General
Target: 2721b3feda88f242a54f83dfcd50d6356ae11a4374a816790cc90c00eb990ba1.exe
Size: 724KB
Sample: 240524-bgzzysff41
MD5: 6e1e63e97c09758e3db18ea31bd95284
SHA1: 6f4a188d43122d22a14459123764a094ed56b37c
SHA256: 2721b3feda88f242a54f83dfcd50d6356ae11a4374a816790cc90c00eb990ba1
SHA512: 0708ebbc263c5f16fddb0e1e76abf30b3ff5842207f450e0892e0879f828ecf165a203f156f460ed3cb97dd85691c0f3dc2233160b98e7daf34057872c70ba23
SSDEEP: 12288:7DeaBr2968/mPSxX7UydfxMApCPuiRMfOzzH3t2zrNkjovC7Qe1RwUdaZkgsZyL:3Pp8/2Sx/xMA8miRSO3H3t8aDaXs8
Static task: static1
Behavioral task: behavioral1
Sample: 2721b3feda88f242a54f83dfcd50d6356ae11a4374a816790cc90c00eb990ba1.exe
Resource: win7-20240221-en
Malware Config
Extracted:
xworm
5.0
45.141.27.41:7000
9ZF9ZsOZGh1T1r1n
Install_directory: %Public%
install_file: csrss.exe
Targets
- Detect Xworm Payload
- Detects Windows executables referencing non-Windows User-Agents
- Detects executables (downloaders) containing URLs to raw contents of a paste
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.