Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Resubmissions

07/02/2025, 03:53

250207-efrtqsxpd1 10

07/02/2025, 03:51

250207-eerscayrhk 10

07/02/2025, 01:20

250207-bqhr2avpck 10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    07/02/2025, 01:20

General

  • Target

    XWorm V6.0.exe

  • Size

    21.6MB

  • MD5

    ba23d65ef70b05cd3b04dfcbbd801059

  • SHA1

    5c241dc3d79f61bdf82d091bfe29bca2e641d802

  • SHA256

    0712085082841796a11be3e988c1cc131d1608809321683d4e4482363f616e0d

  • SHA512

    d32a4838ca544b9b4764bb99b716faf797aa194199151426a8848c1ed27b5f2428629324d30f15db138ff56d34d46233e3ef106ad416eff29de43eb8ade0eff9

  • SSDEEP

    393216:6JSgxj4gebngiHe2bD616QWBbdw6s8qaPNL1Zjo7YOiFSbzPQWrGMYV3j+cintc:4agiHe2n61Ub1fqY1Z8WSPFrlNHnt

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

WcpxqjjxSrB6UOUw

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

  • pastebin_url

    https://pastebin.com/raw/RPPi3ByL

  • telegram

    https://api.telegram.org/bot7483240807:AAHWuUBi6sW9ZOb0kfXVbzbMVyLtPj-9vZY/sendMessage?chat_id=5279018187

aes.plain
aes.plain
aes.plain

Extracted

Family

stealerium

C2

https://api.telegram.org/bot7204924753:AAFaqmmBR9ybp4-iE8BA2YCiFNUbOEd0Ljk/sendMessage?chat_id=

Attributes

Signatures

  • Detect Xworm Payload 12 IoCs
  • Stealerium

    An open source info stealer written in C# first seen in May 2022.

  • Stealerium family
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Drops startup file 6 IoCs
  • Executes dropped EXE 14 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
  • Kills process with taskkill 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 22 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\XWorm V6.0.exe
    "C:\Users\Admin\AppData\Local\Temp\XWorm V6.0.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1628
    • C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe
      "C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2524
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:1892
    • C:\Users\Admin\AppData\Local\Temp\OneDrive.exe
      "C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2684
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\OneDrive.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2620
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2836
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\OneDrive.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1680
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2164
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "OneDrive" /tr "C:\ProgramData\OneDrive.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2232
    • C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2696
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2636
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:388
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\msedge.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1144
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3060
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\Users\Admin\AppData\Local\msedge.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:1676
    • C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
      "C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2812
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 2812 -s 732
        3⤵
          PID:1928
      • C:\Users\Admin\AppData\Local\Temp\update.dotnet.exe
        "C:\Users\Admin\AppData\Local\Temp\update.dotnet.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2752
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\05229cad-6f20-458d-80bc-687965d38809.bat"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2168
          • C:\Windows\system32\chcp.com
            chcp 65001
            4⤵
              PID:1216
            • C:\Windows\system32\taskkill.exe
              taskkill /F /PID 2752
              4⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:1988
            • C:\Windows\system32\timeout.exe
              timeout /T 2 /NOBREAK
              4⤵
              • Delays execution with timeout.exe
              PID:1700
      • C:\Windows\system32\taskeng.exe
        taskeng.exe {11EF3012-1279-433C-9AE1-661FFC6EC285} S-1-5-21-4177215427-74451935-3209572229-1000:JSMURNPT\Admin:Interactive:[1]
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:1784
        • C:\Users\Admin\AppData\Local\msedge.exe
          C:\Users\Admin\AppData\Local\msedge.exe
          2⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:2564
        • C:\ProgramData\OneDrive.exe
          C:\ProgramData\OneDrive.exe
          2⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:2256
        • C:\Users\Admin\AppData\Roaming\XClient.exe
          C:\Users\Admin\AppData\Roaming\XClient.exe
          2⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:996
        • C:\Users\Admin\AppData\Local\msedge.exe
          C:\Users\Admin\AppData\Local\msedge.exe
          2⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:1960
        • C:\ProgramData\OneDrive.exe
          C:\ProgramData\OneDrive.exe
          2⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:1728
        • C:\Users\Admin\AppData\Roaming\XClient.exe
          C:\Users\Admin\AppData\Roaming\XClient.exe
          2⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:1268
        • C:\Users\Admin\AppData\Local\msedge.exe
          C:\Users\Admin\AppData\Local\msedge.exe
          2⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:2320
        • C:\ProgramData\OneDrive.exe
          C:\ProgramData\OneDrive.exe
          2⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:1660
        • C:\Users\Admin\AppData\Roaming\XClient.exe
          C:\Users\Admin\AppData\Roaming\XClient.exe
          2⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:1956

