Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    297s
  • max time network
    295s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    19/01/2025, 20:38

General

  • Target

    XClient.exe

  • Size

    64KB

  • MD5

    0b825a60d5232c19548fe6bee6eceaf7

  • SHA1

    70b29e65c74ee6d11dd99ab644ea967efd868aa2

  • SHA256

    ad13779dfed42b4f1fc882216a9157bc65aee15f058b784ea809b86fceae34af

  • SHA512

    408f6f6239a4a11913f012d7a6ba8d7c48896312a894d574b892553aeb6658ad1f4599d1cc899beb2e762c6496654077dfbe253e0f4a53d63a5dd1327f1d570a

  • SSDEEP

    1536:ElDBb5dZjeQ+3uYkkf9pWbkoxy061cOirS0LpHn2TfaS:Ell5/7+3uYkkXWbk+jOirS0dHEaS

Malware Config

Extracted

Family

xworm

C2

memory-lottery.gl.at.ply.gg:444

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

Signatures

  • Detect Xworm Payload 6 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\XClient.exe
    "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2524
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2412
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1712
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\security'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2604
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'security'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2624
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "security" /tr "C:\Users\Admin\AppData\Roaming\security"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2716
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {2D05C960-03EB-4386-A413-2EB5B18A0275} S-1-5-21-3533259084-2542256011-65585152-1000:XPAJOTIY\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1388
    • C:\Users\Admin\AppData\Roaming\security
      C:\Users\Admin\AppData\Roaming\security
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2344
    • C:\Users\Admin\AppData\Roaming\security
      C:\Users\Admin\AppData\Roaming\security
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:780
    • C:\Users\Admin\AppData\Roaming\security
      C:\Users\Admin\AppData\Roaming\security
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1760
    • C:\Users\Admin\AppData\Roaming\security
      C:\Users\Admin\AppData\Roaming\security
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2276
    • C:\Users\Admin\AppData\Roaming\security
      C:\Users\Admin\AppData\Roaming\security
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1856

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    7KB

    MD5

    9de21f8987fded8537106fde1bd54e9b

    SHA1

    ec7bda7669858022bdc4ba7a8df0b21d167bf0d5

    SHA256

    a1162deb347e23badb3afb6c48860d135651cf9de6dd0f4266c909daf4fdf61a

    SHA512

    2a65fd3435e3ae25faa7595fc23849309959f8a4170199b6745cdaccd02b3e74f2647d4c35482091c44ea7653fee1a12662c17b0c86a3ccd69c02afdaf6730c6

  • C:\Users\Admin\AppData\Roaming\security

    Filesize

    64KB

    MD5

    0b825a60d5232c19548fe6bee6eceaf7

    SHA1

    70b29e65c74ee6d11dd99ab644ea967efd868aa2

    SHA256

    ad13779dfed42b4f1fc882216a9157bc65aee15f058b784ea809b86fceae34af

    SHA512

    408f6f6239a4a11913f012d7a6ba8d7c48896312a894d574b892553aeb6658ad1f4599d1cc899beb2e762c6496654077dfbe253e0f4a53d63a5dd1327f1d570a

  • memory/780-39-0x0000000000E60000-0x0000000000E76000-memory.dmp

    Filesize

    88KB

  • memory/1712-14-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

    Filesize

    2.9MB

  • memory/1712-15-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

    Filesize

    32KB

  • memory/1856-44-0x0000000000BC0000-0x0000000000BD6000-memory.dmp

    Filesize

    88KB

  • memory/2276-42-0x0000000000260000-0x0000000000276000-memory.dmp

    Filesize

    88KB

  • memory/2344-36-0x00000000003C0000-0x00000000003D6000-memory.dmp

    Filesize

    88KB

  • memory/2412-8-0x0000000001FC0000-0x0000000001FC8000-memory.dmp

    Filesize

    32KB

  • memory/2412-6-0x0000000002B60000-0x0000000002BE0000-memory.dmp

    Filesize

    512KB

  • memory/2412-7-0x000000001B610000-0x000000001B8F2000-memory.dmp

    Filesize

    2.9MB

  • memory/2524-30-0x000000001B3F0000-0x000000001B470000-memory.dmp

    Filesize

    512KB

  • memory/2524-1-0x0000000000830000-0x0000000000846000-memory.dmp

    Filesize

    88KB

  • memory/2524-32-0x000000001B3F0000-0x000000001B470000-memory.dmp

    Filesize

    512KB

  • memory/2524-31-0x000007FEF6003000-0x000007FEF6004000-memory.dmp

    Filesize

    4KB

  • memory/2524-0-0x000007FEF6003000-0x000007FEF6004000-memory.dmp

    Filesize

    4KB