Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

310c6e4649...c8.exe

windows7-x64

10

310c6e4649...c8.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/11/2024, 01:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    310c6e4649169990ced7e39f97fade780c725e8ecac3c7a6fe4a8e3d1b874bc8.exe

  • Size

    337KB

  • MD5

    a8bf7d1f42ce4fe13c76e01befe367fa

  • SHA1

    add32173cf45061d651b75f8b7ab33f86fdfbee7

  • SHA256

    310c6e4649169990ced7e39f97fade780c725e8ecac3c7a6fe4a8e3d1b874bc8

  • SHA512

    eba707226d114c4405b25b627ee38ba5b2c24cf353fdafd1d78dd90c0fed5de67a2c8c0846609ad7d554306191836667f00dd896d12215fd769c6f36f0f58e2d

  • SSDEEP

    3072:rXjgxzi3Z80WaXjTa4X+oFM3bUiS75l/NTugUJV21KFpwqEBOrNoq98wSpvbUP:rzgxAZ82a4XrFXSlQqrR98XU

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

185.84.161.66:5000

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\310c6e4649169990ced7e39f97fade780c725e8ecac3c7a6fe4a8e3d1b874bc8.exe
    "C:\Users\Admin\AppData\Local\Temp\310c6e4649169990ced7e39f97fade780c725e8ecac3c7a6fe4a8e3d1b874bc8.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1336
    • C:\Users\Admin\AppData\Local\Temp\P00LCUE.exe
      "C:\Users\Admin\AppData\Local\Temp\P00LCUE.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:232
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c cls
        3⤵
          PID:4408
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c cls
          3⤵
            PID:1136
        • C:\Users\Admin\AppData\Local\Temp\BLACKSUPER X.exe
          "C:\Users\Admin\AppData\Local\Temp\BLACKSUPER X.exe"
          2⤵
          • Checks computer location settings
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2504
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BLACKSUPER X.exe'
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:1612
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'BLACKSUPER X.exe'
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:4528
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:4284
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:4656
          • C:\Windows\System32\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
            3⤵
            • Scheduled Task/Job: Scheduled Task
            PID:2024
      • C:\Users\Admin\AppData\Roaming\XClient.exe
        C:\Users\Admin\AppData\Roaming\XClient.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1216
      • C:\Users\Admin\AppData\Roaming\XClient.exe
        C:\Users\Admin\AppData\Roaming\XClient.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:3496
      • C:\Users\Admin\AppData\Roaming\XClient.exe
        C:\Users\Admin\AppData\Roaming\XClient.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:5056

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XClient.exe.log
        Filesize

        654B

        MD5

        2ff39f6c7249774be85fd60a8f9a245e

        SHA1

        684ff36b31aedc1e587c8496c02722c6698c1c4e

        SHA256

        e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

        SHA512

        1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
        Filesize

        2KB

        MD5

        d85ba6ff808d9e5444a4b369f5bc2730

        SHA1

        31aa9d96590fff6981b315e0b391b575e4c0804a

        SHA256

        84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

        SHA512

        8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        62623d22bd9e037191765d5083ce16a3

        SHA1

        4a07da6872672f715a4780513d95ed8ddeefd259

        SHA256

        95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

        SHA512

        9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        cae60f0ddddac635da71bba775a2c5b4

        SHA1

        386f1a036af61345a7d303d45f5230e2df817477

        SHA256

        b2dd636b7b0d3bfe44cef5e1175828b1fa7bd84d5563f54342944156ba996c16

        SHA512

        28ed8a8bc132ef56971cfd7b517b17cdb74a7f8c247ef6bff232996210075e06aa58a415825a1e038cfb547ad3dc6882bf1ca1b68c5b360ef0512a1440850253

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        98baf5117c4fcec1692067d200c58ab3

        SHA1

        5b33a57b72141e7508b615e17fb621612cb8e390

        SHA256

        30bf8496e9a08f4fdfe4767abcd565f92b6da06ca1c7823a70cb7cab16262e51

        SHA512

        344a70bfc037d54176f12db91f05bf4295bb587a5062fd1febe6f52853571170bd8ef6042cb87b893185bbae1937cf77b679d7970f8cc1c2666b0b7c1b32987d

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\BLACKSUPER X.exe
        Filesize

        69KB

        MD5

        2d58b179ec133f1016a2496a96c5da20

        SHA1

        f5b59d6c3c382295d5d5fed1aed04342a7ab7f2e

        SHA256

        ea9c924bd79e33535b8d6537da0a320ce89d6700697173397bb0a31341831a1b

        SHA512

        486e8248f14d721519bd3701d8dfaf6b8e5af2bce02825fac078402c5ac4a1ceff72af2c36eb3a5c3006aaef0eb00ae8b2289d5a2b8b149e50e7bc7e2bad5abc

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\P00LCUE.exe
        Filesize

        49KB

        MD5

        82389acf1b04e8442fdafa7c49c29a97

        SHA1

        573bbc1861498616a8fe79762de0fe3441e0ab21

        SHA256

        70ef677a281065331f49877743d7674891ccb1e63023fbc17e4d6c2e9f28b27a

        SHA512

        4d87d48265510da16fd22920bbbc4476278e1991b62584c320b020d53dcd7ca9b718d9f10750f63b25df1a741ef10369da013e880a3d979ef3faff9332fd3eb1

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fzklnbrl.xhw.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • memory/1336-22-0x00007FFA8A940000-0x00007FFA8B401000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1336-0-0x00007FFA8A943000-0x00007FFA8A945000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1336-20-0x00007FFA8A940000-0x00007FFA8B401000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1336-1-0x0000000000C90000-0x0000000000CEA000-memory.dmp

        Filesize

        360KB

        Download

      • memory/1612-33-0x000001966D5A0000-0x000001966D5C2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2504-25-0x00007FFA8A940000-0x00007FFA8B401000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2504-26-0x00007FFA8A940000-0x00007FFA8B401000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2504-23-0x0000000000390000-0x00000000003A8000-memory.dmp

        Filesize

        96KB

        Download

      • memory/2504-62-0x00007FFA8A940000-0x00007FFA8B401000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2504-78-0x00007FFA8A940000-0x00007FFA8B401000-memory.dmp

        Filesize

        10.8MB

        Download