Analysis

  • max time kernel
    112s
  • max time network
    113s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted
    20/11/2024, 16:42 UTC

General

  • Target

    XClient.exe

  • Size

    41KB

  • MD5

    f39bdd2e04dd6485c35843cfb7ed5328

  • SHA1

    12613c804847302eaf51d248125bf567d6e0fc81

  • SHA256

    739dcb8887532e966ae7e49e95de28b9f89e342d5ac8ab4a6fc66163a6ec656a

  • SHA512

    ff0ab2cab30d784c429f614915d6e90623ba4e07952052263d3d64abe5b19a462f0dbfee57c13a19f258828bf0a18011f5e8154f0cc655275303a186114d8664

  • SSDEEP

    768:myIOKKVKWC6+3XvgggCLJF5PG9pm96vOwhv3Emz/:mzbKVKWLoXvvgcFI9A96vOwN9z

Malware Config

Extracted

Family

xworm

Version

5.0

C2

tcp://ikonik2681-35277.portmap.host:35277

Mutex

vlO7QJJcLCTXEz3h

Attributes
  • Install_directory

    %AppData%

  • install_file

    $77MicrosoftDefender.exe

  • aes.plain 1

    XoeqZf0jVolpBc/XhGtmng==

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\XClient.exe
    "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3820
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1412
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3580
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\$77MicrosoftDefender.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2024
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77MicrosoftDefender.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:760
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "$77MicrosoftDefender" /tr "C:\Users\Admin\AppData\Roaming\$77MicrosoftDefender.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2072
  • C:\Users\Admin\AppData\Roaming\$77MicrosoftDefender.exe
    "C:\Users\Admin\AppData\Roaming\$77MicrosoftDefender.exe"
    1⤵
    • Executes dropped EXE
    PID:2364
  • C:\Users\Admin\AppData\Roaming\$77MicrosoftDefender.exe
    "C:\Users\Admin\AppData\Roaming\$77MicrosoftDefender.exe"
    1⤵
    • Executes dropped EXE
    PID:3088

Network

  • flag-us
    DNS
    68.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    68.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    154.239.44.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    154.239.44.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    107.209.201.84.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    107.209.201.84.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    104.219.191.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    104.219.191.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    ip-api.com
    XClient.exe
    Remote address:
    8.8.8.8:53
    Request
    ip-api.com
    IN A
    Response
    ip-api.com
    IN A
    208.95.112.1
  • flag-us
    GET
    http://ip-api.com/line/?fields=hosting
    XClient.exe
    Remote address:
    208.95.112.1:80
    Request
    GET /line/?fields=hosting HTTP/1.1
    Host: ip-api.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Wed, 20 Nov 2024 16:42:30 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 6
    Access-Control-Allow-Origin: *
    X-Ttl: 60
    X-Rl: 44
  • flag-us
    DNS
    1.112.95.208.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    1.112.95.208.in-addr.arpa
    IN PTR
    Response
    1.112.95.208.in-addr.arpa
    IN PTR
    ip-api.com
  • flag-us
    DNS
    97.17.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    97.17.167.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    fd.api.iris.microsoft.com
    Remote address:
    8.8.8.8:53
    Request
    fd.api.iris.microsoft.com
    IN A
    Response
    fd.api.iris.microsoft.com
    IN CNAME
    fd-api-iris.trafficmanager.net
    fd-api-iris.trafficmanager.net
    IN CNAME
    iris-de-prod-azsc-v2-neu-b.northeurope.cloudapp.azure.com
    iris-de-prod-azsc-v2-neu-b.northeurope.cloudapp.azure.com
    IN A
    20.223.36.55
  • flag-us
    DNS
    197.87.175.4.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    197.87.175.4.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    55.36.223.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    55.36.223.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    15.164.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    15.164.165.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    77.190.18.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    77.190.18.2.in-addr.arpa
    IN PTR
    Response
    77.190.18.2.in-addr.arpa
    IN PTR
    a2-18-190-77.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    30.243.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    30.243.111.52.in-addr.arpa
    IN PTR
    Response
  • 208.95.112.1:80
    http://ip-api.com/line/?fields=hosting
    http
    XClient.exe
    310 B
    347 B
    5
    4

    HTTP Request

    GET http://ip-api.com/line/?fields=hosting

    HTTP Response

    200
  • 20.223.36.55:443
    fd.api.iris.microsoft.com
    tls
    624 B
    6.5kB
    9
    6
  • 8.8.8.8:53
    68.32.126.40.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    68.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    107.209.201.84.in-addr.arpa
    dns
    73 B
    133 B
    1
    1

    DNS Request

    107.209.201.84.in-addr.arpa

  • 8.8.8.8:53
    154.239.44.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    154.239.44.20.in-addr.arpa

  • 8.8.8.8:53
    104.219.191.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    104.219.191.52.in-addr.arpa

  • 8.8.8.8:53
    ip-api.com
    dns
    XClient.exe
    56 B
    72 B
    1
    1

