Analysis
- max time kernel: 147s
- max time network: 147s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 28/02/2025, 20:02
Static task: static1
Behavioral task: behavioral1
Sample: YOU.exe
Resource: win7-20240903-en
General
- Target: YOU.exe
- Size: 955KB
- MD5: eb86db27432e31d958931668b20dd18d
- SHA1: 12a8af666e5f1018071b46cb04df4a34384bb6be
- SHA256: 5f0a6832da6604ee51d0072fa8ae6ad9b0151074c30c6a08acaad43d339abdf7
- SHA512: 545b2ccdadb21aadc12a820ede8d4a730614d430816745aae817a4110cc36fa6891ff04e206d020f914debd388257222afcbbead55a2d88cd13e9e72b9ac938e
- SSDEEP: 24576:Iu6J33O0c+JY5UZ+XC0kGso6Fak67DeQlaWY:iu0c++OCvkGs9Fak8DY
Malware Config
Extracted: xworm
- 176.96.137.181:2222
- Install_directory: %AppData%
- install_file: XClient2.exe
Signatures
- Detect Xworm Payload (3 IoCs)
  resource | yara_rule
  behavioral1/memory/2688-19-0x0000000000400000-0x000000000041A000-memory.dmp | family_xworm
  behavioral1/memory/2688-21-0x0000000000400000-0x000000000041A000-memory.dmp | family_xworm
  behavioral1/memory/2688-23-0x0000000000400000-0x000000000041A000-memory.dmp | family_xworm
- Xworm family
- Command and Scripting Interpreter: PowerShell (1 TTPs, 4 IoCs)
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid | Process
  2920 | powershell.exe
  2564 | powershell.exe
  1732 | powershell.exe
  2916 | powershell.exe
- Drops startup file (3 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\avenses.vbs | avenses.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient2.lnk | RegSvcs.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient2.lnk | RegSvcs.exe
- Executes dropped EXE (3 IoCs)
  pid | Process
  2776 | avenses.exe
  1156 | XClient2.exe
  640 | XClient2.exe
- Loads dropped DLL (2 IoCs)
  pid | Process
  1448 | YOU.exe
  2688 | RegSvcs.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient2 = "C:\\Users\\Admin\\AppData\\Roaming\\XClient2.exe" | RegSvcs.exe
- AutoIT Executable (1 IoCs)
  AutoIT scripts compiled to PE executables.
  resource | yara_rule
  behavioral1/files/0x0007000000016c89-7.dat | autoit_exe
- Suspicious use of SetThreadContext (1 IoCs)
  description | pid | Process | procid_target
  PID 2776 set thread context of 2688 | 2776 | avenses.exe | 31
- System Location Discovery: System Language Discovery (1 TTPs, 10 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | XClient2.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | XClient2.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | YOU.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegSvcs.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | avenses.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
- Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  2612 | schtasks.exe
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid | Process
  2920 | powershell.exe
  2564 | powershell.exe
  1732 | powershell.exe
  2916 | powershell.exe
  2688 | RegSvcs.exe
- Suspicious behavior: MapViewOfSection (1 IoCs)
  pid | Process
  2776 | avenses.exe
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2688 | RegSvcs.exe
  Token: SeDebugPrivilege | 2920 | powershell.exe
  Token: SeDebugPrivilege | 2564 | powershell.exe
  Token: SeDebugPrivilege | 1732 | powershell.exe
  Token: SeDebugPrivilege | 2916 | powershell.exe
  Token: SeDebugPrivilege | 2688 | RegSvcs.exe
- Suspicious use of FindShellTrayWindow (4 IoCs)
  pid | Process
  1448 | YOU.exe
  1448 | YOU.exe
  2776 | avenses.exe
  2776 | avenses.exe
- Suspicious use of SendNotifyMessage (4 IoCs)
  pid | Process
  1448 | YOU.exe
  1448 | YOU.exe
  2776 | avenses.exe
  2776 | avenses.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  pid | Process
  2688 | RegSvcs.exe
- Suspicious use of WriteProcessMemory (46 IoCs)
  description | pid | Process | procid_target
  PID 1448 wrote to memory of 2776 | 1448 | YOU.exe | 30
  PID 1448 wrote to memory of 2776 | 1448 | YOU.exe | 30
  PID 1448 wrote to memory of 2776 | 1448 | YOU.exe | 30
  PID 1448 wrote to memory of 2776 | 1448 | YOU.exe | 30
  PID 2776 wrote to memory of 2688 | 2776 | avenses.exe | 31
  PID 2776 wrote to memory of 2688 | 2776 | avenses.exe | 31
  PID 2776 wrote to memory of 2688 | 2776 | avenses.exe | 31
  PID 2776 wrote to memory of 2688 | 2776 | avenses.exe | 31
  PID 2776 wrote to memory of 2688 | 2776 | avenses.exe | 31
  PID 2776 wrote to memory of 2688 | 2776 | avenses.exe | 31
  PID 2776 wrote to memory of 2688 | 2776 | avenses.exe | 31
  PID 2776 wrote to memory of 2688 | 2776 | avenses.exe | 31
  PID 2688 wrote to memory of 2920 | 2688 | RegSvcs.exe | 32
  PID 2688 wrote to memory of 2920 | 2688 | RegSvcs.exe | 32
  PID 2688 wrote to memory of 2920 | 2688 | RegSvcs.exe | 32
  PID 2688 wrote to memory of 2920 | 2688 | RegSvcs.exe | 32
