Resubmissions
02/09/2024, 04:11 UTC    240902-erx5ws1ekl    10
31/08/2024, 15:44 UTC    240831-s6y8dssajf    10
31/08/2024, 15:41 UTC    240831-s4ytva1gph    10
31/08/2024, 15:35 UTC    240831-s1fh4a1fjk    10
Analysis
- max time kernel: 719s
- max time network: 721s
- platform: windows7_x64
- resource: win7-20240705-en
- resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- submitted: 31/08/2024, 15:41 UTC
Behavioral tasks
- behavioral1: Sample XClient.exe, Resource win11-20240802-en
- behavioral2: Sample XClient.exe, Resource win7-20240705-en
- behavioral3: Sample XClient.exe, Resource win10-20240404-en
- behavioral4: Sample XClient.exe, Resource win10v2004-20240802-en
General
- Target: XClient.exe
- Size: 84KB
- MD5: 13f12b20731a141144d59aef56828f78
- SHA1: 2aef63a0f584914b022ea7d039bd431fa99520b3
- SHA256: 28041fc75ea0dd89b4cfa6338ff7dd3ef053bf5e49eca14f6d8e4acc003c9c6b
- SHA512: 19f9aeb3ceed2cd0ab93e0f449174de9f07afba41f38c620a1480b052c18ce898d52b9c90f3cfe83611064b4b6cf7444041a4b1d52de214811436975802bcbaa
- SSDEEP: 1536:E4VFkamGxes+ESPmWnz5fH0hgThsipZR8beJKNlG8V6f7/7zOD5gfRJoBP:E4VNxedPmWt04/UbeSly7/vOD5c4V
Malware Config
Extracted: xworm
- 178.215.236.68:7000
- install_file: USB.exe
Signatures
- Detect Xworm Payload (1 IoC)
  resource: behavioral2/memory/1020-1-0x0000000000C90000-0x0000000000CAC000-memory.dmp
  yara_rule: family_xworm
- Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
  Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid / Process: 2784 powershell.exe; 2692 powershell.exe
- Deletes itself (1 IoC)
  pid / Process: 1900 cmd.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow / ioc: 4 ip-api.com
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Delays execution with timeout.exe (1 IoC)
  pid / Process: 992 timeout.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid / Process: 2784 powershell.exe; 2692 powershell.exe; 1020 XClient.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description / pid / Process:
  Token: SeDebugPrivilege    1020 XClient.exe
  Token: SeDebugPrivilege    2784 powershell.exe
  Token: SeDebugPrivilege    2692 powershell.exe
  Token: SeDebugPrivilege    1020 XClient.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid / Process: 1020 XClient.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description / pid / Process / procid_target:
  PID 1020 wrote to memory of 2784    1020 XClient.exe    30
  PID 1020 wrote to memory of 2784    1020 XClient.exe    30
  PID 1020 wrote to memory of 2784    1020 XClient.exe    30
  PID 1020 wrote to memory of 2692    1020 XClient.exe    32
  PID 1020 wrote to memory of 2692    1020 XClient.exe    32
  PID 1020 wrote to memory of 2692    1020 XClient.exe    32
  PID 1020 wrote to memory of 1900    1020 XClient.exe    34
  PID 1020 wrote to memory of 1900    1020 XClient.exe    34
  PID 1020 wrote to memory of 1900    1020 XClient.exe    34
  PID 1900 wrote to memory of 992     1900 cmd.exe        36
  PID 1900 wrote to memory of 992     1900 cmd.exe        36
  PID 1900 wrote to memory of 992     1900 cmd.exe        36
Processes
- C:\Users\Admin\AppData\Local\Temp\XClient.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
  PID: 1020
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
    PID: 2784
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    PID: 2692
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpA718.tmp.bat""
    PID: 1900
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\timeout.exe
      Command line: timeout 3
      PID: 992
      - Delays execution with timeout.exe
Network
- Remote address: 8.8.8.8:53
  Request: ip-api.com IN A
  Response: ip-api.com IN A 208.95.112.1
- Remote address: 208.95.112.1:80
  Request:
    GET /line/?fields=hosting HTTP/1.1
    Host: ip-api.com
    Connection: Keep-Alive
  Response:
    HTTP/1.1 200 OK
    Content-Type: text/plain; charset=utf-8
    Content-Length: 6
    Access-Control-Allow-Origin: *
    X-Ttl: 60
    X-Rl: 44
  264 B    307 B    4    3
- HTTP Request: GET http://ip-api.com/line/?fields=hosting
  HTTP Response: 200
  2.7kB    17.2kB    32    33
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 159B
  MD5: c9f2a35c1ce15a06b9b168c546e4ed24
  SHA1: 265dcbf0f0cbcfac7ec6cd6ad505deaee9d038d4
  SHA256: d6d890460d82f137a1a6e6aff4b7223d72049f35e5608b6498c3527ab9085614
  SHA512: 31cd42dae48d904103225ee5dc69656d1c4249ce2d1df2419dfeb38ace5379171bd315784ac88ff00f373a849100af9f0e303181a853b01ad5836bae9c6552c5
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 7545cb0e7b8388423fbc380b36c0a7e3
  SHA1: aa6414259fcbabb75e1347f51db613e07f13bfb4
  SHA256: 984834914109fe732f2c2317090f3e05a4455b7a5f09a1bc71f5393401c8fc81
  SHA512: 2be708c5ef2ca95e25520912937d33be21882930b7a701d846714588d6b8c34899c6aca387f43c859efb103d16caac116a6ba9d655272c8717178f6d89f23243