General

  • Target

    проверка.rar

  • Size

    67KB

  • Sample

    240601-vkq11ahc3y

  • MD5

    e89a677ddfa8a60aeb45e72531e46847

  • SHA1

    ae5f8093367716bf77003276f9886e6869fa9b19

  • SHA256

    0405ea85262008c736e2113f4fbfa1b9eadc1e59fea50737ed5edb4326f686a9

  • SHA512

    86d138e41045c77251d88e9a93649ce5591c3c743a026e8d68923b89c0a7e1b9adb04ffeb64869025c5599544dc03d815b9594392a2869e87753d80a7225796c

  • SSDEEP

    1536:gSQMWjVGooE2vo7Ugl77wYAMHWwHVBhxmnZPVA5H:dQGob2vKl5HHvJy2H

Malware Config

Extracted

Family

xworm

C2

19.ip.gl.ply.gg:65468

speed-wheat.gl.at.ply.gg:65468

XWorm V5.2:123

Attributes

  • Install_directory

    %AppData%

  • install_file

    Delta.exe

Targets

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks