General
- Target: 66bc491ac60ff2af35a6b35984b68b5054b8f70b30c1b9e07d1c4e3163fdf767.exe
- Size: 535KB
- Sample: 240503-ezsv5shb26
- MD5: 11484da8db8f1bbeaff9b8b4b7387e7d
- SHA1: 8604e6082a89f9731beba669de3520788dd70d6a
- SHA256: 66bc491ac60ff2af35a6b35984b68b5054b8f70b30c1b9e07d1c4e3163fdf767
- SHA512: 54fabcf2e5e10c73eff2552b1390e849d385b174995eb0dee5c71c8d8395cd58bc89c8eaa78f73dad8e0f95048f951fb24e0e06877ec5be6738af28b730d7f53
- SSDEEP: 6144:MoEjg84W5xNSuIdNqqS+lsrKAe3Y8l/v:QgE5xwuIKp+N
Static task: static1
Behavioral task: behavioral1
- Sample: 66bc491ac60ff2af35a6b35984b68b5054b8f70b30c1b9e07d1c4e3163fdf767.exe
- Resource: win7-20240419-en
Malware Config
Extracted: xworm
- C2: your-purchasing.gl.at.ply.gg:35731
- C2: logo-active.gl.at.ply.gg:25835
- Install_directory: %AppData%
- install_file: System.exe
Targets
- Target: 66bc491ac60ff2af35a6b35984b68b5054b8f70b30c1b9e07d1c4e3163fdf767.exe
- Size: 535KB
- MD5: 11484da8db8f1bbeaff9b8b4b7387e7d
- SHA1: 8604e6082a89f9731beba669de3520788dd70d6a
- SHA256: 66bc491ac60ff2af35a6b35984b68b5054b8f70b30c1b9e07d1c4e3163fdf767
- SHA512: 54fabcf2e5e10c73eff2552b1390e849d385b174995eb0dee5c71c8d8395cd58bc89c8eaa78f73dad8e0f95048f951fb24e0e06877ec5be6738af28b730d7f53
- SSDEEP: 6144:MoEjg84W5xNSuIdNqqS+lsrKAe3Y8l/v:QgE5xwuIKp+N
Score: 10/10
Signatures
- Detect Xworm Payload
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)