Analysis

- max time kernel: 138s
- max time network: 148s
- platform: windows7_x64
- resource: win7-20240729-en
- resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
- submitted: 28/02/2025, 18:24
Behavioral task: behavioral1
- Sample: Xeno.exe
- Resource: win7-20240729-en

Behavioral task: behavioral2
- Sample: Xeno.exe
- Resource: win10v2004-20250217-en
General

- Target: Xeno.exe
- Size: 69KB
- MD5: 4e8074b05433894b629f67b4770d5474
- SHA1: f71e57d6bda8a72a7760d358e63664136b8a7bb7
- SHA256: 480c3389177a32a663b3c484507f00a646a6b4a10c3532527bdc0dcd78c7d259
- SHA512: de0726f1335c757925170f496181ee66b29231034c6ab205f54fc265370485bbf1eedfadaaba4b57fd78d6057860630ccd1bada035d71ae74b8f0a5349329e89
- SSDEEP: 1536:2SuDiZ0QURBoIKoPyS2I+bqpO1Xd7UEx6M0O8RLZ68i:2SuDaURKkPJt+bwwURO85M8i
Malware Config

Extracted family: xworm
- C2: cause-indexes.gl.at.ply.gg:17210
- Install_directory: %AppData%
- install_file: XClient.exe
Signatures

Detect Xworm Payload (1 IoCs)
resource | yara_rule
behavioral1/memory/2120-1-0x00000000012E0000-0x00000000012F6000-memory.dmp | family_xworm

Xworm family

Command and Scripting Interpreter: PowerShell (1 TTPs, 4 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
2712 | powershell.exe
2444 | powershell.exe
1940 | powershell.exe
2268 | powershell.exe

Drops startup file (2 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | Xeno.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | Xeno.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe" | Xeno.exe

Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XBackground.bmp" | Xeno.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE

Modifies Internet Explorer settings
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{95720321-F601-11EF-85F9-DEBA79BDEBEA} = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IntelliForms | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\InternetRegistry | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\PageSetup | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Zoom | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\GPU | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe

Suspicious behavior: EnumeratesProcesses (5 IoCs)
pid | Process
2712 | powershell.exe
2444 | powershell.exe
1940 | powershell.exe
2268 | powershell.exe
2120 | Xeno.exe

Suspicious use of AdjustPrivilegeToken (6 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2120 | Xeno.exe
Token: SeDebugPrivilege | 2712 | powershell.exe
Token: SeDebugPrivilege | 2444 | powershell.exe
Token: SeDebugPrivilege | 1940 | powershell.exe
Token: SeDebugPrivilege | 2268 | powershell.exe
Token: SeDebugPrivilege | 2120 | Xeno.exe

Suspicious use of FindShellTrayWindow (1 IoCs)
pid | Process
2076 | iexplore.exe

Suspicious use of SetWindowsHookEx (7 IoCs)
pid | Process
2120 | Xeno.exe
2076 | iexplore.exe
2076 | iexplore.exe
1168 | IEXPLORE.EXE
1168 | IEXPLORE.EXE
1168 | IEXPLORE.EXE
1168 | IEXPLORE.EXE

Suspicious use of WriteProcessMemory (19 IoCs)
description | pid | Process | procid_target
PID 2120 wrote to memory of 2712 | 2120 | Xeno.exe | 30
PID 2120 wrote to memory of 2712 | 2120 | Xeno.exe | 30
PID 2120 wrote to memory of 2712 | 2120 | Xeno.exe | 30
PID 2120 wrote to memory of 2444 | 2120 | Xeno.exe | 32
PID 2120 wrote to memory of 2444 | 2120 | Xeno.exe | 32
PID 2120 wrote to memory of 2444 | 2120 | Xeno.exe | 32
PID 2120 wrote to memory of 1940 | 2120 | Xeno.exe | 34
PID 2120 wrote to memory of 1940 | 2120 | Xeno.exe | 34
PID 2120 wrote to memory of 1940 | 2120 | Xeno.exe | 34
PID 2120 wrote to memory of 2268 | 2120 | Xeno.exe | 36
PID 2120 wrote to memory of 2268 | 2120 | Xeno.exe | 36
PID 2120 wrote to memory of 2268 | 2120 | Xeno.exe | 36
PID 2120 wrote to memory of 2076 | 2120 | Xeno.exe | 40
PID 2120 wrote to memory of 2076 | 2120 | Xeno.exe | 40
PID 2120 wrote to memory of 2076 | 2120 | Xeno.exe | 40
PID 2076 wrote to memory of 1168 | 2076 | iexplore.exe | 41
PID 2076 wrote to memory of 1168 | 2076 | iexplore.exe | 41
PID 2076 wrote to memory of 1168 | 2076 | iexplore.exe | 41
PID 2076 wrote to memory of 1168 | 2076 | iexplore.exe | 41
Processes

