Analysis
- max time kernel: 597s
- max time network: 589s
- platform: windows7_x64
- resource: win7-20240215-en
- resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
- submitted: 05/06/2024, 16:53
Behavioral tasks

| Task | Sample | Resource |
|---|---|---|
| behavioral1 | XClient.exe | win10-20240404-en |
| behavioral2 | XClient.exe | win7-20240215-en |
| behavioral3 | XClient.exe | win10v2004-20240426-en |
| behavioral4 | XClient.exe | win11-20240426-en |
General
- Target: XClient.exe
- Size: 43KB
- MD5: 9a6ce16635ceb90281c16062ae68a06c
- SHA1: 319ee0e49c3a23cf6afa7cb34d358247b6fbc89e
- SHA256: f9a8f2e29dc5966bcb6f5a9b118a0e2cb2807619d9ce16dbb18e71737bf44ac8
- SHA512: ec1e632a6efc0c8aa20386c3925a3b3a2941a33992d788de6d5a777a10c267e073b57d8a95af3d00684b0c4c33efb060f1d126c95179de731a19c71da36eb589
- SSDEEP: 768:ZY8ErOTKMYpyyNRyjymZ49pnWwFFEPh9Cf66FOChtk2lHxfgm:6/OUTc6Fw9y66FOCIwRt
Malware Config
Extracted
- xworm
- 3.0
- lunassworld-50930.portmap.host:5508
- tBgRQhKX6pJuMKdy
- Install_directory: %AppData%
- install_file: USB.exe
Signatures

Detect Xworm Payload (9 IoCs)

| resource | yara_rule |
|---|---|
| behavioral2/memory/2416-1-0x00000000000A0000-0x00000000000B2000-memory.dmp | family_xworm |
| behavioral2/files/0x001b00000000558a-28.dat | family_xworm |
| behavioral2/memory/1644-33-0x00000000000B0000-0x00000000000C2000-memory.dmp | family_xworm |
| behavioral2/memory/1284-37-0x0000000000C00000-0x0000000000C12000-memory.dmp | family_xworm |
| behavioral2/memory/1744-40-0x00000000012C0000-0x00000000012D2000-memory.dmp | family_xworm |
| behavioral2/memory/2876-42-0x0000000000150000-0x0000000000162000-memory.dmp | family_xworm |
| behavioral2/memory/2768-44-0x0000000000090000-0x00000000000A2000-memory.dmp | family_xworm |
| behavioral2/memory/2232-46-0x0000000001150000-0x0000000001162000-memory.dmp | family_xworm |
| behavioral2/memory/2852-48-0x00000000012D0000-0x00000000012E2000-memory.dmp | family_xworm |

Command and Scripting Interpreter: PowerShell (1 TTP, 3 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

| pid | Process |
|---|---|
| 2712 | powershell.exe |
| 2824 | powershell.exe |
| 2468 | powershell.exe |

Drops startup file (2 IoCs)

| description | ioc | Process |
|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | XClient.exe |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | XClient.exe |

Executes dropped EXE (10 IoCs)

| pid | Process |
|---|---|
| 1644 | XClient.exe |
| 1284 | XClient.exe |
| 840 | XClient.exe |
| 1744 | XClient.exe |
| 2876 | XClient.exe |
| 2768 | XClient.exe |
| 2232 | XClient.exe |
| 2852 | XClient.exe |
| 360 | XClient.exe |
| 2404 | XClient.exe |

Adds Run key to start application (2 TTPs, 1 IoC)

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe" | XClient.exe |

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.

| flow | ioc |
|---|---|
| 4 | ip-api.com |

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

| pid | Process |
|---|---|
| 2208 | schtasks.exe |

Suspicious behavior: EnumeratesProcesses (4 IoCs)

| pid | Process |
|---|---|
| 2712 | powershell.exe |
| 2824 | powershell.exe |
| 2468 | powershell.exe |
| 2416 | XClient.exe |

Suspicious use of AdjustPrivilegeToken (15 IoCs)

| description | pid | Process |
|---|---|---|
| Token: SeDebugPrivilege | 2416 | XClient.exe |
| Token: SeDebugPrivilege | 2712 | powershell.exe |
| Token: SeDebugPrivilege | 2824 | powershell.exe |
| Token: SeDebugPrivilege | 2468 | powershell.exe |
| Token: SeDebugPrivilege | 2416 | XClient.exe |
| Token: SeDebugPrivilege | 1644 | XClient.exe |
| Token: SeDebugPrivilege | 1284 | XClient.exe |
| Token: SeDebugPrivilege | 840 | XClient.exe |
| Token: SeDebugPrivilege | 1744 | XClient.exe |
| Token: SeDebugPrivilege | 2876 | XClient.exe |
| Token: SeDebugPrivilege | 2768 | XClient.exe |
| Token: SeDebugPrivilege | 2232 | XClient.exe |
| Token: SeDebugPrivilege | 2852 | XClient.exe |
| Token: SeDebugPrivilege | 360 | XClient.exe |
| Token: SeDebugPrivilege | 2404 | XClient.exe |

Suspicious use of SetWindowsHookEx (1 IoC)

| pid | Process |
|---|---|
| 2416 | XClient.exe |

Suspicious use of WriteProcessMemory (42 IoCs)
Each of the 14 source/target pairs below was recorded three times in the report, giving 42 entries in total.

