Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

App.exe

windows7-x64

7

App.exe

windows10-2004-x64

7

Freemasonry (2).exe

windows7-x64

10

Freemasonry (2).exe

windows10-2004-x64

10

Freemasonry.exe

windows7-x64

3

Freemasonry.exe

windows10-2004-x64

7

NisSrv.exe

windows7-x64

10

NisSrv.exe

windows10-2004-x64

10

Presentati...he.exe

windows7-x64

1

Presentati...he.exe

windows10-2004-x64

10

SecurityHe...2).exe

windows7-x64

10

SecurityHe...2).exe

windows10-2004-x64

10

SessionService.exe

windows7-x64

10

SessionService.exe

windows10-2004-x64

10

SgrmBroker.exe

windows7-x64

10

SgrmBroker.exe

windows10-2004-x64

10

SocketHeciServer.exe

windows7-x64

10

SocketHeciServer.exe

windows10-2004-x64

10

cmd.exe

windows7-x64

10

cmd.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    a chunk of shit.rar

  • Size

    3.5MB

  • Sample

    240204-k2flgsgbhk

  • MD5

    ebe6a4fc37e257521bfbe3c593179e39

  • SHA1

    bc0bf4cc638f7e3dd90f6d6cecdb33ea4ed3cf91

  • SHA256

    ebf760dbfa32628221a5a902ffd7e98f560d181225e260ed4326aa36aa99f659

  • SHA512

    71091fb188e78a9a0adb1dbd00ee7f76aacf706a99fd039386bfed28f4f7bfbd73274229dda711a1d3f8c1c98a05817a81d7bcde282b34540b1f50651d8b02a1

  • SSDEEP

    98304:egd23vOGWgsB/mhZdBxXivtJ7dRHdbLyJo12nuRW6D7:eg+PhZd+1X5db+uR17

Score
10/10
umbralxwormratstealertrojan

Malware Config

Extracted

Family

xworm

Version

3.1

C2

209.25.143.223:505

Attributes
  • Install_directory

    %AppData%

aes.plain

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1188379475021410374/Ssj5Ns9zjIl8_hao3wt15snRVqwtBYjDt8QLCtqPC4z6ltGHrqIRWciPemKhTAJ3Ea_2

Targets

    • Target

      App.pif

    • Size

      2.9MB

    • MD5

      d6655c8f5158766bf2e91da966403580

    • SHA1

      85da9aa520bee8965af536347a1c05d54b6410fd

    • SHA256

      5a7bce33bbc1301553999bbd79747e8cef41dfae07e95474bd61cd5ae501f326

    • SHA512

      f2bf55cac91325c99372609777cfd08d0510b59886055b3e436dbedffc84dbf45ba237593cf2399f1795279a7df412a4a7ef73dce5b6abc9dfdb3f0b5bc4e6c5

    • SSDEEP

      49152:XnQT/qnwwnZQKuvYSKU/ESvdaU+c0/IVes7kJXBjYOMjUfkptVxOdxiy:XQTdwnBgYSKU/xvzg/IVeMjUu5

    Score
    7/10

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral1behavioral2

    • Target

      Freemasonry (2).exe

    • Size

      5KB

    • MD5

      ff7e6dfa113f9f87601e895a40260678

    • SHA1

      8e313c176605587b2d9b7111d35c5b51f09f6606

    • SHA256

      156c9e8bef9013a1b498d6ba5aa8582ec7f2d02e6123ac777bca863f087e7c62

    • SHA512

      53975519c17bf8b24ca46e0326a084e7959e475c47c4e8cd74672dd1a2df570279dd34801460b3fcd630f581aaaff12058b77f09414b411ddac285cc8db45bed

    • SSDEEP

      48:6in5YDNwtZdLP10NjDCPp9glLGoNMDyxAoQ5WD9KLGNI6iqAa54tdXl4f59FWpfG:UDOrVmGIIy8UBKS26iBmBQzNt

    Score
    10/10
    xwormrattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm
    behavioral3behavioral4

    • Target

      Freemasonry.exe

    • Size

      7KB

    • MD5

      eeb0f31878b07f58b2d4095392134dba

    • SHA1

      a1a8a59656d8a3e43dc10118138a2cfd6cd071a5

    • SHA256

      a66cb74d56e1b85a50416a7cc63180e94f4f556f96dd7bbb863cf17433b2cee2

    • SHA512

      fe95c4b94eec74cd83e40437e70bd472368bd63b14da8535367c813814c2c226f7edade9ab3e994332143b989186dd02eabf5c32fbaabb6b6faf6d63a33addc9

    • SSDEEP

      96:16Mt8AFKh9ibN42TgWv4rJsHV3mQgepEmkOzNt:Dt8AFKPYecgy49sHV3mQg3hI

    Score
    7/10

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    behavioral5behavioral6

    • Target

      NisSrv.exe

    • Size

      286KB

    • MD5

      4105f6abba105cc27f89c2ebfc0c06b9

    • SHA1

      416adb89cdf50bc1dffd5d386a391a2c32bec3a9

    • SHA256

      dddac27a8c4fc66d1fdbe65cddae474b50f5b21a0bdc7f02594426089d898cc8

    • SHA512

      c73a124afa416227b7b9e297934e5f454f7fe5bab229e0e95a633517bffbd61026accaa6c0573757be5e2f60afc80bcaf70000a20d9b60190935715c8d206541

    • SSDEEP

      6144:pu0CsWLsWwYnZqiXMhD5RL3t8os+E4sch8pP6Dv8NubGv3xcD89eL:4CWNwuZvXMB5DuGsch8QDvt8i

