General

  • Target

    66bc491ac60ff2af35a6b35984b68b5054b8f70b30c1b9e07d1c4e3163fdf767.exe

  • Size

    535KB

  • Sample

    240503-ezsv5shb26

  • MD5

    11484da8db8f1bbeaff9b8b4b7387e7d

  • SHA1

    8604e6082a89f9731beba669de3520788dd70d6a

  • SHA256

    66bc491ac60ff2af35a6b35984b68b5054b8f70b30c1b9e07d1c4e3163fdf767

  • SHA512

    54fabcf2e5e10c73eff2552b1390e849d385b174995eb0dee5c71c8d8395cd58bc89c8eaa78f73dad8e0f95048f951fb24e0e06877ec5be6738af28b730d7f53

  • SSDEEP

    6144:MoEjg84W5xNSuIdNqqS+lsrKAe3Y8l/v:QgE5xwuIKp+N

Malware Config

Extracted

Family

xworm

C2

your-purchasing.gl.at.ply.gg:35731

logo-active.gl.at.ply.gg:25835

Attributes

  • Install_directory

    %AppData%

  • install_file

    System.exe

Targets

    • Target

      66bc491ac60ff2af35a6b35984b68b5054b8f70b30c1b9e07d1c4e3163fdf767.exe

    • Size

      535KB

    • MD5

      11484da8db8f1bbeaff9b8b4b7387e7d

    • SHA1

      8604e6082a89f9731beba669de3520788dd70d6a

    • SHA256

      66bc491ac60ff2af35a6b35984b68b5054b8f70b30c1b9e07d1c4e3163fdf767

    • SHA512

      54fabcf2e5e10c73eff2552b1390e849d385b174995eb0dee5c71c8d8395cd58bc89c8eaa78f73dad8e0f95048f951fb24e0e06877ec5be6738af28b730d7f53

    • SSDEEP

      6144:MoEjg84W5xNSuIdNqqS+lsrKAe3Y8l/v:QgE5xwuIKp+N

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15