Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

XClient.exe

windows10-1703-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    137s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    26/05/2024, 02:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    XClient.exe

  • Size

    183KB

  • MD5

    2b2588dbc679d917268e4ec17783db91

  • SHA1

    5d3d9b5e548972155ebf7fb8506eeb87ee8d1c85

  • SHA256

    a089baba4b046b231c5008343025b97f47bab795bdebd0fb47c608053ba4d8b8

  • SHA512

    11615bbf4477ad683b5cfd5ecf1fbffb7ec957a76b47c012de67f7540ac26b42e63c965cbc028da9430a43f340b4889c5b80de416f83364d6b8d1783c41f4c86

  • SSDEEP

    3072:JMf71a4l72Me/sigR1b60M7MDVOyFMgBz65/M6If+3Js+3JFkKeTno:JyPrbjM7KxBt25

Score
10/10
xwormexecutionrattrojan

Malware Config

Extracted

Family

xworm

Attributes
  • Install_directory

    %AppData%

  • install_file

    Spoofer.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops startup file 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\XClient.exe
    "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
    1⤵
    • Drops startup file
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2452
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4864
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:976
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Spoofer.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4424
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Spoofer.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:640

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    3KB

    MD5

    8592ba100a78835a6b94d5949e13dfc1

    SHA1

    63e901200ab9a57c7dd4c078d7f75dcd3b357020

    SHA256

    fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

    SHA512

    87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    31ff38da2faad227b4a58f8a9c3518e1

    SHA1

    7570c415eee21c58265a38fde5ce3924f04e3ee0

    SHA256

    86fdcb908209ecdae0d720066ca33d667cd18b530c2c88eeb4e81f5e1ba89016

    SHA512

    013e010214ef3d734564a6c0f5c78765e22b8e0ba714b871f0e4dfec97246bd9f22163ab725afa5194a5be8a0d9d3ddcb5ee06b895bf7b45a5864913fe6e2424

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    7fd8c4fb2bfdf1147cffdbe626876e57

    SHA1

    29dcadc976789a035cad7e9c1e9fc4c28de7574d

    SHA256

    8e5f76bc63ffdf60e836534189ed152733668ce014df2c2713f9bd9b83368a0a

    SHA512

    d53f974258c282b5cb6bc348c77e34c8bdd502b7bb37303625481e00b6c491ee324d86bf8204ec4f1cfc9820eabe7c7191ed975223948feeefbc26a79d19ef76

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    d0718d048ce8c7ef48af5802d22b8bbb

    SHA1

    18de622e48b52474cc7af62d77b089faf953392f

    SHA256

    294b9c6a3d38eae77642a9852fdc26261215a23cd400f43afc22f1ef6399c97f

    SHA512

    3843a681d14f59e29f59b7f3b292387e0d639d4a981dd005798f44f73e03ce74881a9a4a9d57fadfa946475b9698357baaaf8a3c33afad0eaa85e9fdfd0dd463

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_id01jyi0.4vg.ps1
    Filesize

    1B

    MD5

    c4ca4238a0b923820dcc509a6f75849b

    SHA1

    356a192b7913b04c54574d18c28d46e6395428ab

    SHA256

    6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

    SHA512

    4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

    Download Submit

  • memory/2452-0-0x00007FFB323B3000-0x00007FFB323B4000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2452-2-0x00007FFB323B0000-0x00007FFB32D9C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2452-1-0x00000000002B0000-0x00000000002E4000-memory.dmp

    Filesize

    208KB

    Download

  • memory/2452-187-0x00007FFB323B3000-0x00007FFB323B4000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2452-188-0x00007FFB323B0000-0x00007FFB32D9C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/4864-9-0x00007FFB323B0000-0x00007FFB32D9C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/4864-13-0x00007FFB323B0000-0x00007FFB32D9C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/4864-14-0x0000026E4B030000-0x0000026E4B0A6000-memory.dmp

    Filesize

    472KB

    Download

  • memory/4864-52-0x00007FFB323B0000-0x00007FFB32D9C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/4864-8-0x0000026E4ADA0000-0x0000026E4ADC2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4864-7-0x00007FFB323B0000-0x00007FFB32D9C000-memory.dmp

    Filesize

    9.9MB

    Download