General
  Target: receipt_usps.vhd
  Size: 9.0MB
  Sample: 240405-nw49fabe39
  MD5: 835b1e409a1c6bb2c9b4af67fb3b2d71
  SHA1: f5065d35b91b9ec284cbffc85ee78e7ea8a16389
  SHA256: 16da17a7d922a490fd554b01f0ba1f2cbc46605ac8f8417a233e68a595e24051
  SHA512: 9a9881c822263cea9bd08f552b58fc4d3b21705127e3080df7dabfd29a797c813a33befd1a8361d3e6beb3b4536ba9cad7653511ba92aa32d57fbf19c2add0f9
  SSDEEP: 49152:Nb/WCLE4eDqB4a6imkqcvBjXIjVUgwt5Og:kCQliq0BTI5UIg

Static task
  static1

Behavioral task
  behavioral1
  Sample: logo/receipt.vbs
  Resource: win7-20240221-en

Behavioral task
  behavioral2
  Sample: logo/receipt.vbs
  Resource: win10v2004-20240226-en

Behavioral task
  behavioral3
  Sample: parcel_shipping_label.lnk
  Resource: win7-20240215-en

Behavioral task
  behavioral4
  Sample: parcel_shipping_label.lnk
  Resource: win10v2004-20231215-en

Malware Config

Extracted
  xworm
  5.0
  UxOlPOZZNwNV9srk
  install_file: USB.exe
  pastebin_url: https://pastebin.com/raw/Dh8E7H3R

Extracted
  xworm
  3.1
  Install_directory: %AppData%
  install_file: USB.exe
  pastebin_url: https://pastebin.com/raw/Dh8E7H3R

Targets

Target: logo/receipt.vbs
  Size: 4KB
  MD5: 22d736ac0bfacea4d23dbaf9412d329a
  SHA1: b2990e0c9f9549b1f8cc3dceec47663b975cbb36
  SHA256: c5a2fd9c057765f6eb2bde2cc86317b53d8418117c9e1362596e067b44ea7d04
  SHA512: bfdd54f8e400e9c516cf5c73f1ba17b2a5c44fe9d14ada37efaff35c38d30c7849ad1dfb32a3d877742631a60c462832e079994de5fe65044a2941eaa0770904
  SSDEEP: 96:LQUUjcFSoSqUnPkPKOTK6yjbo+yHQUJ8fLGZ2k7:dYcFh5UsPKOTJcoLMw2k7
  Score: 10/10
  Signatures:
  - Detect Xworm Payload
  - Blocklisted process makes network request
  - Checks computer location settings
    Looks up country code configured in the registry, likely geofence.
  - Executes dropped EXE
  - Adds Run key to start application
  - Legitimate hosting services abused for malware hosting/C2
  - Suspicious use of SetThreadContext

Target: parcel_shipping_label.lnk
  Size: 1002B
  MD5: a0abe64514f25b2564718dadc6f077c9
  SHA1: aa6b93ee0817e74d66d8fbcb475442d7071c1b6f
  SHA256: 82ba6734f458e88dc2465ff8152fb0de8a33e08163da64c9653d8c89f9dae8c2
  SHA512: ff504e33e1dbd8af157e6c1fb3fdfc0d8fe735e1f347cd90f9cc15ec04151b06078e1d926b9fd25e817d2417185ad1972d759f113d96c2c3595d2ec88cfc4402
  Score: 10/10
  Signatures:
  - Detect Xworm Payload
  - Blocklisted process makes network request
  - Checks computer location settings
    Looks up country code configured in the registry, likely geofence.
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Legitimate hosting services abused for malware hosting/C2
  - Suspicious use of SetThreadContext