Analysis
max time kernel: 147s
max time network: 120s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 28/02/2025, 18:13
Behavioral task: behavioral1
Sample: XClient.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: XClient.exe
Resource: win10v2004-20250217-en
General
Target: XClient.exe
Size: 69KB
MD5: 5f73a7d813ca1b0287eee8e34c8fb97a
SHA1: 2a209a47e6ca2106397aac89674344761f507842
SHA256: fc7e51dc0cdfe45ed4507903bbb9d8442d58dff88ceec8f89ffb354646a2b0c2
SHA512: 9b86f653e162bc632f6288fee4072aea6c3299e744db9f4707fa0f5c51ddb3c7e4aae21c7cf3c9d480ad375c51e4de15de1161a69459a74133f7d1f005796143
SSDEEP: 1536:etpR0NcUa78F6TflB1Um7UG2RbqV9R0nXBHykd19jO7XHb:etn0b6TfysUpRbOsRbvjOLHb
Malware Config
Extracted
Family: xworm
C2: 6.tcp.ngrok.io:17720:17720
Install_directory: %AppData%
install_file: XClient.exe
Signatures

Detect Xworm Payload (4 IoCs)
  resource | yara_rule
  behavioral1/memory/2144-1-0x0000000000C10000-0x0000000000C28000-memory.dmp | family_xworm
  behavioral1/files/0x000c000000012268-10.dat | family_xworm
  behavioral1/memory/2244-12-0x00000000003F0000-0x0000000000408000-memory.dmp | family_xworm
  behavioral1/memory/1136-15-0x00000000000F0000-0x0000000000108000-memory.dmp | family_xworm

Xworm family

Drops startup file (2 IoCs)
  description | ioc | Process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | XClient.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | XClient.exe

Executes dropped EXE (2 IoCs)
  pid | Process
  2244 | XClient.exe
  1136 | XClient.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe" | XClient.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  2948 | schtasks.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2144 | XClient.exe
  Token: SeDebugPrivilege | 2244 | XClient.exe
  Token: SeDebugPrivilege | 1136 | XClient.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 2144 wrote to memory of 2948 | 2144 | XClient.exe | 30
  PID 2144 wrote to memory of 2948 | 2144 | XClient.exe | 30
  PID 2144 wrote to memory of 2948 | 2144 | XClient.exe | 30
  PID 2620 wrote to memory of 2244 | 2620 | taskeng.exe | 33
  PID 2620 wrote to memory of 2244 | 2620 | taskeng.exe | 33
  PID 2620 wrote to memory of 2244 | 2620 | taskeng.exe | 33
  PID 2620 wrote to memory of 1136 | 2620 | taskeng.exe | 35
  PID 2620 wrote to memory of 1136 | 2620 | taskeng.exe | 35
  PID 2620 wrote to memory of 1136 | 2620 | taskeng.exe | 35

Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\XClient.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
  PID: 2144
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\schtasks.exe (child of PID 2144)
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
    PID: 2948
    - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {123C4C33-7472-412B-A4B1-30849C5251DF} S-1-5-21-1846800975-3917212583-2893086201-1000:ZQABOPWE\Admin:Interactive:[1]
  PID: 2620
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\XClient.exe (child of PID 2620)
    Command line: C:\Users\Admin\AppData\Roaming\XClient.exe
    PID: 2244
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Roaming\XClient.exe (child of PID 2620)
    Command line: C:\Users\Admin\AppData\Roaming\XClient.exe
    PID: 1136
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Downloads
Filesize: 69KB
MD5: 5f73a7d813ca1b0287eee8e34c8fb97a
SHA1: 2a209a47e6ca2106397aac89674344761f507842
SHA256: fc7e51dc0cdfe45ed4507903bbb9d8442d58dff88ceec8f89ffb354646a2b0c2
SHA512: 9b86f653e162bc632f6288fee4072aea6c3299e744db9f4707fa0f5c51ddb3c7e4aae21c7cf3c9d480ad375c51e4de15de1161a69459a74133f7d1f005796143