Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

XClient77777.exe

windows10-2004-x64

10

XClient77777.exe

windows10-ltsc 2021-x64

10

XClient77777.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08/03/2025, 21:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    XClient77777.exe

  • Size

    35KB

  • MD5

    5ea0f5924111a1694b717407703b660f

  • SHA1

    e9c88fbd4a5d00461c18cb44b2c222df45943e22

  • SHA256

    31dfb42cde129b009abfa9dfa7ff5028df923c6fe87520f49cd33a3af14dccfb

  • SHA512

    15aee130c32a50e40ff1347687741e32bb450074fd83288d515dd6ce2bb7047c093c89bb058b8e3226cd39d4ad5fc5e015b1c26286f11d217d9010e5485924fa

  • SSDEEP

    768:jDMfF7zLKYs2Byj5zuddqLb9Fk9wmAO/hZ/y2p:jkF7HKYs/1Md8Fk9wmAO/Xq2p

Score
10/10
xwormpersistencerattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

any-attraction.gl.at.ply.gg:27770

Mutex

uSx0YbbkrTZOubR8

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

aes.plain

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\XClient77777.exe
    "C:\Users\Admin\AppData\Local\Temp\XClient77777.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4184
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Hacked By Mikey" /tr "C:\Users\Admin\AppData\Roaming\Hacked By Mikey"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:5124
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:5724
  • C:\Users\Admin\AppData\Roaming\Hacked By Mikey
    "C:\Users\Admin\AppData\Roaming\Hacked By Mikey"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:5852
  • C:\Users\Admin\AppData\Roaming\Hacked By Mikey
    "C:\Users\Admin\AppData\Roaming\Hacked By Mikey"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Executes dropped EXE
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5144
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Hacked By Mikey" /tr "C:\Users\Admin\AppData\Roaming\Hacked By Mikey"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2600

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Hacked By Mikey.log
    Filesize

    654B

    MD5

    2ff39f6c7249774be85fd60a8f9a245e

    SHA1

    684ff36b31aedc1e587c8496c02722c6698c1c4e

    SHA256

    e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

    SHA512

    1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Hacked By Mikey
    Filesize

    35KB

    MD5

    5ea0f5924111a1694b717407703b660f

    SHA1

    e9c88fbd4a5d00461c18cb44b2c222df45943e22

    SHA256

    31dfb42cde129b009abfa9dfa7ff5028df923c6fe87520f49cd33a3af14dccfb

    SHA512

    15aee130c32a50e40ff1347687741e32bb450074fd83288d515dd6ce2bb7047c093c89bb058b8e3226cd39d4ad5fc5e015b1c26286f11d217d9010e5485924fa

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Hacked By Mikey.lnk
    Filesize

    789B

    MD5

    943b67940d59347e9fe4d29fe1e70f4b

    SHA1

    677cb2a165d24f0ca07f0cbe8a9a05b8d9bb698a

    SHA256

    2bb7029576844c7d024220143921ad3ea888122397e3cb6b5183d5aa12a559f0

    SHA512

    3df610e88e9d38d6d112968ef87b82610b32f05a50226d5e41a6ad0d4e0c7bbd2c2d10b4c8a8a4bd65afa6359da7d12fd1ecbc49d7df0a9e8eb397b187c82b4c

    Download Submit

  • memory/4184-1-0x0000000000060000-0x0000000000070000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4184-5-0x00007FFEC2BE0000-0x00007FFEC36A1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4184-6-0x00007FFEC2BE3000-0x00007FFEC2BE5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4184-7-0x00007FFEC2BE0000-0x00007FFEC36A1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4184-0-0x00007FFEC2BE3000-0x00007FFEC2BE5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4184-26-0x00007FFEC2BE0000-0x00007FFEC36A1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/5144-32-0x000000001AEC0000-0x000000001AECC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/5724-8-0x0000021EA4460000-0x0000021EA4461000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5724-18-0x0000021EA4460000-0x0000021EA4461000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5724-17-0x0000021EA4460000-0x0000021EA4461000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5724-16-0x0000021EA4460000-0x0000021EA4461000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5724-15-0x0000021EA4460000-0x0000021EA4461000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5724-19-0x0000021EA4460000-0x0000021EA4461000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5724-20-0x0000021EA4460000-0x0000021EA4461000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5724-14-0x0000021EA4460000-0x0000021EA4461000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5724-9-0x0000021EA4460000-0x0000021EA4461000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5724-10-0x0000021EA4460000-0x0000021EA4461000-memory.dmp

    Filesize

    4KB

    Download