
Analysis

  • max time kernel
    147s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    28/02/2025, 20:02

General

  • Target

    YOU.exe

  • Size

    955KB

  • MD5

    eb86db27432e31d958931668b20dd18d

  • SHA1

    12a8af666e5f1018071b46cb04df4a34384bb6be

  • SHA256

    5f0a6832da6604ee51d0072fa8ae6ad9b0151074c30c6a08acaad43d339abdf7

  • SHA512

    545b2ccdadb21aadc12a820ede8d4a730614d430816745aae817a4110cc36fa6891ff04e206d020f914debd388257222afcbbead55a2d88cd13e9e72b9ac938e

  • SSDEEP

    24576:Iu6J33O0c+JY5UZ+XC0kGso6Fak67DeQlaWY:iu0c++OCvkGs9Fak8DY

Malware Config

Extracted

Family

xworm

C2

176.96.137.181:2222

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient2.exe

Signatures

  • Detect Xworm Payload 3 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\YOU.exe
    "C:\Users\Admin\AppData\Local\Temp\YOU.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1448
    • C:\Users\Admin\AppData\Local\untrashed\avenses.exe
      "C:\Users\Admin\AppData\Local\Temp\YOU.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2776
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Users\Admin\AppData\Local\Temp\YOU.exe"
        3⤵
        • Drops startup file
        • Loads dropped DLL
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2688
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2920
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RegSvcs.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2564
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient2.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1732
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient2.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2916
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient2" /tr "C:\Users\Admin\AppData\Roaming\XClient2.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:2612
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {72180ED0-C09A-48E8-8243-B1A54F68ADA7} S-1-5-21-3063565911-2056067323-3330884624-1000:KHBTHJFA\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2024
    • C:\Users\Admin\AppData\Roaming\XClient2.exe
      C:\Users\Admin\AppData\Roaming\XClient2.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1156
    • C:\Users\Admin\AppData\Roaming\XClient2.exe
      C:\Users\Admin\AppData\Roaming\XClient2.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:640
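The behaviours listed under Signatures (Defender exclusions added with Add-MpPreference, a scheduled task created with a one-minute trigger at the highest run level) and the process tree above translate directly into detection logic. The following Python is an added example, not part of the tria.ge report or of XWorm; it runs over process-creation events hand-transcribed from this page's process tree (the field names pid, image and command_line are an assumed schema, not real Sysmon or EDR fields) and flags four things visible in the report: a Defender exclusion being added, schtasks persistence with /sc minute and /RL HIGHEST, a process whose image path does not match the executable named on its own command line (avenses.exe and RegSvcs.exe both inherited YOU.exe's command line, consistent with the SetThreadContext/MapViewOfSection hollowing indicators), and execution from a user profile directory. One caveat the tree itself illustrates: powershell.exe and schtasks.exe show a SysWOW64 image while their command lines name System32, because the 32-bit RegSvcs.exe parent triggers WoW64 file-system redirection; a naive image-versus-command-line comparison would flag that, so the check normalises it away.

```python
"""Added example: flag the behaviours this report attributes to XWorm in
process-creation events (Defender exclusions, minute-interval schtasks
persistence, image/command-line mismatch, execution from %AppData%)."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed events, transcribed from the process tree on this page.
# Field names (pid, image, command_line) are an assumption, not a real
# telemetry schema; map your own Sysmon/EDR fields onto them.
EVENTS: List[Dict[str, str]] = [
    {"pid": "1448", "image": r"C:\Users\Admin\AppData\Local\Temp\YOU.exe",
     "command_line": r'"C:\Users\Admin\AppData\Local\Temp\YOU.exe"'},
    {"pid": "2776", "image": r"C:\Users\Admin\AppData\Local\untrashed\avenses.exe",
     "command_line": r'"C:\Users\Admin\AppData\Local\Temp\YOU.exe"'},
    {"pid": "2688", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "command_line": r'"C:\Users\Admin\AppData\Local\Temp\YOU.exe"'},
    {"pid": "2920", "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                     r"-ExecutionPolicy Bypass Add-MpPreference -ExclusionPath "
                     r"'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'"},
    {"pid": "2916", "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                     r"-ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient2.exe'"},
    {"pid": "2612", "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "command_line": r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 '
                     r'/tn "XClient2" /tr "C:\Users\Admin\AppData\Roaming\XClient2.exe"'},
    {"pid": "1156", "image": r"C:\Users\Admin\AppData\Roaming\XClient2.exe",
     "command_line": r"C:\Users\Admin\AppData\Roaming\XClient2.exe"},
    # Constructed benign control event: must produce no hits.
    {"pid": "4000", "image": r"C:\Windows\System32\notepad.exe",
     "command_line": r'"C:\Windows\System32\notepad.exe" C:\Users\Admin\notes.txt'},
]

# Add-MpPreference appends an exclusion; Set-MpPreference replaces the list.
# Both are Defender cmdlets an attacker can use to carve out a blind spot.
EXCLUSION_RE = re.compile(
    r"(?:Add|Set)-MpPreference\s+-Exclusion(Path|Process|Extension)\s+['\"]?([^'\"\s]+)",
    re.IGNORECASE,
)


def exclusion_target(command_line: str) -> Optional[Tuple[str, str]]:
    """Return (kind, value) of the Defender exclusion being added, or None."""
    m = EXCLUSION_RE.search(command_line)
    return (m.group(1), m.group(2)) if m else None


def first_executable(command_line: str) -> str:
    """Executable named at the start of a Windows command line (quoted or bare)."""
    cl = command_line.strip()
    if cl.startswith('"'):
        end = cl.find('"', 1)
        return cl[1:end] if end != -1 else cl[1:]
    return cl.split(" ", 1)[0]


def _norm(path: str) -> str:
    # Lower-case and undo WoW64 file-system redirection: a 32-bit parent that
    # launches C:\Windows\System32\x.exe gets C:\Windows\SysWOW64\x.exe as image.
    return path.lower().replace("\\windows\\system32\\", "\\windows\\syswow64\\")


def detect(event: Dict[str, str]) -> List[str]:
    """Return the list of rule names that fire for one process-creation event."""
    hits: List[str] = []
    image, cl = event["image"], event["command_line"]
    low = cl.lower()
    if exclusion_target(cl):
        hits.append("defender_exclusion")
    if (image.lower().endswith("schtasks.exe") and "/create" in low
            and "/sc minute" in low and "/rl highest" in low):
        hits.append("schtasks_minute_highest")
    if _norm(first_executable(cl)) != _norm(image):
        hits.append("image_cmdline_mismatch")  # hollowed / inherited command line
    if re.search(r"\\appdata\\", image.lower()):
        hits.append("exec_from_appdata")
    return hits


def scan(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each event's pid to the rules it triggered."""
    return {e["pid"]: detect(e) for e in events}


if __name__ == "__main__":
    for pid, hits in scan(EVENTS).items():
        print(pid, hits or "-")
```

Running the block prints one line per pid; only the benign control event is clean. The mismatch rule is deliberately narrow: it compares the executable path named on the command line against the recorded image after redirection is normalised, so it catches the inherited "YOU.exe" command line on avenses.exe and RegSvcs.exe without firing on every 32-bit child of a 32-bit parent.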

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

    Filesize

    7KB

    MD5

    2c1e2d659e249e316fa74001f4c821a1

    SHA1

    bff64dfd0e4cc8e09b2d0e0a1ef0a7a857f0a27c

    SHA256

    eb53d351178b27c17ce347fc3bedb11566dc3d0143f8be6effb283b395e7d1c7

    SHA512

    ca09ad1fbf1bbe42c49650b8350c395cd900e1bba9037a14ff763613375f7a4ebcf05929b8134546d234f5411b43938a45de7463018a890623a491d54b062a0a

  • \Users\Admin\AppData\Local\untrashed\avenses.exe

    Filesize

    955KB

    MD5

    eb86db27432e31d958931668b20dd18d

    SHA1

    12a8af666e5f1018071b46cb04df4a34384bb6be

    SHA256

    5f0a6832da6604ee51d0072fa8ae6ad9b0151074c30c6a08acaad43d339abdf7

    SHA512

    545b2ccdadb21aadc12a820ede8d4a730614d430816745aae817a4110cc36fa6891ff04e206d020f914debd388257222afcbbead55a2d88cd13e9e72b9ac938e

  • \Users\Admin\AppData\Roaming\XClient2.exe

    Filesize

    44KB

    MD5

    0e06054beb13192588e745ee63a84173

    SHA1

    30b7d4d1277bafd04a83779fd566a1f834a8d113

    SHA256

    c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

    SHA512

    251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

  • memory/640-56-0x0000000001050000-0x000000000105E000-memory.dmp

    Filesize

    56KB

  • memory/640-57-0x0000000000200000-0x0000000000220000-memory.dmp

    Filesize

    128KB

  • memory/1156-52-0x0000000000370000-0x000000000037E000-memory.dmp

    Filesize

    56KB

  • memory/1156-53-0x00000000008C0000-0x00000000008E0000-memory.dmp

    Filesize

    128KB

  • memory/1448-5-0x0000000000120000-0x0000000000128000-memory.dmp

    Filesize

    32KB

  • memory/2688-24-0x0000000073D3E000-0x0000000073D3F000-memory.dmp

    Filesize

    4KB

  • memory/2688-23-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

  • memory/2688-47-0x0000000073D30000-0x000000007441E000-memory.dmp

    Filesize

    6.9MB

  • memory/2688-48-0x0000000073D3E000-0x0000000073D3F000-memory.dmp

    Filesize

    4KB

  • memory/2688-49-0x0000000073D30000-0x000000007441E000-memory.dmp

    Filesize

    6.9MB

  • memory/2688-21-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

  • memory/2688-19-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB