General

  • Target

    WaveTrial.exe

  • Size

    86KB

  • Sample

    240529-fkk3esbb2z

  • MD5

    5cb8f4aa69339acc85ef9d2ca60b0c07

  • SHA1

    bb12de5f0a59eda98ba82e4a81dd24d80b8d7844

  • SHA256

    d8f968a5732220f35ab7094f13537d1d68405ed10362737848a87e5a71773e9d

  • SHA512

    f8908f96cfff0498b977c2d790709cc02408068999f520a9727e3eff4e260092fd1c1b8fcf13d0cc217298f0e91a0b55fb30f88bba515fa08ed8b66465c07540

  • SSDEEP

    1536:VVOy37Fk3kKmog7DldgQatSL4Jj6+l7lbOL5zWx1fRkTqP6nPbuE1ONz5UrQWSK0:ctmog7DjgfmmbO14CP3ONzCrQC0

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:2619

20.ip.gl.ply.gg:2619

Attributes

  • Install_directory

    %AppData%

  • install_file

    USB.exe

Targets

    • Target

      WaveTrial.exe

    • Size

      86KB

    • MD5

      5cb8f4aa69339acc85ef9d2ca60b0c07

    • SHA1

      bb12de5f0a59eda98ba82e4a81dd24d80b8d7844

    • SHA256

      d8f968a5732220f35ab7094f13537d1d68405ed10362737848a87e5a71773e9d

    • SHA512

      f8908f96cfff0498b977c2d790709cc02408068999f520a9727e3eff4e260092fd1c1b8fcf13d0cc217298f0e91a0b55fb30f88bba515fa08ed8b66465c07540

    • SSDEEP

      1536:VVOy37Fk3kKmog7DldgQatSL4Jj6+l7lbOL5zWx1fRkTqP6nPbuE1ONz5UrQWSK0:ctmog7DjgfmmbO14CP3ONzCrQC0

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks