Analysis

  • max time kernel
    82s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01/03/2025, 18:35

General

  • Target
    XClient.exe
  • Size
    207KB
  • MD5
    6871607d92969776391efd493707eedc
  • SHA1
    4a081720e336df47324b3a6e214e0be28754c07a
  • SHA256
    90315fd137f2160e8d11223200c03bc2488f906007a5511240b29e1773596827
  • SHA512
    74e437d5c95fc8019e954b93d71f6f0fe9bd8dc843153c791336bdee6ab25ed1fd3d75efa90645a60fa44c9cb43bf3dac20358d29fdbcadf157ccb559d8a2b12
  • SSDEEP
    1536:Ks12gfnC6iy/PuF99N0z6POCZ0wLU7uS+ENi9:nfJ2F99N06OC1LUXk9

Malware Config

Extracted

  • Family
    xworm
  • Version
    5.0
  • C2
    thetest.selfhost.co:1339
  • Mutex
    6fb9p9QDJ0BS5PDw
  • Attributes
    • Install_directory
      %ProgramData%
    • install_file
      DirectOutputService.exe
  • aes.plain

Signatures

  • Detect Xworm Payload (2 IoCs)
  • Xworm
    Xworm is a remote access trojan written in C#.
  • Xworm family
  • Command and Scripting Interpreter: PowerShell (1 TTPs, 4 IoCs)
    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  • Checks computer location settings (2 TTPs, 1 IoCs)
    Looks up country code configured in the registry, likely geofence.
  • Drops startup file (2 IoCs)
  • Executes dropped EXE (1 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoCs)
  • Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s).
  • Delays execution with timeout.exe (1 IoCs)
  • Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
    Schtasks is often used by malware for persistence or to perform post-infection execution.
  • Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  • Suspicious behavior: EnumeratesProcesses (9 IoCs)
  • Suspicious use of AdjustPrivilegeToken (7 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoCs)
  • Suspicious use of WriteProcessMemory (16 IoCs)
  • Uses Task Scheduler COM API (1 TTPs)
    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\XClient.exe
    "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4480
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:220
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2376
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Windows Defender'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4704
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Defender'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2240
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Defender" /tr "C:\ProgramData\Windows Defender"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:4840
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /delete /f /tn "Windows Defender"
      2⤵
      PID:5080
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpCBF6.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4356
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:3060
  • C:\ProgramData\Windows Defender
    "C:\ProgramData\Windows Defender"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2012

Downloads

  • C:\ProgramData\Windows Defender
    Filesize: 207KB
    MD5: 6871607d92969776391efd493707eedc
    SHA1: 4a081720e336df47324b3a6e214e0be28754c07a
    SHA256: 90315fd137f2160e8d11223200c03bc2488f906007a5511240b29e1773596827
    SHA512: 74e437d5c95fc8019e954b93d71f6f0fe9bd8dc843153c791336bdee6ab25ed1fd3d75efa90645a60fa44c9cb43bf3dac20358d29fdbcadf157ccb559d8a2b12
  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize: 2KB
    MD5: d85ba6ff808d9e5444a4b369f5bc2730
    SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
    SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
    SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 944B
    MD5: d6f3ebd2b805d2f9e26bd69cc815565e
    SHA1: 21b63de042a4de9f123972f34d517462245f0481
    SHA256: 6ebb2a11cf144b31918622ac4afa79fad35b1f0b1dacb02dc15a4bc82bf89c49
    SHA512: 3c2c65cdb9a289dd64e445ccea33cb90f3b3c1e5b4d491009aed54991a5ae8acc072b30472ad0ecefea84ed2d72b72a74672ff10d77b8a562f0e0b194e9095e5
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 944B
    MD5: eb1ad317bd25b55b2bbdce8a28a74a94
    SHA1: 98a3978be4d10d62e7411946474579ee5bdc5ea6
    SHA256: 9e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98
    SHA512: d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 944B
    MD5: 5cfe303e798d1cc6c1dab341e7265c15
    SHA1: cd2834e05191a24e28a100f3f8114d5a7708dc7c
    SHA256: c4d16552769ca1762f6867bce85589c645ac3dc490b650083d74f853f898cfab
    SHA512: ef151bbe0033a2caf2d40aff74855a3f42c8171e05a11c8ce93c7039d9430482c43fe93d9164ee94839aff253cad774dbf619dde9a8af38773ca66d59ac3400e
  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_b4ikmnhc.hc5.ps1
    Filesize: 60B
    MD5: d17fe0a3f47be24a6453e9ef58c94641
    SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
  • C:\Users\Admin\AppData\Local\Temp\tmpCBF6.tmp.bat
    Filesize: 159B
    MD5: e38da856d50d78a768d1ef84be0ab8da
    SHA1: a8d5b828693bbfeb81090649cd6247846a7784cb
    SHA256: 296f500baff99c4543a11b0d9d0e5344e899576d3551bd6821e433d5792e0e2f
    SHA512: ff60e65a84cb606b15091eee12bd6d9ffea8f0db94a1851388e74b728975e3e4b64b4828fae450296a04a54bd5e99e6cc0dc5f224bcd0c4d53a79f9553b14a40
  • memory/220-12-0x00007FFBF4250000-0x00007FFBF4D11000-memory.dmp
    Filesize: 10.8MB
  • memory/220-16-0x00007FFBF4250000-0x00007FFBF4D11000-memory.dmp
    Filesize: 10.8MB
  • memory/220-13-0x00007FFBF4250000-0x00007FFBF4D11000-memory.dmp
    Filesize: 10.8MB
  • memory/220-11-0x000001B4D82D0000-0x000001B4D82F2000-memory.dmp
    Filesize: 136KB
  • memory/4480-0-0x00007FFBF4253000-0x00007FFBF4255000-memory.dmp
    Filesize: 8KB
  • memory/4480-54-0x00007FFBF4250000-0x00007FFBF4D11000-memory.dmp
    Filesize: 10.8MB
  • memory/4480-55-0x00007FFBF4253000-0x00007FFBF4255000-memory.dmp
    Filesize: 8KB
  • memory/4480-59-0x00007FFBF4250000-0x00007FFBF4D11000-memory.dmp
    Filesize: 10.8MB
  • memory/4480-65-0x00007FFBF4250000-0x00007FFBF4D11000-memory.dmp
    Filesize: 10.8MB
  • memory/4480-1-0x00000000007E0000-0x0000000000818000-memory.dmp
    Filesize: 224KB