
Resubmissions

  • 02/09/2024, 04:11 UTC: 240902-erx5ws1ekl (score 10)
  • 31/08/2024, 15:44 UTC: 240831-s6y8dssajf (score 10)
  • 31/08/2024, 15:41 UTC: 240831-s4ytva1gph (score 10)
  • 31/08/2024, 15:35 UTC: 240831-s1fh4a1fjk (score 10)

Analysis

  • max time kernel
    719s
  • max time network
    721s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    31/08/2024, 15:41 UTC

General

  • Target

    XClient.exe

  • Size

    84KB

  • MD5

    13f12b20731a141144d59aef56828f78

  • SHA1

    2aef63a0f584914b022ea7d039bd431fa99520b3

  • SHA256

    28041fc75ea0dd89b4cfa6338ff7dd3ef053bf5e49eca14f6d8e4acc003c9c6b

  • SHA512

    19f9aeb3ceed2cd0ab93e0f449174de9f07afba41f38c620a1480b052c18ce898d52b9c90f3cfe83611064b4b6cf7444041a4b1d52de214811436975802bcbaa

  • SSDEEP

    1536:E4VFkamGxes+ESPmWnz5fH0hgThsipZR8beJKNlG8V6f7/7zOD5gfRJoBP:E4VNxedPmWt04/UbeSly7/vOD5c4V

Malware Config

Extracted

Family

xworm

C2

178.215.236.68:7000

Attributes
  • install_file

    USB.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Runs PowerShell to change Windows Defender settings by adding exclusions (file extensions, paths or processes). In this run the two invocations use Add-MpPreference to exclude the sample's own path and its process name.

  • Deletes itself 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service (ip-api.com). Here only the `hosting` field is requested, which tells the sample whether its egress IP belongs to a hosting/datacenter range; this is a check for analysis environments rather than a lookup of the address itself.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\XClient.exe
    "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1020
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2784
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2692
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpA718.tmp.bat""
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:1900
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:992
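The two host-side behaviours in the tree above (Defender exclusions added for the sample's own path and process name, and the cmd.exe/timeout.exe helper batch the report tags as "Deletes itself") are the ones a detection engineer would turn into process-creation rules. The Python below is an added example, not Triage's code or anything from the sample: it runs two such rules over event records constructed from the PIDs, images and command lines listed above (the parent of PID 1020 is not shown in the report and is recorded as unknown). `ProcEvent`, `Finding` and the rule names are this example's own.

```python
"""Process-creation rules for the behaviours in this report's process tree.

Two things stand out: PowerShell adding Defender exclusions that cover the
parent's own image, and cmd.exe running a %TEMP% batch whose first child is
timeout.exe (the report's "Deletes itself" tag). Both become rules below.
"""
import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: Optional[int]   # None where the report does not show a parent
    image: str
    cmdline: str


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str
    excludes_parent: bool = False


POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
XCLIENT = r"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

# Constructed from the report's process tree: same PIDs, images and command lines.
EVENTS = [
    ProcEvent(1020, None, XCLIENT, f'"{XCLIENT}"'),
    ProcEvent(2784, 1020, POWERSHELL,
              f"\"{POWERSHELL}\" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath '{XCLIENT}'"),
    ProcEvent(2692, 1020, POWERSHELL,
              f"\"{POWERSHELL}\" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'"),
    ProcEvent(1900, 1020, r"C:\Windows\system32\cmd.exe",
              r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpA718.tmp.bat""'),
    ProcEvent(992, 1900, r"C:\Windows\system32\timeout.exe", "timeout 3"),
]

# Add-MpPreference -Exclusion{Path,Process,Extension,IpAddress} <value>; the value may be quoted.
EXCLUSION_RE = re.compile(
    r"Add-MpPreference\b.*?-Exclusion(?P<kind>Path|Process|Extension|IpAddress)\s+"
    r"(?P<value>'[^']*'|\"[^\"]*\"|\S+)",
    re.IGNORECASE,
)
# cmd /c "<...>\Temp\<name>.bat" (cmd doubles the quotes when the path itself is quoted)
TEMP_BAT_RE = re.compile(r'cmd(?:\.exe)?\s+/c\s+"*([^"]*\\Temp\\[^"\\]*\.bat)"*', re.IGNORECASE)


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()   # ntpath: these are Windows paths, even when run on Linux


def defender_exclusion_findings(events: List[ProcEvent]) -> List[Finding]:
    """Flag Add-MpPreference exclusions; mark those that cover the calling parent's own image."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if _basename(e.image) not in ("powershell.exe", "pwsh.exe"):
            continue
        m = EXCLUSION_RE.search(e.cmdline)
        if not m:
            continue
        kind, value = m.group("kind"), m.group("value").strip("'\"")
        parent = by_pid.get(e.ppid)
        covers_parent = False
        if parent is not None:
            p_image, v = parent.image.lower(), value.lower()
            if kind.lower() == "path":      # exact file, or a directory that contains it
                covers_parent = p_image == v or p_image.startswith(v.rstrip("\\") + "\\")
            elif kind.lower() == "process":
                covers_parent = _basename(p_image) == _basename(v)
        findings.append(Finding("defender_exclusion_added", e.pid, f"-Exclusion{kind} {value}", covers_parent))
    return findings


def self_delete_findings(events: List[ProcEvent]) -> List[Finding]:
    """Flag cmd.exe running a %TEMP% .bat that spawns timeout.exe (the delayed-delete helper pattern)."""
    children = defaultdict(list)
    for e in events:
        children[e.ppid].append(e)
    findings = []
    for e in events:
        if _basename(e.image) != "cmd.exe":
            continue
        m = TEMP_BAT_RE.search(e.cmdline)
        if m and any(_basename(c.image) == "timeout.exe" for c in children[e.pid]):
            findings.append(Finding("temp_batch_with_timeout", e.pid, m.group(1)))
    return findings


if __name__ == "__main__":
    for f in defender_exclusion_findings(EVENTS) + self_delete_findings(EVENTS):
        print(f"{f.rule:<26} pid={f.pid:<5} covers-parent={f.excludes_parent!s:<5} {f.detail}")
```

On a real host the same matches come from Sysmon Event ID 1 or Security event 4688 with command-line logging enabled. An exclusion that names the calling parent's own image, as both findings here do, is high-signal and rarely legitimate; it is undone with `Remove-MpPreference -ExclusionPath <path>` and `Remove-MpPreference -ExclusionProcess <name>`, and the 159-byte helper batch hashed under Downloads is worth collecting before it is cleaned up.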

Network

  • DNS lookup by XClient.exe
    Remote address: 8.8.8.8:53
    Request: ip-api.com IN A
    Response: ip-api.com IN A 208.95.112.1
  • HTTP GET http://ip-api.com/line/?fields=hosting by XClient.exe
    Remote address: 208.95.112.1:80
    Request:
    GET /line/?fields=hosting HTTP/1.1
    Host: ip-api.com
    Connection: Keep-Alive
    Response:
    HTTP/1.1 200 OK
    Date: Sat, 31 Aug 2024 15:41:50 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 6
    Access-Control-Allow-Origin: *
    X-Ttl: 60
    X-Rl: 44
  • 208.95.112.1:80 (http, XClient.exe): http://ip-api.com/line/?fields=hosting
    264 B / 307 B, 4 / 3
    HTTP Request: GET http://ip-api.com/line/?fields=hosting
    HTTP Response: 200
  • 178.215.236.68:7000 (XClient.exe): the C2 from the extracted config
    2.7kB / 17.2kB, 32 / 33
  • 8.8.8.8:53 (dns, XClient.exe): ip-api.com
    56 B / 72 B, 1 / 1
    DNS Request: ip-api.com
    DNS Response: 208.95.112.1
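The single HTTP request above is ip-api.com's plain-text `line` endpoint with only the `hosting` field requested: that endpoint answers one requested field per line, and `hosting` is a boolean that reads `true` when the client's egress IP belongs to a hosting or datacenter range. XWorm's anti-analysis option includes this check and exits when the answer is true, so a sandbox whose egress looks like a datacenter gets a short trace and never reaches the C2. The Python below is an added example, not code from the page or from the malware: it parses a `/line/` body, applies that bail-out rule, and stands up a local stand-in for ip-api.com to show what a sandbox's network emulation has to answer. `FakeIpApiHandler`, `run_check_against` and the canned answers are this example's own, and it never contacts the real service.

```python
"""Parse ip-api.com `/line/` answers and emulate the `fields=hosting` check offline."""
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


def parse_line_response(body, fields):
    """Map the requested field names onto the one-value-per-line body.

    The line format echoes the fields in the order they were requested; boolean
    fields such as hosting come back as the words true/false.
    """
    parsed = {}
    for name, raw in zip(fields, body.splitlines()):
        raw = raw.strip()
        parsed[name] = (raw == "true") if raw in ("true", "false") else raw
    return parsed


def hosting_check_bails(body):
    """The decision the sample makes on the answer: leave when hosting is true."""
    return parse_line_response(body, ["hosting"]).get("hosting") is True


class FakeIpApiHandler(BaseHTTPRequestHandler):
    """Stand-in for ip-api.com's /line/ endpoint (this example's own, not the real service).

    `answers` is the canned record handed out; a sandbox's network emulation
    serves hosting=false so the sample proceeds to its C2 instead of exiting.
    """
    answers = {"hosting": "false", "query": "203.0.113.10"}  # constructed; 203.0.113.0/24 is documentation space

    def do_GET(self):
        url = urllib.parse.urlparse(self.path)
        if not url.path.startswith("/line"):
            self.send_error(404)
            return
        requested = urllib.parse.parse_qs(url.query).get("fields", ["query"])[0].split(",")
        body = "".join(f"{self.answers.get(f, '')}\n" for f in requested).encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "text/plain; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the example quiet
        return


def run_check_against(answers):
    """Serve `answers` on a loopback port, issue the report's request, return (body, bails)."""
    handler = type("Handler", (FakeIpApiHandler,), {"answers": answers})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        port = server.server_address[1]
        req = urllib.request.Request(
            f"http://127.0.0.1:{port}/line/?fields=hosting",
            headers={"Host": "ip-api.com"},   # Host as in the capture; the socket goes to loopback
        )
        with urllib.request.urlopen(req, timeout=5) as resp:
            body = resp.read().decode("utf-8")
    finally:
        server.shutdown()
        server.server_close()
    return body, hosting_check_bails(body)


if __name__ == "__main__":
    for canned in ({"hosting": "false"}, {"hosting": "true"}):
        body, bails = run_check_against(canned)
        print(f"answer={body!r} ({len(body.encode())} bytes) -> sample bails: {bails}")
```

The reported Content-Length of 6 is consistent with a body of `false` followed by a newline (`true` plus newline would be 5 bytes), which is the answer the sample needs in order to continue; that reading is an inference from the header, since the page does not show the body itself. For a sandbox, the point is that DNS for ip-api.com and this one GET have to be answered with hosting=false before any C2 traffic to 178.215.236.68:7000 can be observed.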

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpA718.tmp.bat

    Filesize

    159B

    MD5

    c9f2a35c1ce15a06b9b168c546e4ed24

    SHA1

    265dcbf0f0cbcfac7ec6cd6ad505deaee9d038d4

    SHA256

    d6d890460d82f137a1a6e6aff4b7223d72049f35e5608b6498c3527ab9085614

    SHA512

    31cd42dae48d904103225ee5dc69656d1c4249ce2d1df2419dfeb38ace5379171bd315784ac88ff00f373a849100af9f0e303181a853b01ad5836bae9c6552c5

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    7KB

    MD5

    7545cb0e7b8388423fbc380b36c0a7e3

    SHA1

    aa6414259fcbabb75e1347f51db613e07f13bfb4

    SHA256

    984834914109fe732f2c2317090f3e05a4455b7a5f09a1bc71f5393401c8fc81

    SHA512

    2be708c5ef2ca95e25520912937d33be21882930b7a701d846714588d6b8c34899c6aca387f43c859efb103d16caac116a6ba9d655272c8717178f6d89f23243

  • memory/1020-17-0x000007FEF5713000-0x000007FEF5714000-memory.dmp

    Filesize

    4KB

  • memory/1020-2-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

    Filesize

    9.9MB

  • memory/1020-0-0x000007FEF5713000-0x000007FEF5714000-memory.dmp

    Filesize

    4KB

  • memory/1020-18-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

    Filesize

    9.9MB

  • memory/1020-1-0x0000000000C90000-0x0000000000CAC000-memory.dmp

    Filesize

    112KB

  • memory/1020-27-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

    Filesize

    9.9MB

  • memory/2692-15-0x000000001B770000-0x000000001BA52000-memory.dmp

    Filesize

    2.9MB

  • memory/2692-16-0x0000000001E90000-0x0000000001E98000-memory.dmp

    Filesize

    32KB

  • memory/2784-7-0x00000000028E0000-0x0000000002960000-memory.dmp

    Filesize

    512KB

  • memory/2784-8-0x000000001B680000-0x000000001B962000-memory.dmp

    Filesize

    2.9MB

  • memory/2784-9-0x0000000002240000-0x0000000002248000-memory.dmp

    Filesize

    32KB
