General

  • Target

    password.txt.lnk

  • Size

    1KB

  • Sample

    240516-lses9seg3y

  • MD5

    a8d941db4a8f2301c661abff9d0121fa

  • SHA1

    df5ccb18e15bea95a0b9588cf113e4219b15fe22

  • SHA256

    3488fe12c3493039d9eddabf5fb04bf9bb3a54bcd591ab911857b602c85f2e66

  • SHA512

    1f945f0ffea07dae942cc218ea603d9e8a21921513380c71c6a8b81ec88a6d955f4dd8ef6ac966248c0983872ef6e9fd88d866e1387fedb72e77b12c437eed2c

Malware Config

Targets

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with a hidden display window.

    • Command and Scripting Interpreter: PowerShell

      PowerShell Invoke-WebRequest.

    • Command and Scripting Interpreter: PowerShell

      Uses the powershell.exe command.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks