Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    Deanonn by nazar 2024!!! +key.exe

  • Size

    67KB

  • Sample

    240530-ms4casee7x

  • MD5

    eafc6737830999d00a40a86049561243

  • SHA1

    a93b09e934e340f533c2d6b4ddc7b6cb85773e5b

  • SHA256

    ac86f775c65dffbaa91ad0dd4777d10feffef7f0088e73300940953f26a479d7

  • SHA512

    88137c28e1f618fc4fbbd2dc386c83b965cfab5c215d9277eb67afa14fd5c9d61f914c033dc24698c13fae435419f3843313086e35737ee38769a54f31613183

  • SSDEEP

    1536:7flEdkZzr89H2WwvAU6fFBxlTbeUgDf/c6gKO894Vj7cEgP:7f3w6297xbeVDf/bO8CVjvO

Malware Config

Extracted

Family

xworm

C2

registered-martial.gl.at.ply.gg:62460

Attributes
  • Install_directory

    %Temp%

  • install_file

    XClient.exe

Targets

    • Target

      Deanonn by nazar 2024!!! +key.exe

    • Size

      67KB

    • MD5

      eafc6737830999d00a40a86049561243

    • SHA1

      a93b09e934e340f533c2d6b4ddc7b6cb85773e5b

    • SHA256

      ac86f775c65dffbaa91ad0dd4777d10feffef7f0088e73300940953f26a479d7

    • SHA512

      88137c28e1f618fc4fbbd2dc386c83b965cfab5c215d9277eb67afa14fd5c9d61f914c033dc24698c13fae435419f3843313086e35737ee38769a54f31613183

    • SSDEEP

      1536:7flEdkZzr89H2WwvAU6fFBxlTbeUgDf/c6gKO894Vj7cEgP:7f3w6297xbeVDf/bO8CVjvO

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks