Analysis

  • max time kernel
    120s
  • max time network
    123s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250217-en
  • resource tags

    arch:x64, arch:x86, image:win11-20250217-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    01/03/2025, 13:21

General

  • Target

    XClient.exe

  • Size

    77KB

  • MD5

    1fdd77cb12693ba80efbe8a5463b34b0

  • SHA1

    a28daa287556525ef8d54f4244fac761b9be9dc3

  • SHA256

    03075f33cfb3ba600a7312a2c6ed5a26dd2e2d210913f70a471f1a120e501891

  • SHA512

    e635f719d5e4a3a394ef348e5324c4e407427f00354e0ba9bc7cd25a3e966ecbd045211141a2c3156d1caf4459fd813b772595e74df06426bc9fd884e7e0f7d1

  • SSDEEP

    1536:G8XGqHq8FQcOUQKHMC6YhEE+b/dYMYHbaPT+OpsE6dKWOKeexI3Y:G822qMWKsvE+b/SMkbCZmKWOXlY

Malware Config

Extracted

Family

xworm

C2

cause-indexes.gl.at.ply.gg:17210

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Disables Task Manager via registry modification
  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\XClient.exe
    "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1428
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2136
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1472
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4148
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3392
    • C:\Users\Admin\AppData\Local\Temp\ohodhi.exe
      "C:\Users\Admin\AppData\Local\Temp\ohodhi.exe"
      2⤵
      • Executes dropped EXE
      • Writes to the Master Boot Record (MBR)
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:8
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t reg_dword /d 1 /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4304
        • C:\Windows\SysWOW64\reg.exe
          REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t reg_dword /d 1 /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:4368
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x00000000000004DC 0x00000000000004C0
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2964

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

    Filesize

    2KB

    MD5

    627073ee3ca9676911bee35548eff2b8

    SHA1

    4c4b68c65e2cab9864b51167d710aa29ebdcff2e

    SHA256

    85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

    SHA512

    3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    944B

    MD5

    7d760ca2472bcb9fe9310090d91318ce

    SHA1

    cb316b8560b38ea16a17626e685d5a501cd31c4a

    SHA256

    5c362b53c4a4578d8b57c51e1eac15f7f3b2447e43e0dad5102ecd003d5b41d4

    SHA512

    141e8661d7348ebbc1f74f828df956a0c6e4cdb70f3b9d52623c9a30993bfd91da9ed7d8d284b84f173d3e6f47c876fb4a8295110895f44d97fd6cc4c5659c35

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    944B

    MD5

    81dc356768c666a613df994ba756b09f

    SHA1

    0f6768127d68715e688518e7a7d9159114e71d11

    SHA256

    f12f8ba2539036e660cf18f58da225e0d3571906b89797bc5308b745423e79bb

    SHA512

    83f7344aba829fb83dcff48d2c9be8e4ccd6d1d3659d1b77e6867852002166f5fd1e45649dc97bec5283370ed46963ea5aa7d43db446fb2d6544dde2a1b1c605

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    944B

    MD5

    a77a224739207f33f335113eaed5267b

    SHA1

    4e99ac40069abef2c4a41761762c9ff2518fe733

    SHA256

    8567db24e2be485cde92b736d059a72db8e900f696039846802b9c0151d60559

    SHA512

    66ee305219fbe8e30b2f6680db3552f156aa2a16c137a35f960c33d0de730c9f5f71781367c4fd8bb0f9035d180a26b5ad22d53bc35537c2b4b6b71d13b963a9

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lbhwfeyd.hct.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Local\Temp\ohodhi.exe

    Filesize

    63KB

    MD5

    2cf51977ed60a9a59d29a72075ce52ad

    SHA1

    960e40eaa8445c0049d11f97abba7f4b465ad4d5

    SHA256

    64735679e70b0d6e67198c28df11cf449dc114df01f6c336d61a9da39448f853

    SHA512

    bfcad9e99ff0dfd2cd917b8160cccab3710ed9974a6c15ea7dd1b0db965a51eec5ac588a87c4bab37af60504a3deb4f11de0a4d93a0c3648673b0dc0824646ad

  • memory/8-70-0x0000000000400000-0x0000000000416000-memory.dmp

    Filesize

    88KB

  • memory/1428-55-0x00007FFA7ECB0000-0x00007FFA7F772000-memory.dmp

    Filesize

    10.8MB

  • memory/1428-53-0x00007FFA7ECB0000-0x00007FFA7F772000-memory.dmp

    Filesize

    10.8MB

  • memory/1428-54-0x00007FFA7ECB3000-0x00007FFA7ECB5000-memory.dmp

    Filesize

    8KB

  • memory/1428-0-0x00007FFA7ECB3000-0x00007FFA7ECB5000-memory.dmp

    Filesize

    8KB

  • memory/1428-57-0x0000000001510000-0x000000000151C000-memory.dmp

    Filesize

    48KB

  • memory/1428-69-0x0000000001520000-0x00000000015AE000-memory.dmp

    Filesize

    568KB

  • memory/1428-1-0x0000000000CD0000-0x0000000000CEA000-memory.dmp

    Filesize

    104KB

  • memory/2136-17-0x00007FFA7ECB0000-0x00007FFA7F772000-memory.dmp

    Filesize

    10.8MB

  • memory/2136-14-0x00007FFA7ECB0000-0x00007FFA7F772000-memory.dmp

    Filesize

    10.8MB

  • memory/2136-13-0x00007FFA7ECB0000-0x00007FFA7F772000-memory.dmp

    Filesize

    10.8MB

  • memory/2136-12-0x00007FFA7ECB0000-0x00007FFA7F772000-memory.dmp

    Filesize

    10.8MB

  • memory/2136-11-0x00007FFA7ECB0000-0x00007FFA7F772000-memory.dmp

    Filesize

    10.8MB

  • memory/2136-10-0x0000023F39920000-0x0000023F39942000-memory.dmp

    Filesize

    136KB