Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 297s
max time network: 295s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 19/01/2025, 20:38
Behavioral task: behavioral1
Sample: XClient.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: XClient.exe
Resource: win10v2004-20241007-en
General
Target: XClient.exe
Size: 64KB
MD5: 0b825a60d5232c19548fe6bee6eceaf7
SHA1: 70b29e65c74ee6d11dd99ab644ea967efd868aa2
SHA256: ad13779dfed42b4f1fc882216a9157bc65aee15f058b784ea809b86fceae34af
SHA512: 408f6f6239a4a11913f012d7a6ba8d7c48896312a894d574b892553aeb6658ad1f4599d1cc899beb2e762c6496654077dfbe253e0f4a53d63a5dd1327f1d570a
SSDEEP: 1536:ElDBb5dZjeQ+3uYkkf9pWbkoxy061cOirS0LpHn2TfaS:Ell5/7+3uYkkXWbk+jOirS0dHEaS
Malware Config
Extracted family: xworm
C2: memory-lottery.gl.at.ply.gg:444
Install_directory: %AppData%
install_file: USB.exe
Signatures

Detect Xworm Payload (6 IoCs)
resource                                                                      yara_rule
behavioral1/memory/2524-1-0x0000000000830000-0x0000000000846000-memory.dmp    family_xworm
behavioral1/files/0x000a000000019228-34.dat                                   family_xworm
behavioral1/memory/2344-36-0x00000000003C0000-0x00000000003D6000-memory.dmp   family_xworm
behavioral1/memory/780-39-0x0000000000E60000-0x0000000000E76000-memory.dmp    family_xworm
behavioral1/memory/2276-42-0x0000000000260000-0x0000000000276000-memory.dmp   family_xworm
behavioral1/memory/1856-44-0x0000000000BC0000-0x0000000000BD6000-memory.dmp   family_xworm

Xworm family

Command and Scripting Interpreter: PowerShell (1 TTPs, 4 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid     Process
1712    powershell.exe
2604    powershell.exe
2624    powershell.exe
2412    powershell.exe

Drops startup file (2 IoCs)
description                    ioc                                                                                          Process
File created                   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\security.lnk    XClient.exe
File opened for modification   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\security.lnk    XClient.exe

Executes dropped EXE (5 IoCs)
pid     Process
2344    security
780     security
1760    security
2276    security
1856    security

Adds Run key to start application (2 TTPs, 1 IoCs)
description       ioc                                                                                                                                                                          Process
Set value (str)   \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\security = "C:\\Users\\Admin\\AppData\\Roaming\\security"   XClient.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid     Process
2716    schtasks.exe

Suspicious behavior: AddClipboardFormatListener (1 IoCs)
pid     Process
2524    XClient.exe

Suspicious behavior: EnumeratesProcesses (5 IoCs)
pid     Process
2412    powershell.exe
1712    powershell.exe
2604    powershell.exe
2624    powershell.exe
2524    XClient.exe

Suspicious use of AdjustPrivilegeToken (11 IoCs)
description               pid     Process
Token: SeDebugPrivilege   2524    XClient.exe
Token: SeDebugPrivilege   2412    powershell.exe
Token: SeDebugPrivilege   1712    powershell.exe
Token: SeDebugPrivilege   2604    powershell.exe
Token: SeDebugPrivilege   2624    powershell.exe
Token: SeDebugPrivilege   2524    XClient.exe
Token: SeDebugPrivilege   2344    security
Token: SeDebugPrivilege   780     security
Token: SeDebugPrivilege   1760    security
Token: SeDebugPrivilege   2276    security
Token: SeDebugPrivilege   1856    security

