Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

Xeno.exe

windows7-x64

10

Xeno.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    138s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    28/02/2025, 18:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Xeno.exe

  • Size

    69KB

  • MD5

    4e8074b05433894b629f67b4770d5474

  • SHA1

    f71e57d6bda8a72a7760d358e63664136b8a7bb7

  • SHA256

    480c3389177a32a663b3c484507f00a646a6b4a10c3532527bdc0dcd78c7d259

  • SHA512

    de0726f1335c757925170f496181ee66b29231034c6ab205f54fc265370485bbf1eedfadaaba4b57fd78d6057860630ccd1bada035d71ae74b8f0a5349329e89

  • SSDEEP

    1536:2SuDiZ0QURBoIKoPyS2I+bqpO1Xd7UEx6M0O8RLZ68i:2SuDaURKkPJt+bwwURO85M8i

Score
10/10
xwormdiscoveryexecutionpersistenceransomwarerattrojan

Malware Config

Extracted

Family

xworm

C2

cause-indexes.gl.at.ply.gg:17210

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 28 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Xeno.exe
    "C:\Users\Admin\AppData\Local\Temp\Xeno.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Sets desktop wallpaper using registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2120
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Xeno.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2712
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Xeno.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2444
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1940
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2268
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\How To Decrypt My Files.html
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2076
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2076 CREDAT:275457 /prefetch:2
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1168

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    90445e2006eddf4d4f4c913c02034706

    SHA1

    f1defedbfa05bdc89a65e30ae06ff8f0bbf18c9d

    SHA256

    18f597df61b64b4d5beeebaf7d64f7228db4a028fd06934544cd230fe59cacdf

    SHA512

    5d9d44b05e74f648e54a7ed6fb5f5dfd222c96f9165db0ac0a1c6ad173437f20651ad06778d9e0c7d7578248d52b9fc8e8827f6e2b3321c48fa6faae625c9247

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    ee9d510c9e83c23343de2de4d5645a42

    SHA1

    a2586d8ece61437c08535cbe20b923e358f311a9

    SHA256

    9a675703eea760abece51b4ca0d9ed9e685c85e63442d803aa3af6fe6aa77a74

    SHA512

    62317b858e7fdfec06163749e376d2df6c12c9e76e69f17515ea07485f9a7c8240cf648b7216ee1e361dc68e513fccbb5d8e401caaaa07eb664df3704afa0798

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    fe286f9ce20403bea770a57b28b53edf

    SHA1

    23c3fcd6eee0a06de9f757793cd1f86d390c9dc3

    SHA256

    b8d6728647f4de8e19219b91c324cf0005abce28206f996543ce1ab834132256

    SHA512

    f5944597c21582b92a7cf9c9dcbbbd29ad94d8a2c6dc825b45f7df0c0058b76a5330ec906104f8574907bdff459e618052e6af5240dc299c48f3df10480595e5

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    943b9e1abcd8292615a0f03e569ed9c4

    SHA1

    0e8ab783601b36ef6f058a25d6b9a0620bd898ef

    SHA256

    92471387d408340b50570092f091f4a638fbeadc55163888144c4d0d03b19ee1

    SHA512

    8e5cfcda3ee43c7e375b7817142299d753a6702c81ad498afb221e11ee3db06f841703c93932ac544344043115934bd5834c5fe62fc847756b27ec0bd13d99f0

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    d175cf43fc1d186ad5da3c6511a431e9

    SHA1

    807e8279b955a7920315f77cbffde32a043b307d

    SHA256

    61c43cfd6fde0b5ff2f0cf973f046ee135c380f1a046f3705a6e8e1e76922a12

    SHA512

    43020753836445c14b39c5aa44a88b70b327ede0fb0d3afc54e5f2797d39a093aa32ef91b040283f380c7ce1dc979617156efa0adcc8b3f3478f858f584a5004

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    d10294655f63a0aacdb6230d7028ce1d

    SHA1

    0b1dc08a3954283ce9163c796ce68a402bc7003f

    SHA256

    a48870effa9d4c14356e72d3af1b7aa62788e9120906a6446c65a2cf3694e153

    SHA512

    5b2de0d04c69de66cf8751068d662063e2fa6d71893450ac34d20737b5620621b167f8844b9b88ced211aa8c68485a66f1af772a79b4b7ce0911c35357c10326

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    8622c125a6f1011d1311f24a7d3ec93e

