Analysis
- max time kernel: 117s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 13/11/2024, 13:10
Behavioral task behavioral1
- Sample: 20b9dd6d08f23de84f317c3a1e270a8f952778d7a477b661fb820e078adbe07e.exe
- Resource: win7-20240903-en
Behavioral task behavioral2
- Sample: 20b9dd6d08f23de84f317c3a1e270a8f952778d7a477b661fb820e078adbe07e.exe
- Resource: win10v2004-20241007-en
General
- Target: 20b9dd6d08f23de84f317c3a1e270a8f952778d7a477b661fb820e078adbe07e.exe
- Size: 42KB
- MD5: b1c9c7a5e1f914ce0094aa08046015dc
- SHA1: 31299c6babfb89124cd60169e7429dc9566af8dd
- SHA256: 20b9dd6d08f23de84f317c3a1e270a8f952778d7a477b661fb820e078adbe07e
- SHA512: 3c287c3ea393cab841ee91f715d1cb6bac0c762eb7fa9a1bea838ac02e65a7beb929e3fe5b7c0d7c3312177fc589085496900c6e2aa68372ecba38573f5feed5
- SSDEEP: 768:EqpDpHTSWG3J9E/B0oZ4XVGCqF3t9bd6UOChvIPkV:E+DV+BI/2oZ4XV4F99bd6UOClGkV
Malware Config
Extracted
- Family: xworm
- Version: 5.0
- C2: gay-nursery.gl.at.ply.gg:51408
- v9Zf3WMcQnnzzZmX
- Install_directory: %AppData%
- install_file: XClient.exe
Signatures
- Detect Xworm Payload (3 IoCs)
  resource | yara_rule
  behavioral1/memory/1320-1-0x0000000000390000-0x00000000003A0000-memory.dmp | family_xworm
  behavioral1/files/0x0006000000004ed7-30.dat | family_xworm
  behavioral1/memory/1972-32-0x0000000000020000-0x0000000000030000-memory.dmp | family_xworm
- Xworm family
- Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  pid | Process
  1680 | powershell.exe
  2176 | powershell.exe
  2704 | powershell.exe
  2800 | powershell.exe
- Executes dropped EXE (1 IoC)
  pid | Process
  1972 | XClient.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe" | 20b9dd6d08f23de84f317c3a1e270a8f952778d7a477b661fb820e078adbe07e.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  2588 | schtasks.exe
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid | Process
  1320 | 20b9dd6d08f23de84f317c3a1e270a8f952778d7a477b661fb820e078adbe07e.exe
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid | Process
  1680 | powershell.exe
  2176 | powershell.exe
  2704 | powershell.exe
  2800 | powershell.exe
  1320 | 20b9dd6d08f23de84f317c3a1e270a8f952778d7a477b661fb820e078adbe07e.exe
- Suspicious use of AdjustPrivilegeToken (7 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1320 | 20b9dd6d08f23de84f317c3a1e270a8f952778d7a477b661fb820e078adbe07e.exe
  Token: SeDebugPrivilege | 1680 | powershell.exe
  Token: SeDebugPrivilege | 2176 | powershell.exe
  Token: SeDebugPrivilege | 2704 | powershell.exe
  Token: SeDebugPrivilege | 2800 | powershell.exe
  Token: SeDebugPrivilege | 1320 | 20b9dd6d08f23de84f317c3a1e270a8f952778d7a477b661fb820e078adbe07e.exe
  Token: SeDebugPrivilege | 1972 | XClient.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid | Process
  1320 | 20b9dd6d08f23de84f317c3a1e270a8f952778d7a477b661fb820e078adbe07e.exe
- Suspicious use of WriteProcessMemory (18 IoCs; each write was logged three times)
  description | pid | Process | procid_target
  PID 1320 wrote to memory of 1680 | 1320 | 20b9dd6d08f23de84f317c3a1e270a8f952778d7a477b661fb820e078adbe07e.exe | 31 (x3)
  PID 1320 wrote to memory of 2176 | 1320 | 20b9dd6d08f23de84f317c3a1e270a8f952778d7a477b661fb820e078adbe07e.exe | 33 (x3)
  PID 1320 wrote to memory of 2704 | 1320 | 20b9dd6d08f23de84f317c3a1e270a8f952778d7a477b661fb820e078adbe07e.exe | 35 (x3)
  PID 1320 wrote to memory of 2800 | 1320 | 20b9dd6d08f23de84f317c3a1e270a8f952778d7a477b661fb820e078adbe07e.exe | 37 (x3)
  PID 1320 wrote to memory of 2588 | 1320 | 20b9dd6d08f23de84f317c3a1e270a8f952778d7a477b661fb820e078adbe07e.exe | 39 (x3)
  PID 2908 wrote to memory of 1972 | 2908 | taskeng.exe | 42 (x3)
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Tree depth is shown in brackets; the line under each image is its captured command line.

[1] C:\Users\Admin\AppData\Local\Temp\20b9dd6d08f23de84f317c3a1e270a8f952778d7a477b661fb820e078adbe07e.exe (PID 1320)
    "C:\Users\Admin\AppData\Local\Temp\20b9dd6d08f23de84f317c3a1e270a8f952778d7a477b661fb820e078adbe07e.exe"
    - Adds Run key to start application
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1680)
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\20b9dd6d08f23de84f317c3a1e270a8f952778d7a477b661fb820e078adbe07e.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2176)
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '20b9dd6d08f23de84f317c3a1e270a8f952778d7a477b661fb820e078adbe07e.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2704)
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2800)
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\System32\schtasks.exe (PID 2588)
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
        - Scheduled Task/Job: Scheduled Task

[1] C:\Windows\system32\taskeng.exe (PID 2908)
    taskeng.exe {DDE231DC-7838-463C-A9A4-03D571D689B0} S-1-5-21-2872745919-2748461613-2989606286-1000:CCJBVTGQ\Admin:Interactive:[1]
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Roaming\XClient.exe (PID 1972)
        C:\Users\Admin\AppData\Roaming\XClient.exe
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
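The process tree shows the three steps this sample takes to stay resident and out of Defender's sight: four PowerShell invocations that add path and process exclusions for both the dropper and XClient.exe, a schtasks.exe task that relaunches XClient.exe every minute with the highest run level, and a Run key under the user's hive pointing into %AppData%. What follows is an added example, not part of the tria.ge report, of detection logic that flags those behaviours from process-creation and registry-set events. The Event class, CAPTURED list and rule names are constructs of this example; the command lines and Run key value are transcribed from the tree and signature tables above. The rules generalise past this sample: any Add-MpPreference exclusion switch, any schtasks /create with a minute schedule of five or fewer or an action under a user-writable directory, and any Run/RunOnce value whose data lives in such a directory.

```python
"""Detection rules for the defence-evasion and persistence behaviour recorded in
this report, evaluated over process-creation and registry events.

Added example for this page, not tria.ge code. Event, CAPTURED and the rule
names are constructs of this example; the command lines and Run key value are
taken from the process tree and signature tables above.
"""
import re
from dataclasses import dataclass

# Directories a standard user can write to; persistence launching from here
# rather than Program Files or System32 is the common malware pattern.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
DEFENDER_EXCLUSION_SWITCHES = {
    "-exclusionpath", "-exclusionprocess", "-exclusionextension", "-exclusionipaddress",
}


@dataclass
class Event:
    kind: str          # "process" (image + cmdline) or "registry" (key + data)
    image: str = ""
    cmdline: str = ""
    key: str = ""
    data: str = ""


def tokens(cmdline):
    """Split a Windows command line on whitespace, keeping "..." and '...' arguments whole."""
    return [a or b or c for a, b, c in re.findall(r'''"([^"]*)"|'([^']*)'|(\S+)''', cmdline)]


def defender_tampering(ev):
    """PowerShell adding a Microsoft Defender exclusion (Add-MpPreference -Exclusion*)."""
    if ev.kind != "process" or not ev.image.lower().endswith("powershell.exe"):
        return None
    toks = tokens(ev.cmdline)
    low = [t.lower() for t in toks]
    if "add-mppreference" not in low:
        return None
    for i, t in enumerate(low):
        if t in DEFENDER_EXCLUSION_SWITCHES and i + 1 < len(toks):
            return f"Defender exclusion added with {toks[i]}: {toks[i + 1]}"
    return None


def schtasks_persistence(ev):
    """schtasks /create with a minute-level trigger or an action in a user-writable path."""
    if ev.kind != "process" or not ev.image.lower().endswith("schtasks.exe"):
        return None
    toks = tokens(ev.cmdline)
    low = [t.lower() for t in toks]
    if "/create" not in low:
        return None
    # Map each /switch to the token after it; value-less switches such as /f pick up
    # the next switch, which does not affect the lookups below.
    opts = {low[i]: toks[i + 1] for i in range(len(toks) - 1) if low[i].startswith("/")}
    target = opts.get("/tr", "")
    try:
        modifier = int(opts.get("/mo", "1"))
    except ValueError:
        modifier = 1
    reasons = []
    if opts.get("/sc", "").lower() == "minute" and modifier <= 5:
        reasons.append(f"repeats every {modifier} minute(s)")
    if USER_WRITABLE.search(target):
        reasons.append("action lives in a user-writable directory")
    if not reasons:
        return None
    if opts.get("/rl", "").upper() == "HIGHEST":
        reasons.append("requests /RL HIGHEST")
    return f"Scheduled task {opts.get('/tn', '?')!r} -> {target}: " + "; ".join(reasons)


def run_key_persistence(ev):
    """Run/RunOnce value whose data points into a user-writable directory."""
    if ev.kind != "registry" or not RUN_KEY.search(ev.key):
        return None
    if not USER_WRITABLE.search(ev.data):
        return None
    value_name = ev.key.rsplit("\\", 1)[-1]
    return f"Run key value {value_name!r} -> {ev.data}"


RULES = (defender_tampering, schtasks_persistence, run_key_persistence)


def evaluate(events):
    """Return (rule name, detail) for every event that trips a rule."""
    return [(rule.__name__, d) for ev in events for rule in RULES if (d := rule(ev))]


# Events transcribed from the process tree and the "Adds Run key" signature above.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\20b9dd6d08f23de84f317c3a1e270a8f952778d7a477b661fb820e078adbe07e.exe")
SAMPLE_NAME = SAMPLE.rsplit("\\", 1)[-1]
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SCHTASKS = r"C:\Windows\System32\schtasks.exe"
XCLIENT = r"C:\Users\Admin\AppData\Roaming\XClient.exe"
CAPTURED = [
    Event("process", image=SAMPLE, cmdline=f"\"{SAMPLE}\""),
    Event("process", image=PS, cmdline=f"\"{PS}\" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath '{SAMPLE}'"),
    Event("process", image=PS, cmdline=f"\"{PS}\" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '{SAMPLE_NAME}'"),
    Event("process", image=PS, cmdline=f"\"{PS}\" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath '{XCLIENT}'"),
    Event("process", image=PS, cmdline=f"\"{PS}\" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'"),
    Event("process", image=SCHTASKS,
          cmdline=f"\"{SCHTASKS}\" /create /f /RL HIGHEST /sc minute /mo 1 /tn \"XClient\" /tr \"{XCLIENT}\""),
    Event("registry",
          key=r"\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000"
              r"\Software\Microsoft\Windows\CurrentVersion\Run\XClient",
          data=XCLIENT),
]

if __name__ == "__main__":
    for name, detail in evaluate(CAPTURED):
        print(f"[{name}] {detail}")
```

Run as a script it prints six hits: the four exclusion commands, the one-minute task and the Run key. The same three predicates map directly onto Windows process-creation events (Security 4688 or Sysmon event 1, which carry the command line) and Sysmon event 13 for the registry value set, so they can be ported to a SIEM query without changing the logic.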
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: fe130428c2cae13e7f44dc2e4a86d045
  SHA1: 7498cef32b0540595985d6e5219895e8a81eeaa5
  SHA256: d27ba97389c7e51d3a675dabffa037e1451b5677815ea9b6361ffbb0421c3114
  SHA512: fa271673ad8d0dcb945a2e039242e7bff1f77fe8fc03920e389c7d47cdab84218642eb0d0eeff4e98e1b1c7f90cb3fb86e29d907ff3566852f0805badce2b33f
- (path not shown in the report; hashes are identical to the submitted sample)
  Filesize: 42KB
  MD5: b1c9c7a5e1f914ce0094aa08046015dc
  SHA1: 31299c6babfb89124cd60169e7429dc9566af8dd
  SHA256: 20b9dd6d08f23de84f317c3a1e270a8f952778d7a477b661fb820e078adbe07e
  SHA512: 3c287c3ea393cab841ee91f715d1cb6bac0c762eb7fa9a1bea838ac02e65a7beb929e3fe5b7c0d7c3312177fc589085496900c6e2aa68372ecba38573f5feed5