General

  • Target: 912a9f5960f78c14a1bfe528860b5cc5.bin
  • Size: 563KB
  • Sample: 231114-czpglsga8w
  • MD5: 0559bafa89a04e06653a01cdcb3672df
  • SHA1: 8346447f999c7623bec2363da17442789359bbc3
  • SHA256: 16a8928df1da51875715a7bf50162f5601b0a7e6ed357d5c5919188affaa7774
  • SHA512: 56d416972f18e89477eb8f4786230b9e0b33dde5639ea1ee3e372348db5f334a563dfcfc1b97b58d063d0663649744152a1a27943dd05924a3a7e6d12982aa3d
  • SSDEEP: 12288:vqpNGarSiq4wQ4CWz45VQKaMO3QRmphCRKXhahT6FgNNkN:ybDrBDw/gDZadZphMKXK6yPkN

Malware Config

Targets

    • Target: 4f49150cb8b4ed358d59ab2d9e15a6161b69658e45e54419c536dd77487a2fde.exe
    • Size: 753KB
    • MD5: 912a9f5960f78c14a1bfe528860b5cc5
    • SHA1: 6e23c3b72f56358efc066b6ae60d173902a0f033
    • SHA256: 4f49150cb8b4ed358d59ab2d9e15a6161b69658e45e54419c536dd77487a2fde
    • SHA512: 0b09a77600c9df2ece04e6ef4f5ff3ba2779b15f7a33bcfc4ee0c71ebcdbe16b5f9585ec931449427855131a1d265c1e8b76f27a341d0294ac921e3a5a7cd352
    • SSDEEP: 12288:2ufjVpNKUF3OjhlYnf8KPGNaTp7WeqCdmgzKrQXOxTXbebLw7:2sGQOjhlYUUGkp7FzO

    • Detect Xworm Payload

    • Modifies WinLogon for persistence

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15