Analysis
max time kernel: 147s
max time network: 159s
platform: windows10-2004_x64
resource: win10v2004-20250217-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28/02/2025, 20:02

Static task: static1
Behavioral task: behavioral1
Sample: YOU.exe
Resource: win7-20240903-en

Note: the signatures and process tree below are labelled behavioral2 and correspond to the Windows 10 resource listed under Analysis; only the behavioral1 (Windows 7) task survives in the task list as extracted.
General
Target: YOU.exe
Size: 955KB
MD5: eb86db27432e31d958931668b20dd18d
SHA1: 12a8af666e5f1018071b46cb04df4a34384bb6be
SHA256: 5f0a6832da6604ee51d0072fa8ae6ad9b0151074c30c6a08acaad43d339abdf7
SHA512: 545b2ccdadb21aadc12a820ede8d4a730614d430816745aae817a4110cc36fa6891ff04e206d020f914debd388257222afcbbead55a2d88cd13e9e72b9ac938e
SSDEEP: 24576:Iu6J33O0c+JY5UZ+XC0kGso6Fak67DeQlaWY:iu0c++OCvkGs9Fak8DY
Malware Config
Extracted: xworm
C2: 176.96.137.181:2222
Install_directory: %AppData%
install_file: XClient2.exe
Signatures
Detect Xworm Payload (1 IoC)
  resource: behavioral2/memory/4304-17-0x0000000000400000-0x000000000041A000-memory.dmp
  yara_rule: family_xworm

Xworm family

Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  pid 3196 powershell.exe
  pid 536 powershell.exe
  pid 3820 powershell.exe
  pid 4460 powershell.exe

Drops startup file (3 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\avenses.vbs (avenses.exe)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient2.lnk (RegSvcs.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient2.lnk (RegSvcs.exe)

Executes dropped EXE (3 IoCs)
  pid 3512 avenses.exe
  pid 2300 XClient2.exe
  pid 2456 XClient2.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient2 = "C:\\Users\\Admin\\AppData\\Roaming\\XClient2.exe" (RegSvcs.exe)

AutoIT Executable (1 IoC)
AutoIT scripts compiled to PE executables.
  resource: behavioral2/files/0x000200000001e969-8.dat
  yara_rule: autoit_exe

Suspicious use of SetThreadContext (1 IoC)
  PID 3512 set thread context of 4304 (pid 3512 avenses.exe, procid_target 88)

System Location Discovery: System Language Discovery (1 TTP, 10 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (YOU.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (avenses.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (RegSvcs.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (powershell.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (powershell.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (powershell.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (schtasks.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (powershell.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (XClient2.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (XClient2.exe)

Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 2712 schtasks.exe

Suspicious behavior: EnumeratesProcesses (9 IoCs)
  pid 3196 powershell.exe (x2)
  pid 536 powershell.exe (x2)
  pid 3820 powershell.exe (x2)
  pid 4460 powershell.exe (x2)
  pid 4304 RegSvcs.exe

Suspicious behavior: MapViewOfSection (1 IoC)
  pid 3512 avenses.exe

Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Token: SeDebugPrivilege, pid 4304 RegSvcs.exe
  Token: SeDebugPrivilege, pid 3196 powershell.exe
  Token: SeDebugPrivilege, pid 536 powershell.exe
  Token: SeDebugPrivilege, pid 3820 powershell.exe
  Token: SeDebugPrivilege, pid 4460 powershell.exe
  Token: SeDebugPrivilege, pid 4304 RegSvcs.exe

Suspicious use of FindShellTrayWindow (4 IoCs)
  pid 3060 YOU.exe (x2)
  pid 3512 avenses.exe (x2)

Suspicious use of SendNotifyMessage (4 IoCs)
  pid 3060 YOU.exe (x2)
  pid 3512 avenses.exe (x2)

Suspicious use of SetWindowsHookEx (1 IoC)
  pid 4304 RegSvcs.exe

Suspicious use of WriteProcessMemory (22 IoCs)
  PID 3060 (YOU.exe) wrote to memory of 3512, procid_target 87 (x3)
  PID 3512 (avenses.exe) wrote to memory of 4304, procid_target 88 (x4)
  PID 4304 (RegSvcs.exe) wrote to memory of 3196, procid_target 93 (x3)
  PID 4304 (RegSvcs.exe) wrote to memory of 536, procid_target 96 (x3)
  PID 4304 (RegSvcs.exe) wrote to memory of 3820, procid_target 98 (x3)
  PID 4304 (RegSvcs.exe) wrote to memory of 4460, procid_target 101 (x3)
  PID 4304 (RegSvcs.exe) wrote to memory of 2712, procid_target 104 (x3)
Processes

C:\Users\Admin\AppData\Local\Temp\YOU.exe  (PID 3060, level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\YOU.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\untrashed\avenses.exe  (PID 3512, level 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\YOU.exe"
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  (PID 4304, level 3)
      command line: "C:\Users\Admin\AppData\Local\Temp\YOU.exe"
      - Drops startup file
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 3196, level 4)
        command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
        - Command and Scripting Interpreter: PowerShell
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 536, level 4)
        command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RegSvcs.exe'
        - Command and Scripting Interpreter: PowerShell
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 3820, level 4)
        command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient2.exe'
        - Command and Scripting Interpreter: PowerShell
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 4460, level 4)
        command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient2.exe'
        - Command and Scripting Interpreter: PowerShell
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\schtasks.exe  (PID 2712, level 4)
        command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient2" /tr "C:\Users\Admin\AppData\Roaming\XClient2.exe"
        - System Location Discovery: System Language Discovery
        - Scheduled Task/Job: Scheduled Task

C:\Users\Admin\AppData\Roaming\XClient2.exe  (PID 2300, level 1)
  command line: C:\Users\Admin\AppData\Roaming\XClient2.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery

C:\Users\Admin\AppData\Roaming\XClient2.exe  (PID 2456, level 1)
  command line: C:\Users\Admin\AppData\Roaming\XClient2.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
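The process tree and signatures above record a chain a responder can check for on a suspect host: the AutoIT dropper avenses.exe sets the thread context of RegSvcs.exe (PID 4304), the XWorm payload is detected in that process's memory, and the hollowed RegSvcs.exe then adds Defender exclusions for itself and XClient2.exe, writes an HKCU Run value, drops XClient2.lnk into the Startup folder, and registers a scheduled task that relaunches XClient2.exe every minute at the highest run level. The script below is an added example, not part of the tria.ge report or of any tool it references. It uses only the IOC values shown on this page; the function names, the result shape and the assumption that any running RegSvcs.exe on a non-developer workstation is worth flagging are this example's own choices. It needs an elevated session for Get-MpPreference and for scheduled task details.

```powershell
# Added example (not part of the tria.ge report): host triage for the XWorm
# artifacts recorded above. IOC values are copied from the report; everything
# else (function names, output objects, heuristics) is this example's own.

$Ioc = @{
    C2Address    = '176.96.137.181'   # extracted XWorm config
    C2Port       = 2222
    InstallFile  = 'XClient2.exe'     # install_file, dropped into %AppData%
    TaskName     = 'XClient2'         # schtasks /tn "XClient2"
    RunValueName = 'XClient2'         # HKCU ...\CurrentVersion\Run\XClient2
    StartupFiles = @('XClient2.lnk', 'avenses.vbs')
}

function Get-DefenderExclusionFindings {
    # Add-MpPreference -ExclusionPath / -ExclusionProcess leave these lists behind.
    $pref = Get-MpPreference
    $hits = @()
    foreach ($p in @($pref.ExclusionPath) | Where-Object { $_ }) {
        if ($p -match 'RegSvcs\.exe$|XClient2\.exe$') {
            $hits += [pscustomobject]@{ Type = 'ExclusionPath'; Value = $p }
        }
    }
    foreach ($p in @($pref.ExclusionProcess) | Where-Object { $_ }) {
        if ($p -match '^(RegSvcs|XClient2)\.exe$') {
            $hits += [pscustomobject]@{ Type = 'ExclusionProcess'; Value = $p }
        }
    }
    return $hits
}

function Get-PersistenceFindings {
    $hits = @()
    # Run value written by the hollowed RegSvcs.exe
    $run = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties[$Ioc.RunValueName]) {
        $hits += [pscustomobject]@{ Type = 'RunKey'; Value = $run.($Ioc.RunValueName) }
    }
    # Startup folder drops (.lnk from RegSvcs.exe, .vbs from avenses.exe)
    $startup = [Environment]::GetFolderPath('Startup')
    foreach ($f in $Ioc.StartupFiles) {
        $path = Join-Path $startup $f
        if (Test-Path $path) { $hits += [pscustomobject]@{ Type = 'StartupFile'; Value = $path } }
    }
    # Scheduled task: /sc minute /mo 1 /RL HIGHEST relaunches the implant every minute
    $task = Get-ScheduledTask -TaskName $Ioc.TaskName -ErrorAction SilentlyContinue
    if ($task) {
        $desc = '{0} -> {1} (RunLevel={2}, Repetition={3})' -f $task.TaskName,
            $task.Actions[0].Execute, $task.Principal.RunLevel, $task.Triggers[0].Repetition.Interval
        $hits += [pscustomobject]@{ Type = 'ScheduledTask'; Value = $desc }
    }
    # Dropped install file; hash it so it can be compared against the sample hashes on this page
    $installed = Join-Path $env:APPDATA $Ioc.InstallFile
    if (Test-Path $installed) {
        $md5 = (Get-FileHash -Algorithm MD5 -Path $installed).Hash.ToLower()
        $hits += [pscustomobject]@{ Type = 'InstallFile'; Value = "$installed (MD5 $md5)" }
    }
    return $hits
}

function Get-RuntimeFindings {
    $hits = @()
    # Live session to the extracted C2 endpoint, whichever process owns it
    $conns = Get-NetTCPConnection -RemoteAddress $Ioc.C2Address -RemotePort $Ioc.C2Port -ErrorAction SilentlyContinue
    foreach ($c in $conns) {
        $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        $hits += [pscustomobject]@{ Type = 'C2Connection'; Value = "$($proc.ProcessName) (PID $($c.OwningProcess)) $($c.State)" }
    }
    # Heuristic (this example's assumption): RegSvcs.exe rarely runs outside .NET development,
    # and the report shows it hollowed to host the XWorm payload.
    foreach ($p in Get-Process -Name 'RegSvcs' -ErrorAction SilentlyContinue) {
        $hits += [pscustomobject]@{ Type = 'SuspiciousHostProcess'; Value = "RegSvcs.exe PID $($p.Id) started $($p.StartTime)" }
    }
    return $hits
}

function Invoke-XwormTriage {
    $all = @(Get-DefenderExclusionFindings) + @(Get-PersistenceFindings) + @(Get-RuntimeFindings)
    if ($all.Count -eq 0) { Write-Host 'No XWorm artifacts from this report found.' }
    else { $all | Format-Table -AutoSize | Out-Host }
    return $all
}

Invoke-XwormTriage
```

Order matters when cleaning up: kill the XClient2.exe and hollowed RegSvcs.exe processes first, then Unregister-ScheduledTask, remove the Run value and Startup files, and finally Remove-MpPreference for the two exclusions; removing the task before the processes lets the every-minute trigger restart the implant while you work.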
Network
MITRE ATT&CK Enterprise v15

Execution
  Command and Scripting Interpreter (1): PowerShell (1)
  Scheduled Task/Job (1): Scheduled Task (1)

Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1): Scheduled Task (1)
Downloads

Filesize: 142B
MD5: 8c0458bb9ea02d50565175e38d577e35
SHA1: f0b50702cd6470f3c17d637908f83212fdbdb2f2
SHA256: c578e86db701b9afa3626e804cf434f9d32272ff59fb32fa9a51835e5a148b53
SHA512: 804a47494d9a462ffa6f39759480700ecbe5a7f3a15ec3a6330176ed9c04695d2684bf6bf85ab86286d52e7b727436d0bb2e8da96e20d47740b5ce3f856b5d0f

Filesize: 2KB
MD5: 968cb9309758126772781b83adb8a28f
SHA1: 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256: 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512: 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Filesize: 18KB
MD5: 8244c651fde02d7427ffe485be66fe3a
SHA1: 96a198db01a8f615b119c3091aed2293bf29d367
SHA256: f9b669fb0de962378903273d011773db4405e63ab1c7dbc29473c52528e3f7f8
SHA512: 6621066472b90a9a309c4df3fc246083e03e9c61eff8cc48c6fcc32794100691e31ff55c689d453404c463b3581f9b7de7e790d746c800f7775d986fddc94b8d

Filesize: 18KB
MD5: b18f98c8f8e4f97b344d6c7182f7ceb4
SHA1: f4b556d7f8b3b5dab90597fa41a6ce805cb97f30
SHA256: 08cdb6d1d890b6c0e50478de987cf8cac22d5a28d105ad4ed79df3d22667f336
SHA512: 7478e572e6beac75d6db5789a218ba4a367b8f65be502a8ef18fcfa749c29e7f1d274df6747021386f433b0dd8d0004e95313d3d0e671b6808550e8be9b1244f

Filesize: 18KB
MD5: a49010e00fbc4405da52818258a04034
SHA1: d66216df7a22392b54a15796c670e423dc219822
SHA256: 7c835130b0618247942036948091e2027346a231ddcc97effb184c0ee7606294
SHA512: 20e488497b014a67a8e3c8d5b10e271255e87e7b1f0a8d6fa2a79f90499b7f09806fd3b583c57ebe291e0a100fb4b4d4035d53029340976ef88b1155ec6af46e

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 75KB
MD5: f7b1a17b45163be88460855ee2d1a8e6
SHA1: 1362e944185439cdbeda78fabfaae4cc3b6e2808
SHA256: 42f000296d3ff5241464a865d2f74ded4ec42febbf4f2ccc2787a1fef7eb9a84
SHA512: 5949bbe9109d5b256622619ebbb09e68754f18a55b43f82a7b579460046dff7765df75d01ad96d46a23b2876cf62724f67821319a5b419be5ba7f9624d05f2a4

Filesize: 955KB (same hashes as the submitted sample YOU.exe)
MD5: eb86db27432e31d958931668b20dd18d
SHA1: 12a8af666e5f1018071b46cb04df4a34384bb6be
SHA256: 5f0a6832da6604ee51d0072fa8ae6ad9b0151074c30c6a08acaad43d339abdf7
SHA512: 545b2ccdadb21aadc12a820ede8d4a730614d430816745aae817a4110cc36fa6891ff04e206d020f914debd388257222afcbbead55a2d88cd13e9e72b9ac938e

Filesize: 44KB
MD5: 9d352bc46709f0cb5ec974633a0c3c94
SHA1: 1969771b2f022f9a86d77ac4d4d239becdf08d07
SHA256: 2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390
SHA512: 13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b