Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

Xeno.exe

windows10-ltsc 2021-x64

Analysis

  • max time kernel
    125s
  • max time network
    126s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20250217-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20250217-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    28/02/2025, 18:18

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    Xeno.exe

  • Size

    69KB

  • MD5

    4e8074b05433894b629f67b4770d5474

  • SHA1

    f71e57d6bda8a72a7760d358e63664136b8a7bb7

  • SHA256

    480c3389177a32a663b3c484507f00a646a6b4a10c3532527bdc0dcd78c7d259

  • SHA512

    de0726f1335c757925170f496181ee66b29231034c6ab205f54fc265370485bbf1eedfadaaba4b57fd78d6057860630ccd1bada035d71ae74b8f0a5349329e89

  • SSDEEP

    1536:2SuDiZ0QURBoIKoPyS2I+bqpO1Xd7UEx6M0O8RLZ68i:2SuDaURKkPJt+bwwURO85M8i

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

cause-indexes.gl.at.ply.gg:17210

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Xeno.exe
    "C:\Users\Admin\AppData\Local\Temp\Xeno.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3048
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Xeno.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5552
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Xeno.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3996
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3044
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:1088
    • C:\Windows\SYSTEM32\shutdown.exe
      shutdown.exe /f /s /t 0
      2⤵
        PID:4968
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:5112
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x4 /state0:0xa39d5855 /state1:0x41c64e6d
      1⤵
      • Modifies data under HKEY_USERS
      • Suspicious use of SetWindowsHookEx
      PID:5536

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      Filesize

      3KB

      MD5

      3eb3833f769dd890afc295b977eab4b4

      SHA1

      e857649b037939602c72ad003e5d3698695f436f

      SHA256

      c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

      SHA512

      c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      60b3262c3163ee3d466199160b9ed07d

      SHA1

      994ece4ea4e61de0be2fdd580f87e3415f9e1ff6

      SHA256

      e3b30f16d41f94cba2b8a75f35c91ae7418465abfbfe5477ec0551d1952b2fdb

      SHA512

      081d2015cb94477eb0fbc38f44b6d9b4a3204fb3ad0b7d0e146a88ab4ab9a0d475207f1adae03f4a81ccc5beb7568dc8be1249f69e32fe56efd9ee2f6ee3b1af

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      cc23290d37ee7ef96108403dca3e40bb

      SHA1

      f3900f743488bd7d79294a1874926b6ff9c968c0

      SHA256

      f70a32a91221754ff21f1dc7f725d7690d8264dbb98df7b06ca280f36f08184c

      SHA512

      4d8d577061b902bd3b46bb3b4988dd47e85d7ea08a1cfea2b3df5edef040884f5b357b72098e3e7a1565b6f6e244aca8d99088652ebc9bf78620cbef84cc0845

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      2879755c37735aee79eb6b06e5952f3f

      SHA1

      8f7e6f73f2ee82022bd93633a1d914d65a6fd2a2

      SHA256

      00de7e1a55a4bd2fbf8c0ec30d7a1f626a638e88aa03629046190d9391717ad1

      SHA512

      ebda3165400670f533f3b52703c6b443597bb36d7891806a86542b1cd56b7fa8cd859beaf7251ceb17ac4d1c6326562efea1d6355ac583688bdf59aef2aea0e6

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oa2gxpu0.t51.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • memory/3048-0-0x00007FFA9C213000-0x00007FFA9C215000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3048-113-0x00007FFA9C210000-0x00007FFA9CCD2000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3048-74-0x00000000029F0000-0x00000000029FC000-memory.dmp

      Filesize

      48KB

      Download

    • memory/3048-73-0x00007FFA9C210000-0x00007FFA9CCD2000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3048-1-0x0000000000810000-0x0000000000826000-memory.dmp

      Filesize

      88KB

      Download

    • memory/3048-59-0x00007FFA9C210000-0x00007FFA9CCD2000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3048-58-0x00007FFA9C213000-0x00007FFA9C215000-memory.dmp

      Filesize

      8KB

      Download

    • memory/5112-70-0x000002529EC20000-0x000002529EC21000-memory.dmp

      Filesize

      4KB

      Download

    • memory/5112-66-0x000002529EC20000-0x000002529EC21000-memory.dmp

      Filesize

      4KB

      Download

    • memory/5112-67-0x000002529EC20000-0x000002529EC21000-memory.dmp

      Filesize

      4KB

      Download

    • memory/5112-68-0x000002529EC20000-0x000002529EC21000-memory.dmp

      Filesize

      4KB

      Download

    • memory/5112-62-0x000002529EC20000-0x000002529EC21000-memory.dmp

      Filesize

      4KB

      Download

    • memory/5112-61-0x000002529EC20000-0x000002529EC21000-memory.dmp

      Filesize

      4KB

      Download

    • memory/5112-60-0x000002529EC20000-0x000002529EC21000-memory.dmp

      Filesize

      4KB

      Download

    • memory/5112-72-0x000002529EC20000-0x000002529EC21000-memory.dmp

      Filesize

      4KB

      Download

    • memory/5112-71-0x000002529EC20000-0x000002529EC21000-memory.dmp

      Filesize

      4KB

      Download

    • memory/5112-69-0x000002529EC20000-0x000002529EC21000-memory.dmp

      Filesize

      4KB

      Download

    • memory/5552-14-0x00007FFA9C210000-0x00007FFA9CCD2000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/5552-15-0x00007FFA9C210000-0x00007FFA9CCD2000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/5552-16-0x00007FFA9C210000-0x00007FFA9CCD2000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/5552-19-0x00007FFA9C210000-0x00007FFA9CCD2000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/5552-13-0x00007FFA9C210000-0x00007FFA9CCD2000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/5552-12-0x00007FFA9C210000-0x00007FFA9CCD2000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/5552-2-0x000001A5E28B0000-0x000001A5E28D2000-memory.dmp

      Filesize

      136KB

      Download