Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Resubmissions

02/09/2024, 04:11

240902-erx5ws1ekl 10

31/08/2024, 15:44

240831-s6y8dssajf 10

31/08/2024, 15:41

240831-s4ytva1gph 10

31/08/2024, 15:35

240831-s1fh4a1fjk 10

Analysis

  • max time kernel
    719s
  • max time network
    721s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    31/08/2024, 15:41

General

  • Target

    XClient.exe

  • Size

    84KB

  • MD5

    13f12b20731a141144d59aef56828f78

  • SHA1

    2aef63a0f584914b022ea7d039bd431fa99520b3

  • SHA256

    28041fc75ea0dd89b4cfa6338ff7dd3ef053bf5e49eca14f6d8e4acc003c9c6b

  • SHA512

    19f9aeb3ceed2cd0ab93e0f449174de9f07afba41f38c620a1480b052c18ce898d52b9c90f3cfe83611064b4b6cf7444041a4b1d52de214811436975802bcbaa

  • SSDEEP

    1536:E4VFkamGxes+ESPmWnz5fH0hgThsipZR8beJKNlG8V6f7/7zOD5gfRJoBP:E4VNxedPmWt04/UbeSly7/vOD5c4V

Malware Config

Extracted

Family

xworm

C2

178.215.236.68:7000

Attributes
  • install_file

    USB.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Deletes itself 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\XClient.exe
    "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1020
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2784
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2692
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpA718.tmp.bat""
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:1900
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:992

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpA718.tmp.bat

    Filesize

    159B

    MD5

    c9f2a35c1ce15a06b9b168c546e4ed24

    SHA1

    265dcbf0f0cbcfac7ec6cd6ad505deaee9d038d4

    SHA256

    d6d890460d82f137a1a6e6aff4b7223d72049f35e5608b6498c3527ab9085614

    SHA512

    31cd42dae48d904103225ee5dc69656d1c4249ce2d1df2419dfeb38ace5379171bd315784ac88ff00f373a849100af9f0e303181a853b01ad5836bae9c6552c5

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    7KB

    MD5

    7545cb0e7b8388423fbc380b36c0a7e3

    SHA1

    aa6414259fcbabb75e1347f51db613e07f13bfb4

    SHA256

    984834914109fe732f2c2317090f3e05a4455b7a5f09a1bc71f5393401c8fc81

    SHA512

    2be708c5ef2ca95e25520912937d33be21882930b7a701d846714588d6b8c34899c6aca387f43c859efb103d16caac116a6ba9d655272c8717178f6d89f23243

  • memory/1020-17-0x000007FEF5713000-0x000007FEF5714000-memory.dmp

    Filesize

    4KB

  • memory/1020-2-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

    Filesize

    9.9MB

  • memory/1020-0-0x000007FEF5713000-0x000007FEF5714000-memory.dmp

    Filesize

    4KB

  • memory/1020-18-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

    Filesize

    9.9MB

  • memory/1020-1-0x0000000000C90000-0x0000000000CAC000-memory.dmp

    Filesize

    112KB

  • memory/1020-27-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

    Filesize

    9.9MB

  • memory/2692-15-0x000000001B770000-0x000000001BA52000-memory.dmp

    Filesize

    2.9MB

  • memory/2692-16-0x0000000001E90000-0x0000000001E98000-memory.dmp

    Filesize

    32KB

  • memory/2784-7-0x00000000028E0000-0x0000000002960000-memory.dmp

    Filesize

    512KB

  • memory/2784-8-0x000000001B680000-0x000000001B962000-memory.dmp

    Filesize

    2.9MB

  • memory/2784-9-0x0000000002240000-0x0000000002248000-memory.dmp

    Filesize

    32KB