Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    147s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    28/02/2025, 18:13

General

  • Target

    XClient.exe

  • Size

    69KB

  • MD5

    5f73a7d813ca1b0287eee8e34c8fb97a

  • SHA1

    2a209a47e6ca2106397aac89674344761f507842

  • SHA256

    fc7e51dc0cdfe45ed4507903bbb9d8442d58dff88ceec8f89ffb354646a2b0c2

  • SHA512

    9b86f653e162bc632f6288fee4072aea6c3299e744db9f4707fa0f5c51ddb3c7e4aae21c7cf3c9d480ad375c51e4de15de1161a69459a74133f7d1f005796143

  • SSDEEP

    1536:etpR0NcUa78F6TflB1Um7UG2RbqV9R0nXBHykd19jO7XHb:etn0b6TfysUpRbOsRbvjOLHb

Malware Config

Extracted

Family

xworm

C2

6.tcp.ngrok.io:17720:17720

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

Signatures

  • Detect Xworm Payload 4 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\XClient.exe
    "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2144
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2948
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {123C4C33-7472-412B-A4B1-30849C5251DF} S-1-5-21-1846800975-3917212583-2893086201-1000:ZQABOPWE\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2620
    • C:\Users\Admin\AppData\Roaming\XClient.exe
      C:\Users\Admin\AppData\Roaming\XClient.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2244
    • C:\Users\Admin\AppData\Roaming\XClient.exe
      C:\Users\Admin\AppData\Roaming\XClient.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1136

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\XClient.exe

    Filesize

    69KB

    MD5

    5f73a7d813ca1b0287eee8e34c8fb97a

    SHA1

    2a209a47e6ca2106397aac89674344761f507842

    SHA256

    fc7e51dc0cdfe45ed4507903bbb9d8442d58dff88ceec8f89ffb354646a2b0c2

    SHA512

    9b86f653e162bc632f6288fee4072aea6c3299e744db9f4707fa0f5c51ddb3c7e4aae21c7cf3c9d480ad375c51e4de15de1161a69459a74133f7d1f005796143

  • memory/1136-15-0x00000000000F0000-0x0000000000108000-memory.dmp

    Filesize

    96KB

  • memory/2144-0-0x000007FEF6123000-0x000007FEF6124000-memory.dmp

    Filesize

    4KB

  • memory/2144-1-0x0000000000C10000-0x0000000000C28000-memory.dmp

    Filesize

    96KB

  • memory/2144-6-0x000007FEF6120000-0x000007FEF6B0C000-memory.dmp

    Filesize

    9.9MB

  • memory/2144-7-0x000007FEF6123000-0x000007FEF6124000-memory.dmp

    Filesize

    4KB

  • memory/2144-8-0x000007FEF6120000-0x000007FEF6B0C000-memory.dmp

    Filesize

    9.9MB

  • memory/2244-12-0x00000000003F0000-0x0000000000408000-memory.dmp

    Filesize

    96KB