C:\Users\Admin\AppData\Local\Temp\Xeno.exe (depth 1, PID 2120)
Command line: "C:\Users\Admin\AppData\Local\Temp\Xeno.exe"
- Drops startup file
- Adds Run key to start application
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2, PID 2712)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Xeno.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2, PID 2444)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Xeno.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2, PID 1940)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2, PID 2268)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

    C:\Program Files\Internet Explorer\iexplore.exe (depth 2, PID 2076)
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\How To Decrypt My Files.html
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (depth 3, PID 1168)
        Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2076 CREDAT:275457 /prefetch:2
        - System Location Discovery: System Language Discovery
        - Modifies Internet Explorer settings
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
- Filesize: 344B
- MD5: 90445e2006eddf4d4f4c913c02034706
- SHA1: f1defedbfa05bdc89a65e30ae06ff8f0bbf18c9d
- SHA256: 18f597df61b64b4d5beeebaf7d64f7228db4a028fd06934544cd230fe59cacdf
- SHA512: 5d9d44b05e74f648e54a7ed6fb5f5dfd222c96f9165db0ac0a1c6ad173437f20651ad06778d9e0c7d7578248d52b9fc8e8827f6e2b3321c48fa6faae625c9247

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
- Filesize: 344B
- MD5: ee9d510c9e83c23343de2de4d5645a42
- SHA1: a2586d8ece61437c08535cbe20b923e358f311a9
- SHA256: 9a675703eea760abece51b4ca0d9ed9e685c85e63442d803aa3af6fe6aa77a74
- SHA512: 62317b858e7fdfec06163749e376d2df6c12c9e76e69f17515ea07485f9a7c8240cf648b7216ee1e361dc68e513fccbb5d8e401caaaa07eb664df3704afa0798

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
- Filesize: 344B
- MD5: fe286f9ce20403bea770a57b28b53edf
- SHA1: 23c3fcd6eee0a06de9f757793cd1f86d390c9dc3
- SHA256: b8d6728647f4de8e19219b91c324cf0005abce28206f996543ce1ab834132256
- SHA512: f5944597c21582b92a7cf9c9dcbbbd29ad94d8a2c6dc825b45f7df0c0058b76a5330ec906104f8574907bdff459e618052e6af5240dc299c48f3df10480595e5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
- Filesize: 344B
- MD5: 943b9e1abcd8292615a0f03e569ed9c4
- SHA1: 0e8ab783601b36ef6f058a25d6b9a0620bd898ef
- SHA256: 92471387d408340b50570092f091f4a638fbeadc55163888144c4d0d03b19ee1
- SHA512: 8e5cfcda3ee43c7e375b7817142299d753a6702c81ad498afb221e11ee3db06f841703c93932ac544344043115934bd5834c5fe62fc847756b27ec0bd13d99f0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
- Filesize: 344B
- MD5: d175cf43fc1d186ad5da3c6511a431e9
- SHA1: 807e8279b955a7920315f77cbffde32a043b307d
- SHA256: 61c43cfd6fde0b5ff2f0cf973f046ee135c380f1a046f3705a6e8e1e76922a12
- SHA512: 43020753836445c14b39c5aa44a88b70b327ede0fb0d3afc54e5f2797d39a093aa32ef91b040283f380c7ce1dc979617156efa0adcc8b3f3478f858f584a5004