    Score
    10/10
    xwormrattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    behavioral7behavioral8

    • Target

      PresentationFontCache.exe

    • Size

      705KB

    • MD5

      78c86cfe603739c575a5290d8b5bb85c

    • SHA1

      52e98defa2d9d428054695e47097cd330cd4a4f1

    • SHA256

      1dc33731f7d9da075f20e3900ca8e3c6c593c637fa32703123347bfaae3917f0

    • SHA512

      d740bf68c7a4a7200a24926d6b06f3184b5a2d3ac1e7debc4a4eb5f76935c8416c223f802cc3ad5179d641eda92b06687c1a16dc088f626fb71bd412e124c637

    • SSDEEP

      12288:ehGB+EDfS8sKMvqg6YBYiZfJMT9hMnJicP8YDTvNC9jCxjt:ehS+EDfSSMvqDYWiZuTrMnkcECTvNKW

    Score
    10/10
    xwormrattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    behavioral10behavioral9

    • Target

      SecurityHealthService (2).exe

    • Size

      863KB

    • MD5

      e52b5a8920cb3377b0b965cff2511976

    • SHA1

      750741e2b260c02f0e0c1f0a556630fd65aa04e1

    • SHA256

      817875231b62f3c9513a011b6d008592bb37178b07f163f3d517170516ea8c1b

    • SHA512

      ee9f8702d46343eed8a5c3f3755967f20f3c844af608150a926152da0828c31708f585280c004a5615e08cf9742fb9089a728ecf4d9360e29b51d9bd78e8060b

    • SSDEEP

      24576:+mKZ0BH6VpcusvRVl/1C+ZiBnonvsciQvtEMvqDYWiZuTrMnkcECTvNh:+f0BH3Zv93iBnqWZYtuTr4j

    Score
    10/10
    umbralxwormratstealertrojan

    • Detect Umbral payload

    • Detect Xworm Payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Umbral

      Umbral stealer is an opensource moduler stealer written in C#.

      stealerumbral

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral11behavioral12

    • Target

      SessionService.exe

    • Size

      117KB

    • MD5

      14e30c16018099515838579930a91203

    • SHA1

      76bbf81a1b5bcab232641c190a44051252b82c2a

    • SHA256

      66cab06a5f9a15057d4a6a7beeee553b74b039ab7e918c2435f1da68ddccc84a

    • SHA512

      e3e599be9c51e8f5597b31f7ded0cfbfc1a748a393b16540015ea53325a04098e93dfead4b370b2dd48b2295531b3e9b3a38bf685f96a49b4fc1e6e03ce9b731

    • SSDEEP

      1536:drOoAFyXOnznmTBw0FG51bvJB6rP06I4HwcOn10ZomIcoKCE45nHQK:5OnIYnmFg1bRgO4DOnCvIctm

    Score
    10/10
    xwormrattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral13behavioral14

    • Target

      SgrmBroker.exe

    • Size

      771KB

    • MD5

      bda31b88c53cee7ee196b15f4f6ed413

    • SHA1

      ae530f0d0459cea03e6d362e6a88c066a60e31e6

    • SHA256

      d4965411f163368758c151b7d90bccfebe2067f65472847701cc880d00e15bab

    • SHA512

      5b34cd28d5a5dfca43e5f2d9cf7cc156aff344b2b2c5625dfd387d81a5755d8afcb09ae723c3d76ea08930a84f92f83e8c72afc011ec61c836c27edd2b47155f

    • SSDEEP

      12288:NcREkD5DFr/cp9gxh/xiAa5HLL4UYUdcpc3RrC2H1VdPQz2XzUBWOKK1sS/78yrA:NcR1vUbXvdPS1WmsS/FM

    Score
    10/10
    xwormrattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm
    behavioral15behavioral16

    • Target

      SocketHeciServer.exe

    • Size

      326KB

    • MD5

      b31a895d0c68b927f671ad83cd75746a

    • SHA1

      feeeb2c2221b40f07eb5f8a61b42fa74b515777d

    • SHA256

      dfffdd9f71b964ea17dec2660be833b0ecf007e239a3e44f4b8108967557d78a

    • SHA512

      7dde6e228200f7776d5ed2414e4fc1c19f487f8a77719f0af87ad612f605dcc87bd525192d3819c8eb022a9d9e563ab87308d6c08adc70cece6f7b83b2e99e93

    • SSDEEP

      6144:sjJL98jtwguKV5BwUnZqazMhD9RLJt88sndcP8pPyDvUGOksDRb:DjtkKLBwiZlzMB9xgndcP88DvvP

    Score
    10/10
    xwormrattrojan

    • Detect Xworm Payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Suspicious use of SetThreadContext

    behavioral17behavioral18

    • Target

      cmd.exe

    • Size

      305KB

    • MD5

      17a914cf391fd8afff071aaa9dbb6d0e

    • SHA1

      bdc7aecf8298fc9742cc2d093b39a93d69b56d90

    • SHA256

      fb8ca27363234ce063f034f47bce0ff739273d6880ac93c32ac89750a9bbae3a

    • SHA512

      ccae9abe5e6116fad65699382bf5641a83bd94b7d95ed9159ea0176d2887d226f092ab97cb271d7cacec250c1aa78c0ba8eda75d6e19c6836b2bd2c648f75278

    • SSDEEP

      6144:I7qJFjwoMUnZqaXMhJ99LJJ8KsnlXfEUcP87PyXvUGRhIc/9oLCm:I7qJOBiZlXMT9BwnllcP8WXvvh

    Score
    10/10
    xwormrattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm
    behavioral19behavioral20

MITRE ATT&CK Enterprise v15

Tasks