Analysis
-
max time kernel
149s -
max time network
137s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system -
submitted
26/05/2024, 02:34
General
-
Target
XClient.exe
-
Size
183KB
-
MD5
2b2588dbc679d917268e4ec17783db91
-
SHA1
5d3d9b5e548972155ebf7fb8506eeb87ee8d1c85
-
SHA256
a089baba4b046b231c5008343025b97f47bab795bdebd0fb47c608053ba4d8b8
-
SHA512
11615bbf4477ad683b5cfd5ecf1fbffb7ec957a76b47c012de67f7540ac26b42e63c965cbc028da9430a43f340b4889c5b80de416f83364d6b8d1783c41f4c86
-
SSDEEP
3072:JMf71a4l72Me/sigR1b60M7MDVOyFMgBz65/M6If+3Js+3JFkKeTno:JyPrbjM7KxBt25
Malware Config
Extracted
xworm
-
Install_directory
%AppData%
-
install_file
Spoofer.exe
Signatures
-
Detect Xworm Payload 1 IoCs
resource: behavioral1/memory/2452-1-0x00000000002B0000-0x00000000002E4000-memory.dmp
yara_rule: family_xworm
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid / Process: 4864 powershell.exe; 976 powershell.exe; 4424 powershell.exe; 640 powershell.exe
-
Drops startup file 2 IoCs
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Spoofer.lnk (Process: XClient.exe)
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Spoofer.lnk (Process: XClient.exe)
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow 1, ioc: ip-api.com
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid / Process: 2452 XClient.exe
-
Suspicious behavior: EnumeratesProcesses 13 IoCs
pid / Process: 4864 powershell.exe; 4864 powershell.exe; 4864 powershell.exe; 976 powershell.exe; 976 powershell.exe; 976 powershell.exe; 4424 powershell.exe; 4424 powershell.exe; 4424 powershell.exe; 640 powershell.exe; 640 powershell.exe; 640 powershell.exe; 2452 XClient.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Tokens adjusted, grouped by pid / Process (in the order recorded):
2452 XClient.exe: SeDebugPrivilege
4864 powershell.exe: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
976 powershell.exe: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
4424 powershell.exe: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid / Process: 2452 XClient.exe
-
Suspicious use of WriteProcessMemory 8 IoCs
PID 2452 (XClient.exe) wrote to memory of 4864 (procid_target 74)
PID 2452 (XClient.exe) wrote to memory of 4864 (procid_target 74)
PID 2452 (XClient.exe) wrote to memory of 976 (procid_target 77)
PID 2452 (XClient.exe) wrote to memory of 976 (procid_target 77)
PID 2452 (XClient.exe) wrote to memory of 4424 (procid_target 79)
PID 2452 (XClient.exe) wrote to memory of 4424 (procid_target 79)
PID 2452 (XClient.exe) wrote to memory of 640 (procid_target 81)
PID 2452 (XClient.exe) wrote to memory of 640 (procid_target 81)
Processes
- C:\Users\Admin\AppData\Local\Temp\XClient.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
  - Drops startup file
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2452
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 4864
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 976
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Spoofer.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 4424
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Spoofer.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID: 640
Network
MITRE ATT&CK Enterprise v15
Downloads