    DNS Request

    ip-api.com

    DNS Response

    208.95.112.1

  • 8.8.8.8:53
    1.112.95.208.in-addr.arpa
    dns
    71 B
    95 B
    1
    1

    DNS Request

    1.112.95.208.in-addr.arpa

  • 8.8.8.8:53
    97.17.167.52.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    97.17.167.52.in-addr.arpa

  • 8.8.8.8:53
    fd.api.iris.microsoft.com
    dns
    71 B
    199 B
    1
    1

    DNS Request

    fd.api.iris.microsoft.com

    DNS Response

    20.223.36.55

  • 8.8.8.8:53
    197.87.175.4.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    197.87.175.4.in-addr.arpa

  • 8.8.8.8:53
    55.36.223.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    55.36.223.20.in-addr.arpa

  • 8.8.8.8:53
    15.164.165.52.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    15.164.165.52.in-addr.arpa

  • 8.8.8.8:53
    77.190.18.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    77.190.18.2.in-addr.arpa

  • 8.8.8.8:53
    30.243.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    30.243.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

    Filesize

    3KB

    MD5

    3eb3833f769dd890afc295b977eab4b4

    SHA1

    e857649b037939602c72ad003e5d3698695f436f

    SHA256

    c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

    SHA512

    c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    b5bf6b0261deb53c0e3d422e3f83a664

    SHA1

    60cd83ab6dd15abaa9abf34d9ab54e42c8eefa16

    SHA256

    a431a9e84c64c6ad29339df6a714cb697081dc1c6c5557ada967d4caaeed0c1c

    SHA512

    27dfba0d2d7ebce4e6eebdeefa81b2518c5222efb9d37b4c323023e5117eed30ad6aeba8e062bde96d17d53b01bb9a59313229aeaf4863c8b30d9bbb09d46bff

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    a0584865193c35a64240ed9bb6a1fd57

    SHA1

    54d3dc0fe85ab62f9eed443ad19f9a7461c8043a

    SHA256

    25e3e8922df794542c6920fd1ac748e8bef18ad5649a38d7c9839702385e356a

    SHA512

    4e5b5a63c5f98366fa8caf19c5e822087c4ae29389121e97dd6dac06567cd41b24cab254802aad6e47355fd296673abf14f8a3c0ab3d4e581ba75cf4cfec6e82

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    075ace49043673efbb552275aa617bd6

    SHA1

    ab39a6b841f01661918d4067737013dbe8444538

    SHA256

    11bd4cb2b7ecad8a571ff2957e5135d4b12cd0ca7bb63e61353423c939681223

    SHA512

    09d03beca5da2640760af08124306bf9190e15a877c83c4c67815e25c8c6a55c903f9a3a90c52bd3694e840924c090ee4bd8bea45c544cc8f22986e29feeeb05

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vafgxv2o.yc4.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Roaming\$77MicrosoftDefender.exe

    Filesize

    41KB

    MD5

    f39bdd2e04dd6485c35843cfb7ed5328

    SHA1

    12613c804847302eaf51d248125bf567d6e0fc81

    SHA256

    739dcb8887532e966ae7e49e95de28b9f89e342d5ac8ab4a6fc66163a6ec656a

    SHA512

    ff0ab2cab30d784c429f614915d6e90623ba4e07952052263d3d64abe5b19a462f0dbfee57c13a19f258828bf0a18011f5e8154f0cc655275303a186114d8664

  • memory/1412-16-0x00007FF986250000-0x00007FF986D12000-memory.dmp

    Filesize

    10.8MB

  • memory/1412-15-0x00007FF986250000-0x00007FF986D12000-memory.dmp

    Filesize

    10.8MB

  • memory/1412-21-0x00007FF986250000-0x00007FF986D12000-memory.dmp

    Filesize

    10.8MB

  • memory/1412-20-0x000001CEB8D60000-0x000001CEB8F7D000-memory.dmp

    Filesize

    2.1MB

  • memory/1412-22-0x00007FF986250000-0x00007FF986D12000-memory.dmp

    Filesize

    10.8MB

  • memory/1412-10-0x000001CEB8D30000-0x000001CEB8D52000-memory.dmp

    Filesize

    136KB

  • memory/1412-4-0x00007FF986250000-0x00007FF986D12000-memory.dmp

    Filesize

    10.8MB

  • memory/1412-3-0x00007FF986250000-0x00007FF986D12000-memory.dmp

    Filesize

    10.8MB

  • memory/3820-0-0x00007FF986253000-0x00007FF986255000-memory.dmp

    Filesize

    8KB

  • memory/3820-17-0x00007FF986253000-0x00007FF986255000-memory.dmp

    Filesize

    8KB

  • memory/3820-2-0x00007FF986250000-0x00007FF986D12000-memory.dmp

    Filesize

    10.8MB

  • memory/3820-60-0x00007FF986250000-0x00007FF986D12000-memory.dmp

    Filesize

    10.8MB

  • memory/3820-1-0x0000000000040000-0x0000000000050000-memory.dmp

    Filesize

    64KB
