID 4536)
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\ProgramData\XClient.exe"
    Signatures: Creates scheduled task(s)
  - C:\Windows\System32\schtasks.exe (PID 2172)
    Command line: "C:\Windows\System32\schtasks.exe" /delete /f /tn "XClient"
  - C:\Windows\system32\cmd.exe (PID 1620)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp603D.tmp.bat""
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\timeout.exe (PID 1880)
      Command line: timeout 3
      Signatures: Delays execution with timeout.exe
- C:\ProgramData\XClient.exe (PID 652)
  Command line: C:\ProgramData\XClient.exe
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads