Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

WizClient.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    94s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/10/2024, 03:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    WizClient.exe

  • Size

    83KB

  • MD5

    2c383a77bce8c6283ef976b2a677f0f4

  • SHA1

    5b086390d1add27d44f4a3859b4daaa74af65868

  • SHA256

    21e2e1a1ad225e01e997a3cca99b8d4313ae3b73263adbc9b416193c94a2153a

  • SHA512

    87624bec9d2db6bdf8d876e3d238f8fdb8c707b658b51b3b5877435c632809f8fbf6da0f03dc025031a112308d2a990c7c76f458bdbbfb32949423f25bbf6e16

  • SSDEEP

    1536:X0ixKm49LXmWNbI2jjmhs7y/ZgdtqKz6Y1O27BaDtT:X0iJ4BWSbIwjm0y/crv1O66t

Score
10/10
xwormrattrojan

Malware Config

Extracted

Family

xworm

C2

returns-traveler.gl.at.ply.gg:13452

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    USB.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\WizClient.exe
    "C:\Users\Admin\AppData\Local\Temp\WizClient.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4524

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/4524-0-0x00007FFA5DF43000-0x00007FFA5DF45000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4524-1-0x00000000008D0000-0x00000000008EC000-memory.dmp

    Filesize

    112KB

    Download

  • memory/4524-2-0x00007FFA5DF40000-0x00007FFA5EA01000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4524-3-0x00007FFA5DF40000-0x00007FFA5EA01000-memory.dmp

    Filesize

    10.8MB

    Download