Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

ChromeX.exe

windows7-x64

10

ChromeX.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    25/06/2024, 02:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ChromeX.exe

  • Size

    194KB

  • MD5

    a1e62820b5ef69092346f3d9db6fd9ac

  • SHA1

    ac2ef78ee68befd3cf26ca87d9e8e6311796e908

  • SHA256

    827d6cec5db8ba1d6465bf99d1565259a96804840964aed7e2de4594b482b955

  • SHA512

    3e4358a010c3ea67151529a619981d92ca2e43145d8928835b27562d4ec7fa480bf1b008fe0a826997a0528f7526eaf08669b1de00655293a47bef28052ee88f

  • SSDEEP

    3072:O6Ok77/lR+b+rAzOnXTBg4NpVq8BxFRzaqF+o2GQJ7/JzqVfGvU:0k77/yb+sqBggVqwlL

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

downloads-pumps.gl.at.ply.gg:42186

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ChromeX.exe
    "C:\Users\Admin\AppData\Local\Temp\ChromeX.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2228
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ChromeX.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2396
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ChromeX.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2748
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2188
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2728

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    a2fd696c50131ad997b5f76ba4613211

    SHA1

    480bc06fb673fc6b215df3138419fa90b6241eab

    SHA256

    85e16bb44c3e542beedb6c5686ae74608d31fdd7a07c830a3116b2f6bc37067e

    SHA512

    dd0423563831373d07c395b005be82c0d94f0628fc7051417a4f93650d989accc5237d83b3c8cc50954d87a199e0b0243ee43f5cd9a22debdcebb2681832f0dd

    Download Submit

  • memory/2228-1-0x00000000008E0000-0x0000000000916000-memory.dmp

    Filesize

    216KB

    Download

  • memory/2228-34-0x00000000020D0000-0x00000000020DC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2228-0-0x000007FEF5DC3000-0x000007FEF5DC4000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2228-33-0x000000001A910000-0x000000001A990000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2228-32-0x000007FEF5DC3000-0x000007FEF5DC4000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2228-31-0x000000001A910000-0x000000001A990000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2396-7-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2396-8-0x00000000026E0000-0x00000000026E8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2396-6-0x00000000028C0000-0x0000000002940000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2748-15-0x0000000001F70000-0x0000000001F78000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2748-14-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

    Filesize

    2.9MB

    Download