Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

XClient.exe

windows10-1703-x64

10

XClient.exe

windows7-x64

10

XClient.exe

windows10-1703-x64

10

XClient.exe

windows10-2004-x64

10

XClient.exe

windows11-21h2-x64

10

Resubmissions

02/09/2024, 04:11

240902-erx5ws1ekl 10

31/08/2024, 15:44

240831-s6y8dssajf 10

31/08/2024, 15:41

240831-s4ytva1gph 10

31/08/2024, 15:35

240831-s1fh4a1fjk 10

Analysis

  • max time kernel
    43s
  • max time network
    41s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    31/08/2024, 15:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    XClient.exe

  • Size

    84KB

  • MD5

    13f12b20731a141144d59aef56828f78

  • SHA1

    2aef63a0f584914b022ea7d039bd431fa99520b3

  • SHA256

    28041fc75ea0dd89b4cfa6338ff7dd3ef053bf5e49eca14f6d8e4acc003c9c6b

  • SHA512

    19f9aeb3ceed2cd0ab93e0f449174de9f07afba41f38c620a1480b052c18ce898d52b9c90f3cfe83611064b4b6cf7444041a4b1d52de214811436975802bcbaa

  • SSDEEP

    1536:E4VFkamGxes+ESPmWnz5fH0hgThsipZR8beJKNlG8V6f7/7zOD5gfRJoBP:E4VNxedPmWt04/UbeSly7/vOD5c4V

Score
10/10
xwormexecutionrattrojan

Malware Config

Extracted

Family

xworm

C2

178.215.236.68:7000

Attributes
  • install_file

    USB.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Deletes itself 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\XClient.exe
    "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1432
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2956
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2680
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp7D0C.tmp.bat""
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:2196
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:1196

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp7D0C.tmp.bat
    Filesize

    159B

    MD5

    ae35558d7df786aced9ca004aa3c8ba1

    SHA1

    cf14c9177b3b94786e1c6804f884343ad3ac3b7b

    SHA256

    f96b62e67855bb0de0c764e6f077f55d0e256cee42aad8b89dbdd22322f95e36

    SHA512

    5a8baf9d7c011fbf118b3be8ea12da79558f8b59f1d0ed5c23781fd53de4fdf50292df83d875ec0ca8ad0d2a5af50d115f602cfe12cc05a9b24213c8ab056581

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\N9H65ZJ5EGK4I2I6D0XP.temp
    Filesize

    7KB

    MD5

    5e1eff71f80ee7e7df9442019d2268e0

    SHA1

    6574331ed0f7fc2cc35ef070a9fcef60babe6113

    SHA256

    255f27b9d28d0c7aa9d3d765f7828d7b461687552ec4aecd9e2fe345f950224e

    SHA512

    72126646deecfa53a594c952aa8cbcf4c11c2ba3db8f9e733a340e66c620bab2b7f9c5c4f5ca1c6ae66019ae37671ab6d201583eec0efd4ce110d967d34a5c10

    Download Submit

  • memory/1432-1-0x0000000000A20000-0x0000000000A3C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/1432-2-0x000007FEF6350000-0x000007FEF6D3C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1432-27-0x000007FEF6350000-0x000007FEF6D3C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1432-18-0x000007FEF6350000-0x000007FEF6D3C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1432-0-0x000007FEF6353000-0x000007FEF6354000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1432-17-0x000007FEF6353000-0x000007FEF6354000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2680-15-0x000000001B650000-0x000000001B932000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2680-16-0x00000000022D0000-0x00000000022D8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2956-9-0x0000000001E00000-0x0000000001E08000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2956-8-0x000000001B670000-0x000000001B952000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2956-7-0x0000000002940000-0x00000000029C0000-memory.dmp

    Filesize

    512KB

    Download