  PID 2688 wrote to memory of 2564 | 2688 | RegSvcs.exe | 34
  PID 2688 wrote to memory of 2564 | 2688 | RegSvcs.exe | 34
  PID 2688 wrote to memory of 2564 | 2688 | RegSvcs.exe | 34
  PID 2688 wrote to memory of 2564 | 2688 | RegSvcs.exe | 34
  PID 2688 wrote to memory of 1732 | 2688 | RegSvcs.exe | 36
  PID 2688 wrote to memory of 1732 | 2688 | RegSvcs.exe | 36
  PID 2688 wrote to memory of 1732 | 2688 | RegSvcs.exe | 36
  PID 2688 wrote to memory of 1732 | 2688 | RegSvcs.exe | 36
  PID 2688 wrote to memory of 2916 | 2688 | RegSvcs.exe | 38
  PID 2688 wrote to memory of 2916 | 2688 | RegSvcs.exe | 38
  PID 2688 wrote to memory of 2916 | 2688 | RegSvcs.exe | 38
  PID 2688 wrote to memory of 2916 | 2688 | RegSvcs.exe | 38
  PID 2688 wrote to memory of 2612 | 2688 | RegSvcs.exe | 40
  PID 2688 wrote to memory of 2612 | 2688 | RegSvcs.exe | 40
  PID 2688 wrote to memory of 2612 | 2688 | RegSvcs.exe | 40
  PID 2688 wrote to memory of 2612 | 2688 | RegSvcs.exe | 40
  PID 2024 wrote to memory of 1156 | 2024 | taskeng.exe | 44
  PID 2024 wrote to memory of 1156 | 2024 | taskeng.exe | 44
  PID 2024 wrote to memory of 1156 | 2024 | taskeng.exe | 44
  PID 2024 wrote to memory of 1156 | 2024 | taskeng.exe | 44
  PID 2024 wrote to memory of 1156 | 2024 | taskeng.exe | 44
  PID 2024 wrote to memory of 1156 | 2024 | taskeng.exe | 44
  PID 2024 wrote to memory of 1156 | 2024 | taskeng.exe | 44
  PID 2024 wrote to memory of 640 | 2024 | taskeng.exe | 47
  PID 2024 wrote to memory of 640 | 2024 | taskeng.exe | 47
  PID 2024 wrote to memory of 640 | 2024 | taskeng.exe | 47
  PID 2024 wrote to memory of 640 | 2024 | taskeng.exe | 47
  PID 2024 wrote to memory of 640 | 2024 | taskeng.exe | 47
  PID 2024 wrote to memory of 640 | 2024 | taskeng.exe | 47
  PID 2024 wrote to memory of 640 | 2024 | taskeng.exe | 47
Processes
- C:\Users\Admin\AppData\Local\Temp\YOU.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\YOU.exe"
  PID: 1448
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\untrashed\avenses.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\YOU.exe"
    PID: 2776
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\YOU.exe"
      PID: 2688
      - Drops startup file
      - Loads dropped DLL
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
        PID: 2920
        - Command and Scripting Interpreter: PowerShell
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RegSvcs.exe'
        PID: 2564
        - Command and Scripting Interpreter: PowerShell
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient2.exe'
        PID: 1732
        - Command and Scripting Interpreter: PowerShell
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient2.exe'
        PID: 2916
        - Command and Scripting Interpreter: PowerShell
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\schtasks.exe
        Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient2" /tr "C:\Users\Admin\AppData\Roaming\XClient2.exe"
        PID: 2612
        - System Location Discovery: System Language Discovery
        - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {72180ED0-C09A-48E8-8243-B1A54F68ADA7} S-1-5-21-3063565911-2056067323-3330884624-1000:KHBTHJFA\Admin:Interactive:[1]
  PID: 2024
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\XClient2.exe
    Command line: C:\Users\Admin\AppData\Roaming\XClient2.exe
    PID: 1156
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Roaming\XClient2.exe
    Command line: C:\Users\Admin\AppData\Roaming\XClient2.exe
    PID: 640
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
- Execution
  - Command and Scripting Interpreter (1)
    - PowerShell (1)
  - Scheduled Task/Job (1)
    - Scheduled Task (1)
- Persistence
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Scheduled Task/Job (1)
    - Scheduled Task (1)
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 2c1e2d659e249e316fa74001f4c821a1
  SHA1: bff64dfd0e4cc8e09b2d0e0a1ef0a7a857f0a27c
  SHA256: eb53d351178b27c17ce347fc3bedb11566dc3d0143f8be6effb283b395e7d1c7
  SHA512: ca09ad1fbf1bbe42c49650b8350c395cd900e1bba9037a14ff763613375f7a4ebcf05929b8134546d234f5411b43938a45de7463018a890623a491d54b062a0a
- Filesize: 955KB
  MD5: eb86db27432e31d958931668b20dd18d
  SHA1: 12a8af666e5f1018071b46cb04df4a34384bb6be
  SHA256: 5f0a6832da6604ee51d0072fa8ae6ad9b0151074c30c6a08acaad43d339abdf7
  SHA512: 545b2ccdadb21aadc12a820ede8d4a730614d430816745aae817a4110cc36fa6891ff04e206d020f914debd388257222afcbbead55a2d88cd13e9e72b9ac938e
- Filesize: 44KB
  MD5: 0e06054beb13192588e745ee63a84173
  SHA1: 30b7d4d1277bafd04a83779fd566a1f834a8d113
  SHA256: c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768
  SHA512: 251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215