Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
118s -
max time network
94s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
22/01/2025, 15:19
General
-
Target
37df6c75773a17be3487e82ca20139252d7c5ca15e0cc4fd08a0b93ae87adbd3.exe
-
Size
52KB
-
MD5
02279d272e81a497330f22cfa866dc54
-
SHA1
11228964549687fcabdc66a3059cd75fcf18bdcd
-
SHA256
37df6c75773a17be3487e82ca20139252d7c5ca15e0cc4fd08a0b93ae87adbd3
-
SHA512
9eff45b22dadec11c640f97d994d6e744aa17f9fb8131eecfdf431a6e2cb18f7b9e1eb29717377430c4c7c48a71ba2ef0afc7c55eea7974b2d46372ccb2c9f67
-
SSDEEP
1536:cpHDSBc87/UWF70l/Crbi/OZu71Omwkn2OBCyO:cYW8rHF70l/Ybi/HOt+fTO
Malware Config
Extracted
xworm
127.0.0.1:8848
u-football.gl.at.ply.gg:8848
-
Install_directory
%AppData%
-
install_file
XClient.exe
Signatures
-
Detect Xworm Payload 3 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Drops startup file 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\37df6c75773a17be3487e82ca20139252d7c5ca15e0cc4fd08a0b93ae87adbd3.exe"C:\Users\Admin\AppData\Local\Temp\37df6c75773a17be3487e82ca20139252d7c5ca15e0cc4fd08a0b93ae87adbd3.exe"1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {4DE34E0B-F0C5-439C-A61B-C05FDE05B9E9} S-1-5-21-2872745919-2748461613-2989606286-1000:CCJBVTGQ\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\XClient.exeC:\Users\Admin\AppData\Roaming\XClient.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
52KB
MD502279d272e81a497330f22cfa866dc54
SHA111228964549687fcabdc66a3059cd75fcf18bdcd
SHA25637df6c75773a17be3487e82ca20139252d7c5ca15e0cc4fd08a0b93ae87adbd3
SHA5129eff45b22dadec11c640f97d994d6e744aa17f9fb8131eecfdf431a6e2cb18f7b9e1eb29717377430c4c7c48a71ba2ef0afc7c55eea7974b2d46372ccb2c9f67
-
Filesize
4KB
-
Filesize
80KB
-
Filesize
9.9MB
-
Filesize
4KB
-
Filesize
9.9MB
-
Filesize
80KB