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 2416 wrote to memory of 2712 | 2416 | XClient.exe | 29 |
| PID 2416 wrote to memory of 2824 | 2416 | XClient.exe | 31 |
| PID 2416 wrote to memory of 2468 | 2416 | XClient.exe | 33 |
| PID 2416 wrote to memory of 2208 | 2416 | XClient.exe | 35 |
| PID 2636 wrote to memory of 1644 | 2636 | taskeng.exe | 38 |
| PID 2636 wrote to memory of 1284 | 2636 | taskeng.exe | 41 |
| PID 2636 wrote to memory of 840 | 2636 | taskeng.exe | 42 |
| PID 2636 wrote to memory of 1744 | 2636 | taskeng.exe | 43 |
| PID 2636 wrote to memory of 2876 | 2636 | taskeng.exe | 44 |
| PID 2636 wrote to memory of 2768 | 2636 | taskeng.exe | 45 |
| PID 2636 wrote to memory of 2232 | 2636 | taskeng.exe | 46 |
| PID 2636 wrote to memory of 2852 | 2636 | taskeng.exe | 47 |
| PID 2636 wrote to memory of 360 | 2636 | taskeng.exe | 48 |
| PID 2636 wrote to memory of 2404 | 2636 | taskeng.exe | 49 |

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

- C:\Users\Admin\AppData\Local\Temp\XClient.exe (PID 2416)
  Command line: "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2712)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2824)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2468)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\schtasks.exe (PID 2208)
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
    - Creates scheduled task(s)
- C:\Windows\system32\taskeng.exe (PID 2636)
  Command line: taskeng.exe {F9B54A9E-2D16-4F1D-93EE-74F06E34D81E} S-1-5-21-2248906074-2862704502-246302768-1000:GHPZRGFC\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\XClient.exe (PID 1644)
    Command line: C:\Users\Admin\AppData\Roaming\XClient.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Roaming\XClient.exe (PID 1284)
    Command line: C:\Users\Admin\AppData\Roaming\XClient.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Roaming\XClient.exe (PID 840)
    Command line: C:\Users\Admin\AppData\Roaming\XClient.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Roaming\XClient.exe (PID 1744)
    Command line: C:\Users\Admin\AppData\Roaming\XClient.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Roaming\XClient.exe (PID 2876)
    Command line: C:\Users\Admin\AppData\Roaming\XClient.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Roaming\XClient.exe (PID 2768)
    Command line: C:\Users\Admin\AppData\Roaming\XClient.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Roaming\XClient.exe (PID 2232)
    Command line: C:\Users\Admin\AppData\Roaming\XClient.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Roaming\XClient.exe (PID 2852)
    Command line: C:\Users\Admin\AppData\Roaming\XClient.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Roaming\XClient.exe (PID 360)
    Command line: C:\Users\Admin\AppData\Roaming\XClient.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Roaming\XClient.exe (PID 2404)
    Command line: C:\Users\Admin\AppData\Roaming\XClient.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  - Filesize: 7KB
  - MD5: 235e86fb52ce884c64546e1b4dcd01d9
  - SHA1: 29d53f7ee5ab02115569b1b9878ba3bd3965062d
  - SHA256: 9c38e15346aaf87dde89022d5ad00eb700c33fcc81b35cd41ec151844ecbc40b
  - SHA512: 183b1148f9063d52101ce4a5b610cf97efbcf2dfbe620c93ccc5851fa777c8668e1a6131fc722b49681e1eab0152662b5b2af27a0652a28666ebffb5a6455078
- (no path given in the report)
  - Filesize: 43KB
  - MD5: 9a6ce16635ceb90281c16062ae68a06c
  - SHA1: 319ee0e49c3a23cf6afa7cb34d358247b6fbc89e
  - SHA256: f9a8f2e29dc5966bcb6f5a9b118a0e2cb2807619d9ce16dbb18e71737bf44ac8
  - SHA512: ec1e632a6efc0c8aa20386c3925a3b3a2941a33992d788de6d5a777a10c267e073b57d8a95af3d00684b0c4c33efb060f1d126c95179de731a19c71da36eb589