Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
submitted
28/02/2025, 20:14
Static task
static1
Behavioral task
behavioral1
Sample
YOU.exe
Resource
win7-20241010-en
General
-
Target
YOU.exe
-
Size
955KB
-
MD5
eb86db27432e31d958931668b20dd18d
-
SHA1
12a8af666e5f1018071b46cb04df4a34384bb6be
-
SHA256
5f0a6832da6604ee51d0072fa8ae6ad9b0151074c30c6a08acaad43d339abdf7
-
SHA512
545b2ccdadb21aadc12a820ede8d4a730614d430816745aae817a4110cc36fa6891ff04e206d020f914debd388257222afcbbead55a2d88cd13e9e72b9ac938e
-
SSDEEP
24576:Iu6J33O0c+JY5UZ+XC0kGso6Fak67DeQlaWY:iu0c++OCvkGs9Fak8DY
Malware Config
Extracted
xworm
176.96.137.181:2222
-
Install_directory
%AppData%
-
install_file
XClient2.exe
Signatures
-
Detect Xworm Payload 1 IoCs
- resource: behavioral2/memory/5012-17-0x00000000005C0000-0x00000000005DA000-memory.dmp, yara_rule: family_xworm
Xworm family
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- PID 3436 powershell.exe
- PID 3696 powershell.exe
- PID 3700 powershell.exe
- PID 4916 powershell.exe
Drops startup file 3 IoCs
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\avenses.vbs (avenses.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient2.lnk (RegSvcs.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient2.lnk (RegSvcs.exe)
Executes dropped EXE 3 IoCs
- PID 1260 avenses.exe
- PID 1384 XClient2.exe
- PID 4728 XClient2.exe
Adds Run key to start application 2 TTPs 1 IoCs
- Set value (str): \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient2 = "C:\\Users\\Admin\\AppData\\Roaming\\XClient2.exe" (RegSvcs.exe)
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
- resource: behavioral2/files/0x000b000000023be2-8.dat, yara_rule: autoit_exe
Suspicious use of SetThreadContext 1 IoCs
- PID 1260 (avenses.exe) set thread context of PID 5012 (procid_target 88)
System Location Discovery: System Language Discovery 1 TTPs 10 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by:
- powershell.exe
- XClient2.exe
- RegSvcs.exe
- powershell.exe
- powershell.exe
- powershell.exe
- schtasks.exe
- XClient2.exe
- YOU.exe
- avenses.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
- PID 1608 schtasks.exe
Suspicious behavior: EnumeratesProcesses 9 IoCs
- PID 3436 powershell.exe (2 times)
- PID 3696 powershell.exe (2 times)
- PID 3700 powershell.exe (2 times)
- PID 4916 powershell.exe (2 times)
- PID 5012 RegSvcs.exe
Suspicious behavior: MapViewOfSection 2 IoCs
- PID 1260 avenses.exe (2 times)
Suspicious use of AdjustPrivilegeToken 6 IoCs
- Token: SeDebugPrivilege, PID 5012 RegSvcs.exe
- Token: SeDebugPrivilege, PID 3436 powershell.exe
- Token: SeDebugPrivilege, PID 3696 powershell.exe
- Token: SeDebugPrivilege, PID 3700 powershell.exe
- Token: SeDebugPrivilege, PID 4916 powershell.exe
- Token: SeDebugPrivilege, PID 5012 RegSvcs.exe
Suspicious use of FindShellTrayWindow 4 IoCs
- PID 1520 YOU.exe (2 times)
- PID 1260 avenses.exe (2 times)
Suspicious use of SendNotifyMessage 4 IoCs
- PID 1520 YOU.exe (2 times)
- PID 1260 avenses.exe (2 times)
Suspicious use of SetWindowsHookEx 1 IoCs
- PID 5012 RegSvcs.exe
Suspicious use of WriteProcessMemory 22 IoCs
- PID 1520 (YOU.exe) wrote to memory of PID 1260, procid_target 87 (3 times)
- PID 1260 (avenses.exe) wrote to memory of PID 5012, procid_target 88 (4 times)
- PID 5012 (RegSvcs.exe) wrote to memory of PID 3436, procid_target 93 (3 times)
- PID 5012 (RegSvcs.exe) wrote to memory of PID 3696, procid_target 97 (3 times)
- PID 5012 (RegSvcs.exe) wrote to memory of PID 3700, procid_target 100 (3 times)
- PID 5012 (RegSvcs.exe) wrote to memory of PID 4916, procid_target 102 (3 times)
- PID 5012 (RegSvcs.exe) wrote to memory of PID 1608, procid_target 104 (3 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\YOU.exe (PID 1520)
  Command line: "C:\Users\Admin\AppData\Local\Temp\YOU.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\untrashed\avenses.exe (PID 1260)
    Command line: "C:\Users\Admin\AppData\Local\Temp\YOU.exe"
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 5012)
      Command line: "C:\Users\Admin\AppData\Local\Temp\YOU.exe"
      - Drops startup file
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3436)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
        - Command and Scripting Interpreter: PowerShell
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3696)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RegSvcs.exe'
        - Command and Scripting Interpreter: PowerShell
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3700)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient2.exe'
        - Command and Scripting Interpreter: PowerShell
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4916)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient2.exe'
        - Command and Scripting Interpreter: PowerShell
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\schtasks.exe (PID 1608)
        Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient2" /tr "C:\Users\Admin\AppData\Roaming\XClient2.exe"
        - System Location Discovery: System Language Discovery
        - Scheduled Task/Job: Scheduled Task
- C:\Users\Admin\AppData\Roaming\XClient2.exe (PID 1384)
  Command line: C:\Users\Admin\AppData\Roaming\XClient2.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
- C:\Users\Admin\AppData\Roaming\XClient2.exe (PID 4728)
  Command line: C:\Users\Admin\AppData\Roaming\XClient2.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
- Execution
  - Command and Scripting Interpreter (1)
    - PowerShell (1)
  - Scheduled Task/Job (1)
    - Scheduled Task (1)
- Persistence
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Scheduled Task/Job (1)
    - Scheduled Task (1)
Downloads