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\05229cad-6f20-458d-80bc-687965d38809.bat

        Filesize

        152B

        MD5

        23a3c62b8917080042d2839b3531d3d6

        SHA1

        57d7c1fb265bebd3d9bae8f9a801bd5ffaab78ae

        SHA256

        71cd2d113443e09ebed9d207f9c5ea79bd08897573a407783a7b5b8e4e9cc69a

        SHA512

        3b0350192469bfaa4fc9dab23bfe2372c54563b74bcae68fe3cd35ff67e91fbf070279d4d5711f6f676ee61e1bc6d8cf8470d16cfdecf755c29f6ab82b64eb62

      • C:\Users\Admin\AppData\Local\Temp\CabC361.tmp

        Filesize

        70KB

        MD5

        49aebf8cbd62d92ac215b2923fb1b9f5

        SHA1

        1723be06719828dda65ad804298d0431f6aff976

        SHA256

        b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

        SHA512

        bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

      • C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe

        Filesize

        153KB

        MD5

        8b8585c779df2f6df99f749d3b07f146

        SHA1

        b553267f8e6f2bb6531ca2cb330e0d6b7bc41a1d

        SHA256

        4a9d13e9b68d26c6feb71856b7a61a2a1b8f2dc1c7aaa9ad5dfd5609b5a2da6c

        SHA512

        b89cae4386d0b8173b87533b5af3d863a188836185d105d6007786ba0e415537e84b759b8c22b37430ee544c554db9f50aa21466c5549c8b80c4f5a3fa6cb5c7

      • C:\Users\Admin\AppData\Local\Temp\OneDrive.exe

        Filesize

        140KB

        MD5

        a1cd6f4a3a37ed83515aa4752f98eb1d

        SHA1

        7f787c8d72787d8d130b4788b006b799167d1802

        SHA256

        5cbcc0a0c1d74cd54ac999717b0ff0607fe6ed02cca0a3e0433dd94783cfec65

        SHA512

        9489287e0b4925345fee05fe2f6e6f12440af1425ef397145e32e6f80c7ae98b530e42002d92dc156643f9829bc8a3b969e855cecd2265b6616c4514eed00355

      • C:\Users\Admin\AppData\Local\Temp\TarC373.tmp

        Filesize

        181KB

        MD5

        4ea6026cf93ec6338144661bf1202cd1

        SHA1

        a1dec9044f750ad887935a01430bf49322fbdcb7

        SHA256

        8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

        SHA512

        6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

      • C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe

        Filesize

        14.9MB

        MD5

        56ccb739926a725e78a7acf9af52c4bb

        SHA1

        5b01b90137871c3c8f0d04f510c4d56b23932cbc

        SHA256

        90f58865f265722ab007abb25074b3fc4916e927402552c6be17ef9afac96405

        SHA512

        2fee662bc4a1a36ce7328b23f991fa4a383b628839e403d6eb6a9533084b17699a6c939509867a86e803aafef2f9def98fa9305b576dad754aa7f599920c19a1

