Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    13/11/2024, 13:10

General

  • Target

    20b9dd6d08f23de84f317c3a1e270a8f952778d7a477b661fb820e078adbe07e.exe

  • Size

    42KB

  • MD5

    b1c9c7a5e1f914ce0094aa08046015dc

  • SHA1

    31299c6babfb89124cd60169e7429dc9566af8dd

  • SHA256

    20b9dd6d08f23de84f317c3a1e270a8f952778d7a477b661fb820e078adbe07e

  • SHA512

    3c287c3ea393cab841ee91f715d1cb6bac0c762eb7fa9a1bea838ac02e65a7beb929e3fe5b7c0d7c3312177fc589085496900c6e2aa68372ecba38573f5feed5

  • SSDEEP

    768:EqpDpHTSWG3J9E/B0oZ4XVGCqF3t9bd6UOChvIPkV:E+DV+BI/2oZ4XV4F99bd6UOClGkV

Malware Config

Extracted

Family

xworm

Version

5.0

C2

gay-nursery.gl.at.ply.gg:51408

Mutex

v9Zf3WMcQnnzzZmX

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

aes.plain

Signatures

  • Detect Xworm Payload 3 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\20b9dd6d08f23de84f317c3a1e270a8f952778d7a477b661fb820e078adbe07e.exe
    "C:\Users\Admin\AppData\Local\Temp\20b9dd6d08f23de84f317c3a1e270a8f952778d7a477b661fb820e078adbe07e.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1320
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\20b9dd6d08f23de84f317c3a1e270a8f952778d7a477b661fb820e078adbe07e.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1680
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '20b9dd6d08f23de84f317c3a1e270a8f952778d7a477b661fb820e078adbe07e.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2176
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2704
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2800
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2588
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {DDE231DC-7838-463C-A9A4-03D571D689B0} S-1-5-21-2872745919-2748461613-2989606286-1000:CCJBVTGQ\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2908
    • C:\Users\Admin\AppData\Roaming\XClient.exe
      C:\Users\Admin\AppData\Roaming\XClient.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1972

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    7KB

    MD5

    fe130428c2cae13e7f44dc2e4a86d045

    SHA1

    7498cef32b0540595985d6e5219895e8a81eeaa5

    SHA256

    d27ba97389c7e51d3a675dabffa037e1451b5677815ea9b6361ffbb0421c3114

    SHA512

    fa271673ad8d0dcb945a2e039242e7bff1f77fe8fc03920e389c7d47cdab84218642eb0d0eeff4e98e1b1c7f90cb3fb86e29d907ff3566852f0805badce2b33f

  • C:\Users\Admin\AppData\Roaming\XClient.exe

    Filesize

    42KB

    MD5

    b1c9c7a5e1f914ce0094aa08046015dc

    SHA1

    31299c6babfb89124cd60169e7429dc9566af8dd

    SHA256

    20b9dd6d08f23de84f317c3a1e270a8f952778d7a477b661fb820e078adbe07e

    SHA512

    3c287c3ea393cab841ee91f715d1cb6bac0c762eb7fa9a1bea838ac02e65a7beb929e3fe5b7c0d7c3312177fc589085496900c6e2aa68372ecba38573f5feed5

  • memory/1320-0-0x000007FEF5EA3000-0x000007FEF5EA4000-memory.dmp

    Filesize

    4KB

  • memory/1320-1-0x0000000000390000-0x00000000003A0000-memory.dmp

    Filesize

    64KB

  • memory/1320-27-0x000000001B200000-0x000000001B280000-memory.dmp

    Filesize

    512KB

  • memory/1320-28-0x000007FEF5EA3000-0x000007FEF5EA4000-memory.dmp

    Filesize

    4KB

  • memory/1680-6-0x0000000002F10000-0x0000000002F90000-memory.dmp

    Filesize

    512KB

  • memory/1680-7-0x000000001B800000-0x000000001BAE2000-memory.dmp

    Filesize

    2.9MB

  • memory/1680-8-0x0000000001F40000-0x0000000001F48000-memory.dmp

    Filesize

    32KB

  • memory/1972-32-0x0000000000020000-0x0000000000030000-memory.dmp

    Filesize

    64KB

  • memory/2176-14-0x000000001B630000-0x000000001B912000-memory.dmp

    Filesize

    2.9MB

  • memory/2176-15-0x0000000001E60000-0x0000000001E68000-memory.dmp

    Filesize

    32KB