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
- Filesize: 344B
- MD5: d10294655f63a0aacdb6230d7028ce1d
- SHA1: 0b1dc08a3954283ce9163c796ce68a402bc7003f
- SHA256: a48870effa9d4c14356e72d3af1b7aa62788e9120906a6446c65a2cf3694e153
- SHA512: 5b2de0d04c69de66cf8751068d662063e2fa6d71893450ac34d20737b5620621b167f8844b9b88ced211aa8c68485a66f1af772a79b4b7ce0911c35357c10326

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
- Filesize: 344B
- MD5: 8622c125a6f1011d1311f24a7d3ec93e
- SHA1: dc7030dbc6e6cb6f51134c0ae4a128a08d35bd87
- SHA256: e5b1fc11fbdd62e3161212c6937698c0d0552b22e1fa99e8e2bc2162efb21266
- SHA512: 65b38ef1123866c8a9f0ea1dc4201229314aeed1129a1c7cedfcc21b718b98de5eba2698f43737344f2946abcfbfbe38ef5ea1d20b2a6bb164d22181956785c7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
- Filesize: 344B
- MD5: 2153e805ef0ecb40f9f500701fde3c34
- SHA1: 406b2d47e7d2fb0c0310156dd49b24184c3756fb
- SHA256: f467c5efbfa0aabf1e99d1ab6700441f8f26de76becb969d94a7c18e05acb0be
- SHA512: 66b2650e49e8eec8ebabe6b363e268a7eff9a5e34c4a92c2399e87307e9a5d7f3ef756c29c885f5a7d4dabaec9b2e71431354bcf5519acf7480863089b0e65b2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
- Filesize: 344B
- MD5: 5fe1c408546563901b1fafabb8850067
- SHA1: d6f23dd995fda4352c966a55df87bd199829b5b4
- SHA256: a7bba8b38e99771e8494c8b0ba104c9e5158a7a2a9efeeefd41ea98c67a6f39a
- SHA512: eb679e0d347f1012fc9fd9df368f8496d9bf5b5cff99d3000fbd805174a83c3cc39ee961a839a5221306cb2e068169bf8897656bc33881ee9eac512c283662b2

(unnamed file)
- Filesize: 70KB
- MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
- SHA1: 1723be06719828dda65ad804298d0431f6aff976
- SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
- SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

(unnamed file)
- Filesize: 71KB
- MD5: 83142242e97b8953c386f988aa694e4a
- SHA1: 833ed12fc15b356136dcdd27c61a50f59c5c7d50
- SHA256: d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755
- SHA512: bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

(unnamed file)
- Filesize: 183KB
- MD5: 109cab5505f5e065b63d01361467a83b
- SHA1: 4ed78955b9272a9ed689b51bf2bf4a86a25e53fc
- SHA256: ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673
- SHA512: 753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
- Filesize: 7KB
- MD5: a996fc8dd2435a6dabd0a75a9ba55f55
- SHA1: b9838e2c3e7314eb7257364ef6e282eb2c277c2b
- SHA256: 3f894fd00b86f41c66b34b8a914375c6a39ad68f0c9acb3417e3639e4714f813
- SHA512: 80036862e28f24712d231fc0824b38421f284e67296188d35d02c264bd88cd435016d30966cc647e61e9e78cc55edf1d22f666f2406dec13daa75288689783b3

(unnamed file)
- Filesize: 615B
- MD5: c8058e48fa2af8c6e4f06ac7a9de88a4
- SHA1: 96094df3149dc794cdc754337a1c9684570fee50
- SHA256: 79c979cc37bf6c0ef530f7bd175d5526efd8fa6b67cc6c8441c19495ba2bc8f7
- SHA512: ad588db70ad649269f5e5ba774a12f60340085baac77400374799253b1802e0fe6969e909fd698db9849ac39f050d0ef150deebc5d213fdf823c4d6b8308e914

C:\Users\Admin\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms.ENC
- Filesize: 16B
- MD5: 42ab8eb81ebc2164308608f18f7560ef
- SHA1: 81588de100799eebec78d9af8d71f9cb89948799
- SHA256: abdfbe7d9a59525c979e68d11df044e12fd4746957602306364dd94aa4a27955
- SHA512: 80c76b340ee62e8187681acea809d49afbff98ae2a3038926ca8a62508cc28767e0c5d70b9cf38fe4fd0384f76cea09e34da573f05737da4bcd4d1d4666c2446