      • C:\Users\Admin\AppData\Local\Temp\msedge.exe

        Filesize

        166KB

        MD5

        aee20d80f94ae0885bb2cabadb78efc9

        SHA1

        1e82eba032fcb0b89e1fdf937a79133a5057d0a1

        SHA256

        498eb55b3fb4c4859ee763a721870bb60ecd57e99f66023b69d8a258efa3af7d

        SHA512

        3a05ff32b9aa79092578c09dfe67eaca23c6fe8383111dab05117f39d91f27670029f39482827d191bd6a652483202b8fc1813f8d5a0f3f73fd35ca37a4f6d42

      • C:\Users\Admin\AppData\Local\Temp\update.dotnet.exe

        Filesize

        6.1MB

        MD5

        b3899dd5602b3587ee487ba34d7cfd47

        SHA1

        ace70e4fcea9b819eaf5bda4453866698252357f

        SHA256

        28c53ad86d705da7e21a1c0cbc996e15ab8f024368aa031b025d05f3dfdbeb2e

        SHA512

        104b8252db4e9a88e388370a6def71e0cbb536604d5a41ac60169a35a9662980d1359000d5ea316f29deb4c534678e86e266bba12bb0b658f2666d13b26c200a

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YR46OXZTGMBE5EFB1ZIF.temp

        Filesize

        7KB

        MD5

        b6191f89094d3ee1a4c6aa78d07f8998

        SHA1

        0d2363ae4521ed6fa341ad5a4df34456da20890a

        SHA256

        88c660c1b6ba073bad13c1ed72e73a1fd80f7bfd529ceaedfc9bbfcdefb6e0e8

        SHA512

        8028d0baee14a34089bf9f314f1ad2a038b7bbcaf8feb1553753b29eefbbc861c457b2c4bcc7a082dd28f6c047ab7a99dd3d76c9c077a957187fae01aa280643

      • memory/388-56-0x000000001B580000-0x000000001B862000-memory.dmp

        Filesize

        2.9MB

      • memory/388-57-0x0000000001D00000-0x0000000001D08000-memory.dmp

        Filesize

        32KB

      • memory/996-256-0x0000000001230000-0x000000000125C000-memory.dmp

        Filesize

        176KB

      • memory/1268-264-0x00000000001D0000-0x00000000001FC000-memory.dmp

        Filesize

        176KB

      • memory/1628-1-0x0000000000250000-0x00000000017E4000-memory.dmp

        Filesize

        21.6MB

      • memory/1628-0-0x000007FEF5AC3000-0x000007FEF5AC4000-memory.dmp

        Filesize

        4KB

      • memory/1728-262-0x00000000013C0000-0x00000000013E8000-memory.dmp

        Filesize

        160KB

      • memory/1956-268-0x0000000000A70000-0x0000000000A9C000-memory.dmp

        Filesize

        176KB

      • memory/2256-255-0x0000000000B60000-0x0000000000B88000-memory.dmp

        Filesize

        160KB

      • memory/2524-143-0x000007FEF5AC0000-0x000007FEF64AC000-memory.dmp

        Filesize

        9.9MB

      • memory/2524-20-0x000007FEF5AC0000-0x000007FEF64AC000-memory.dmp

        Filesize

        9.9MB

      • memory/2524-13-0x00000000010D0000-0x00000000010FC000-memory.dmp

        Filesize

        176KB

      • memory/2564-251-0x0000000001380000-0x00000000013AE000-memory.dmp

        Filesize

        184KB

      • memory/2620-43-0x000000001B650000-0x000000001B932000-memory.dmp

        Filesize

        2.9MB

      • memory/2620-44-0x0000000002240000-0x0000000002248000-memory.dmp

        Filesize

        32KB

      • memory/2684-14-0x0000000000D80000-0x0000000000DA8000-memory.dmp

        Filesize

        160KB

      • memory/2696-19-0x0000000000CE0000-0x0000000000D0E000-memory.dmp

        Filesize

        184KB

      • memory/2752-33-0x00000000002C0000-0x00000000008D6000-memory.dmp

        Filesize

        6.1MB

      • memory/2812-27-0x0000000000820000-0x0000000001708000-memory.dmp

        Filesize

        14.9MB