Analysis

  • max time kernel
    142s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/03/2025, 13:38

General

  • Target

    DeltaClient.exe

  • Size

    1.0MB

  • MD5

    eb67015b03010c123ca71feae9dd650e

  • SHA1

    781ef9f850fed5c05dbd8370ea06a267c95a6acc

  • SHA256

    6f429d58a42e834613002fae6ab2b1b0f955c19830ed9a446904c9fd0c96d703

  • SHA512

    22261e79a66336715287e7a420e2bcef2410da7c1cda333b2dad4ef89076af291adc52f8408e561d69e71428d4fd52e87177f980ff30601bc0fdc7d9f8673274

  • SSDEEP

    24576:L5nlQBTFlRtuKcNzH9zupNdfxfinXpiRyA:ZeTFlVEzBundJanZQyA

Malware Config

Extracted

Family

xworm

C2

sackedrai-44446.portmap.host:44446

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

Signatures

  • Detect Xworm Payload 3 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\DeltaClient.exe
    "C:\Users\Admin\AppData\Local\Temp\DeltaClient.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4856
    • C:\Users\Admin\AppData\Local\Temp\XClient.exe
      "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4560
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3484
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1372
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\xclient'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5032
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'xclient'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4048
    • C:\Users\Admin\AppData\Local\Temp\Starvail.exe
      "C:\Users\Admin\AppData\Local\Temp\Starvail.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:1084
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x514 0x558
    1⤵
      PID:244

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

      Filesize

      2KB

      MD5

      d85ba6ff808d9e5444a4b369f5bc2730

      SHA1

      31aa9d96590fff6981b315e0b391b575e4c0804a

      SHA256

      84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

      SHA512

      8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      944B

      MD5

      77d622bb1a5b250869a3238b9bc1402b

      SHA1

      d47f4003c2554b9dfc4c16f22460b331886b191b

      SHA256

      f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

      SHA512

      d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      944B

      MD5

      07a771c4f31f62b2d04e2befaa36dce7

      SHA1

      662952ede6c1acbb575e8149a5ac2f08edade811

      SHA256

      a2df2570980e1123d9af8e12a27a82d3a4d332f0e7dd44e4e225743207c099b3

      SHA512

      9e339a2d0bfaf5bbe5252f69061652c5880fe1233930830ca7190a65516366e05129907b1656a6790c0093ad82ac73ddee6738d0b78ecb1e3d888f467b889fe9

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      944B

      MD5

      10890cda4b6eab618e926c4118ab0647

      SHA1

      1e1d63b73a0e6c7575f458b3c7917a9ce5ba776d

      SHA256

      00f8a035324d39bd62e6dee5e1b480069015471c487ebee4479e6990ea9ddb14

      SHA512

      a2ee84006c24a36f25e0bca0772430d64e3791f233da916aecdeae6712763e77d55bbbd00dc8f6b2b3887f3c26ab3980b96c5f46cc823e81e28abbbc5fc78221

    • C:\Users\Admin\AppData\Local\Temp\Starvail.exe

      Filesize

      887KB

      MD5

      b51ebe489a541f786d3aaa3c9c3e6405

      SHA1

      2689bde73ef6bc04b9b95f3d3df735e47c0740ee

      SHA256

      ef78da2ae48313ae60685e3c04eae36379c1e9ebcc70a416e0409d21187417ab

      SHA512

      c4c874beaeefa4869015b8d49a562d89a4ee3f546a4bc09422c537cd11b35f4f7d4c7998cad6a537875ff312db8c7cded3d6288d3b4ae777b813f998e520fce1

    • C:\Users\Admin\AppData\Local\Temp\XClient.exe

      Filesize

      63KB

      MD5

      fee58580f8ad4201dbafc4333a539f2b

      SHA1

      f459e730e56649f9a47fe9e476a29434e550e7c3

      SHA256

      32cf120b19b76f156cc7009768d4302fc606ece79b1cfef5fa229c2102cd0533

      SHA512

      7962f3fe1623842da4440d6ef5b1f5f032e9d31bd0cd5df95779fcbb60b99b854cc74622311bba838be024f59ba3d71e7bd4a723ddc609b9c4cf3e9e31fe2bd5

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1bo1jvzy.dwj.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • C:\Users\Admin\Documents\ClownfishVoiceChanger.ini

      Filesize

      841B

      MD5

      8308bd8db4c9c9ea60fc11a3581f7a2f

      SHA1

      877924821e2c27761813ad835a707890d4b8f795

      SHA256

      3d29a11a654777c1fef734b6bb299d8fc299f70b589dfbe447c4a9ada73a9ce0

      SHA512

      530e3b9e070f85c0308044c6320a7eada0056b704cdfd13c0b3b0a6974a651631bd12f81b486f21149edfb08a78d7c94ea631ec83f558e75b48568cf82feacd3

    • memory/3484-78-0x0000011C1AF30000-0x0000011C1AF52000-memory.dmp

      Filesize

      136KB

    • memory/4560-20-0x0000000000270000-0x0000000000286000-memory.dmp

      Filesize

      88KB

    • memory/4560-14-0x00007FFEC01D3000-0x00007FFEC01D5000-memory.dmp

      Filesize

      8KB

    • memory/4560-127-0x00007FFEC01D0000-0x00007FFEC0C91000-memory.dmp

      Filesize

      10.8MB

    • memory/4560-133-0x00007FFEC01D0000-0x00007FFEC0C91000-memory.dmp

      Filesize

      10.8MB

    • memory/4856-24-0x0000000000400000-0x0000000000508000-memory.dmp

      Filesize

      1.0MB