Suspicious use of SetWindowsHookEx (1 IoCs)
pid     Process
2524    XClient.exe

Suspicious use of WriteProcessMemory (30 IoCs)
description                       pid     Process       procid_target
PID 2524 wrote to memory of 2412  2524    XClient.exe   30
PID 2524 wrote to memory of 2412  2524    XClient.exe   30
PID 2524 wrote to memory of 2412  2524    XClient.exe   30
PID 2524 wrote to memory of 1712  2524    XClient.exe   32
PID 2524 wrote to memory of 1712  2524    XClient.exe   32
PID 2524 wrote to memory of 1712  2524    XClient.exe   32
PID 2524 wrote to memory of 2604  2524    XClient.exe   34
PID 2524 wrote to memory of 2604  2524    XClient.exe   34
PID 2524 wrote to memory of 2604  2524    XClient.exe   34
PID 2524 wrote to memory of 2624  2524    XClient.exe   36
PID 2524 wrote to memory of 2624  2524    XClient.exe   36
PID 2524 wrote to memory of 2624  2524    XClient.exe   36
PID 2524 wrote to memory of 2716  2524    XClient.exe   38
PID 2524 wrote to memory of 2716  2524    XClient.exe   38
PID 2524 wrote to memory of 2716  2524    XClient.exe   38
PID 1388 wrote to memory of 2344  1388    taskeng.exe   42
PID 1388 wrote to memory of 2344  1388    taskeng.exe   42
PID 1388 wrote to memory of 2344  1388    taskeng.exe   42
PID 1388 wrote to memory of 780   1388    taskeng.exe   43
PID 1388 wrote to memory of 780   1388    taskeng.exe   43
PID 1388 wrote to memory of 780   1388    taskeng.exe   43
PID 1388 wrote to memory of 1760  1388    taskeng.exe   44
PID 1388 wrote to memory of 1760  1388    taskeng.exe   44
PID 1388 wrote to memory of 1760  1388    taskeng.exe   44
PID 1388 wrote to memory of 2276  1388    taskeng.exe   45
PID 1388 wrote to memory of 2276  1388    taskeng.exe   45
PID 1388 wrote to memory of 2276  1388    taskeng.exe   45
PID 1388 wrote to memory of 1856  1388    taskeng.exe   46
PID 1388 wrote to memory of 1856  1388    taskeng.exe   46
PID 1388 wrote to memory of 1856  1388    taskeng.exe   46

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\XClient.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
  PID: 2524
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
    PID: 2412
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    PID: 1712
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\security'
    PID: 2604
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'security'
    PID: 2624
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "security" /tr "C:\Users\Admin\AppData\Roaming\security"
    PID: 2716
    - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {2D05C960-03EB-4386-A413-2EB5B18A0275} S-1-5-21-3533259084-2542256011-65585152-1000:XPAJOTIY\Admin:Interactive:[1]
  PID: 1388
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\security
    Command line: C:\Users\Admin\AppData\Roaming\security
    PID: 2344
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Roaming\security
    Command line: C:\Users\Admin\AppData\Roaming\security
    PID: 780
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Roaming\security
    Command line: C:\Users\Admin\AppData\Roaming\security
    PID: 1760
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Roaming\security
    Command line: C:\Users\Admin\AppData\Roaming\security
    PID: 2276
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Roaming\security
    Command line: C:\Users\Admin\AppData\Roaming\security
    PID: 1856
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15

Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: 9de21f8987fded8537106fde1bd54e9b
SHA1: ec7bda7669858022bdc4ba7a8df0b21d167bf0d5
SHA256: a1162deb347e23badb3afb6c48860d135651cf9de6dd0f4266c909daf4fdf61a
SHA512: 2a65fd3435e3ae25faa7595fc23849309959f8a4170199b6745cdaccd02b3e74f2647d4c35482091c44ea7653fee1a12662c17b0c86a3ccd69c02afdaf6730c6

(unnamed download)
Filesize: 64KB
MD5: 0b825a60d5232c19548fe6bee6eceaf7
SHA1: 70b29e65c74ee6d11dd99ab644ea967efd868aa2
SHA256: ad13779dfed42b4f1fc882216a9157bc65aee15f058b784ea809b86fceae34af
SHA512: 408f6f6239a4a11913f012d7a6ba8d7c48896312a894d574b892553aeb6658ad1f4599d1cc899beb2e762c6496654077dfbe253e0f4a53d63a5dd1327f1d570a