General

  • Target

    3b5e7b59138c1eabe859d45503e46ed37ff7afa770c6eab837010661030c36af.zip

  • Size

    3KB

  • Sample

    240307-cpgzsadc29

  • MD5

    7a996462c7ff2b49c097bae22da37122

  • SHA1

    fac9c87c0df223def2c6a8b09cc11059df1ae159

  • SHA256

    3b5e7b59138c1eabe859d45503e46ed37ff7afa770c6eab837010661030c36af

  • SHA512

    241223a4365556e871e14b3318cc736f7ce824bb910b3d9d7e359cfabf92cb752641c42134c37a15f4fa0ad9dac705a491fd8416587624789ccecce0557ea721

Malware Config

Extracted

Family

xworm

Version

3.1

C2

marxrwo9090.duckdns.org:9090

Mutex

gEEZ3P8N2reeuJje

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

  • aes.plain

Targets

    • Target

      4675673688.wsf

    • Size

      2KB

    • MD5

      0c07189ebd1c455825dedd9d84e75d6e

    • SHA1

      f6d19484d0f2b6fd41b45423422d875c598164d9

    • SHA256

      61b505c575e1717873e1736a0e00e3bc7f216c167a5635b77e6f326f61c6f8a9

    • SHA512

      9079baf79d4ab2bcfe2118915352abedd8a7f591cb629c53a6d1eca47b7d2ab990d58a53dedef5cf5990545c1e21fc7cb37b25de6fb2d2be034b8f3c1dbb8a80

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Detects Windows executables referencing non-Windows User-Agents

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Drops startup file

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext
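The extracted config and the behaviour signatures above together give a small host and network IOC set for this sample: the dynamic-DNS C2 host and port, the mutex, the install path %AppData%\USB.exe, and a Run key pointing at that file. The following Python is an added example, not part of the Triage report, that turns those fields into matchers and runs them over constructed, pipe-delimited telemetry lines modelled on Sysmon file-create, registry-set, DNS-query and network-connect events. The telemetry, the victim profile path, the wscript.exe parent for the .wsf dropper and the Run value name are all constructed; the report does not name the Run hive or value, so the matcher deliberately ignores the hive.

```python
import re
from dataclasses import dataclass

# Config values as extracted on the report page for this XWorm 3.1 sample.
XWORM_CONFIG = {
    "c2": "marxrwo9090.duckdns.org:9090",
    "mutex": "gEEZ3P8N2reeuJje",
    "install_directory": "%AppData%",
    "install_file": "USB.exe",
}

# %AppData% is the roaming profile folder, so on disk the dropped file lands
# under <profile>\AppData\Roaming\ whatever the user name is.
ENV_TO_PATH_SUFFIX = {"%AppData%": r"\AppData\Roaming"}


@dataclass(frozen=True)
class Indicators:
    c2_host: str
    c2_port: int
    mutex: str            # needs live handle enumeration, not log matching
    drop_path_re: re.Pattern
    run_key_re: re.Pattern


def indicators_from_config(cfg: dict) -> Indicators:
    """Derive matchable indicators from the extracted config fields."""
    host, _, port = cfg["c2"].rpartition(":")
    suffix = ENV_TO_PATH_SUFFIX[cfg["install_directory"]]
    # Negative lookahead stops USB.exe.bak or USB.exe2 from matching.
    drop = re.escape(suffix + "\\" + cfg["install_file"]) + r"(?![\w.])"
    # Assumption: the report only says "Adds Run key", so match the Run key
    # under any hive (HKCU or HKLM) rather than guess which one.
    run_key = r"\\CurrentVersion\\Run\\"
    return Indicators(
        c2_host=host.lower(),
        c2_port=int(port),
        mutex=cfg["mutex"],
        drop_path_re=re.compile(drop, re.IGNORECASE),
        run_key_re=re.compile(run_key, re.IGNORECASE),
    )


def parse(line: str) -> dict:
    """Parse the constructed pipe-delimited 'key=value' telemetry format."""
    parts = line.split("|")
    fields = {"ts": parts[0]}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def classify(ev: dict, ind: Indicators) -> list:
    """Return the list of indicator reasons one parsed event matches."""
    hits = []
    # Network: the dynamic-DNS hostname is the stable indicator; the IP it
    # resolves to changes and port 9090 alone is too common to alert on, so
    # the port only corroborates a hostname match.
    for key in ("QueryName", "DestinationHostname"):
        if ev.get(key, "").lower() == ind.c2_host:
            reason = f"c2 host via {key}"
            if ev.get("DestinationPort") == str(ind.c2_port):
                reason += f" on port {ind.c2_port}"
            hits.append(reason)
    # Persistence: a Run key value whose data is the install path.
    if ind.run_key_re.search(ev.get("TargetObject", "")) and \
            ind.drop_path_re.search(ev.get("Details", "")):
        hits.append("run key -> install path")
    # File drop into %AppData%.
    if ind.drop_path_re.search(ev.get("TargetFilename", "")):
        hits.append("install file written")
    # The implant itself executing from the install path.
    if ind.drop_path_re.search(ev.get("Image", "")):
        hits.append("process running from install path")
    return hits


def triage(lines, ind: Indicators):
    """Return (timestamp, reasons) for every line matching at least one indicator."""
    out = []
    for line in lines:
        ev = parse(line)
        reasons = classify(ev, ind)
        if reasons:
            out.append((ev["ts"], reasons))
    return out


# Constructed telemetry (not from the report): a wscript.exe drop of USB.exe,
# the Run key write, the DNS lookup and the TCP connect, plus one benign
# connection to port 9090 that must not be flagged.
SAMPLE_TELEMETRY = [
    r"2024-03-07T10:14:59Z|EventID=11|Image=C:\Windows\System32\wscript.exe|TargetFilename=C:\Users\victim\AppData\Roaming\USB.exe",
    r"2024-03-07T10:15:00Z|EventID=13|Image=C:\Users\victim\AppData\Roaming\USB.exe|TargetObject=HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\USB|Details=C:\Users\victim\AppData\Roaming\USB.exe",
    r"2024-03-07T10:15:01Z|EventID=22|Image=C:\Users\victim\AppData\Roaming\USB.exe|QueryName=marxrwo9090.duckdns.org",
    r"2024-03-07T10:15:02Z|EventID=3|Image=C:\Users\victim\AppData\Roaming\USB.exe|DestinationHostname=marxrwo9090.duckdns.org|DestinationPort=9090",
    r"2024-03-07T10:16:00Z|EventID=3|Image=C:\Program Files\Mozilla Firefox\firefox.exe|DestinationHostname=example.com|DestinationPort=9090",
]

if __name__ == "__main__":
    for ts, reasons in triage(SAMPLE_TELEMETRY, indicators_from_config(XWORM_CONFIG)):
        print(ts, ", ".join(reasons))
```

The hostname, not the resolved address, is the network indicator worth keeping: duckdns.org is a free dynamic-DNS service (the "Legitimate hosting services abused" hit above), so the operator can repoint the name at will, and the benign port-9090 connection in the sample shows why the port on its own is not alerted. The mutex name is carried in the indicator set but can only be checked on a live host by enumerating handles, which is why no log matcher uses it.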

MITRE ATT&CK Enterprise v15

Tasks