    SHA1

    dc7030dbc6e6cb6f51134c0ae4a128a08d35bd87

    SHA256

    e5b1fc11fbdd62e3161212c6937698c0d0552b22e1fa99e8e2bc2162efb21266

    SHA512

    65b38ef1123866c8a9f0ea1dc4201229314aeed1129a1c7cedfcc21b718b98de5eba2698f43737344f2946abcfbfbe38ef5ea1d20b2a6bb164d22181956785c7

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    2153e805ef0ecb40f9f500701fde3c34

    SHA1

    406b2d47e7d2fb0c0310156dd49b24184c3756fb

    SHA256

    f467c5efbfa0aabf1e99d1ab6700441f8f26de76becb969d94a7c18e05acb0be

    SHA512

    66b2650e49e8eec8ebabe6b363e268a7eff9a5e34c4a92c2399e87307e9a5d7f3ef756c29c885f5a7d4dabaec9b2e71431354bcf5519acf7480863089b0e65b2

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    5fe1c408546563901b1fafabb8850067

    SHA1

    d6f23dd995fda4352c966a55df87bd199829b5b4

    SHA256

    a7bba8b38e99771e8494c8b0ba104c9e5158a7a2a9efeeefd41ea98c67a6f39a

    SHA512

    eb679e0d347f1012fc9fd9df368f8496d9bf5b5cff99d3000fbd805174a83c3cc39ee961a839a5221306cb2e068169bf8897656bc33881ee9eac512c283662b2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Cab1A86.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Cab1B14.tmp
    Filesize

    71KB

    MD5

    83142242e97b8953c386f988aa694e4a

    SHA1

    833ed12fc15b356136dcdd27c61a50f59c5c7d50

    SHA256

    d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

    SHA512

    bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tar1B29.tmp
    Filesize

    183KB

    MD5

    109cab5505f5e065b63d01361467a83b

    SHA1

    4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

    SHA256

    ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

    SHA512

    753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    a996fc8dd2435a6dabd0a75a9ba55f55

    SHA1

    b9838e2c3e7314eb7257364ef6e282eb2c277c2b

    SHA256

    3f894fd00b86f41c66b34b8a914375c6a39ad68f0c9acb3417e3639e4714f813

    SHA512

    80036862e28f24712d231fc0824b38421f284e67296188d35d02c264bd88cd435016d30966cc647e61e9e78cc55edf1d22f666f2406dec13daa75288689783b3

    Download Submit

  • C:\Users\Admin\Desktop\How To Decrypt My Files.html
    Filesize

    615B

    MD5

    c8058e48fa2af8c6e4f06ac7a9de88a4

    SHA1

    96094df3149dc794cdc754337a1c9684570fee50

    SHA256

    79c979cc37bf6c0ef530f7bd175d5526efd8fa6b67cc6c8441c19495ba2bc8f7

    SHA512

    ad588db70ad649269f5e5ba774a12f60340085baac77400374799253b1802e0fe6969e909fd698db9849ac39f050d0ef150deebc5d213fdf823c4d6b8308e914

    Download Submit

  • C:\Users\Admin\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms.ENC
    Filesize

    16B

    MD5

    42ab8eb81ebc2164308608f18f7560ef

    SHA1

    81588de100799eebec78d9af8d71f9cb89948799

    SHA256

    abdfbe7d9a59525c979e68d11df044e12fd4746957602306364dd94aa4a27955

    SHA512

    80c76b340ee62e8187681acea809d49afbff98ae2a3038926ca8a62508cc28767e0c5d70b9cf38fe4fd0384f76cea09e34da573f05737da4bcd4d1d4666c2446

    Download Submit

  • memory/2120-35-0x0000000000DA0000-0x0000000000DAC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2120-0-0x000007FEF6853000-0x000007FEF6854000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2120-34-0x0000000000A80000-0x0000000000A8C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2120-32-0x000000001B370000-0x000000001B3F0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2120-31-0x000007FEF6853000-0x000007FEF6854000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2120-30-0x000000001B370000-0x000000001B3F0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2120-1-0x00000000012E0000-0x00000000012F6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2444-15-0x0000000001FC0000-0x0000000001FC8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2444-14-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2712-8-0x0000000002170000-0x0000000002178000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2712-7-0x000000001B530000-0x000000001B812000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2712-6-0x00000000020D0000-0x0000000002150000-memory.dmp

    Filesize

    512KB

    Download