Analysis
- max time kernel: 118s
- max time network: 94s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 22/01/2025, 15:19
Behavioral task: behavioral1
- Sample: 37df6c75773a17be3487e82ca20139252d7c5ca15e0cc4fd08a0b93ae87adbd3.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 37df6c75773a17be3487e82ca20139252d7c5ca15e0cc4fd08a0b93ae87adbd3.exe
- Resource: win10v2004-20241007-en
General
- Target: 37df6c75773a17be3487e82ca20139252d7c5ca15e0cc4fd08a0b93ae87adbd3.exe
- Size: 52KB
- MD5: 02279d272e81a497330f22cfa866dc54
- SHA1: 11228964549687fcabdc66a3059cd75fcf18bdcd
- SHA256: 37df6c75773a17be3487e82ca20139252d7c5ca15e0cc4fd08a0b93ae87adbd3
- SHA512: 9eff45b22dadec11c640f97d994d6e744aa17f9fb8131eecfdf431a6e2cb18f7b9e1eb29717377430c4c7c48a71ba2ef0afc7c55eea7974b2d46372ccb2c9f67
- SSDEEP: 1536:cpHDSBc87/UWF70l/Crbi/OZu71Omwkn2OBCyO:cYW8rHF70l/Ybi/HOt+fTO
Malware Config
Extracted
- Family: xworm
- C2: 127.0.0.1:8848
- C2: u-football.gl.at.ply.gg:8848
- Install_directory: %AppData%
- install_file: XClient.exe
Signatures
- Detect Xworm Payload (3 IoCs)
  resource | yara_rule
  behavioral1/memory/2508-1-0x0000000001230000-0x0000000001244000-memory.dmp | family_xworm
  behavioral1/files/0x0007000000012117-11.dat | family_xworm
  behavioral1/memory/2812-13-0x0000000000CA0000-0x0000000000CB4000-memory.dmp | family_xworm
- Xworm family
- Drops startup file (2 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | 37df6c75773a17be3487e82ca20139252d7c5ca15e0cc4fd08a0b93ae87adbd3.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | 37df6c75773a17be3487e82ca20139252d7c5ca15e0cc4fd08a0b93ae87adbd3.exe
- Executes dropped EXE (1 IoCs)
  pid | Process
  2812 | XClient.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe" | 37df6c75773a17be3487e82ca20139252d7c5ca15e0cc4fd08a0b93ae87adbd3.exe
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  4 | ip-api.com
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  2704 | schtasks.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2508 | 37df6c75773a17be3487e82ca20139252d7c5ca15e0cc4fd08a0b93ae87adbd3.exe
  Token: SeDebugPrivilege | 2508 | 37df6c75773a17be3487e82ca20139252d7c5ca15e0cc4fd08a0b93ae87adbd3.exe
  Token: SeDebugPrivilege | 2812 | XClient.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 2508 wrote to memory of 2704 | 2508 | 37df6c75773a17be3487e82ca20139252d7c5ca15e0cc4fd08a0b93ae87adbd3.exe | 31
  PID 2508 wrote to memory of 2704 | 2508 | 37df6c75773a17be3487e82ca20139252d7c5ca15e0cc4fd08a0b93ae87adbd3.exe | 31
  PID 2508 wrote to memory of 2704 | 2508 | 37df6c75773a17be3487e82ca20139252d7c5ca15e0cc4fd08a0b93ae87adbd3.exe | 31
  PID 2156 wrote to memory of 2812 | 2156 | taskeng.exe | 35
  PID 2156 wrote to memory of 2812 | 2156 | taskeng.exe | 35
  PID 2156 wrote to memory of 2812 | 2156 | taskeng.exe | 35
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\37df6c75773a17be3487e82ca20139252d7c5ca15e0cc4fd08a0b93ae87adbd3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\37df6c75773a17be3487e82ca20139252d7c5ca15e0cc4fd08a0b93ae87adbd3.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2508
  - C:\Windows\System32\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
    - Scheduled Task/Job: Scheduled Task
    PID: 2704
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {4DE34E0B-F0C5-439C-A61B-C05FDE05B9E9} S-1-5-21-2872745919-2748461613-2989606286-1000:CCJBVTGQ\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  PID: 2156
  - C:\Users\Admin\AppData\Roaming\XClient.exe
    Command line: C:\Users\Admin\AppData\Roaming\XClient.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 2812
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Downloads
- Filesize: 52KB
- MD5: 02279d272e81a497330f22cfa866dc54
- SHA1: 11228964549687fcabdc66a3059cd75fcf18bdcd
- SHA256: 37df6c75773a17be3487e82ca20139252d7c5ca15e0cc4fd08a0b93ae87adbd3
- SHA512: 9eff45b22dadec11c640f97d994d6e744aa17f9fb8131eecfdf431a6e2cb18f7b9e1eb29717377430c4c7c48a71ba2ef0afc7c55eea7974b2d46372ccb2c9f67