
General

  • Target

    Iinpdftw.exe

  • Size

    4.7MB

  • Sample

    240615-fwm16atcrr

  • MD5

    a9cb0e951c7ede7c23b5ba350b4920fd

  • SHA1

    a16b2377a77e86b2a2cd27d58c44218e8aaa1a66

  • SHA256

    0b75189b6f3d6e031159d20e351d60f6dd8956642e16d55083936096f73eb864

  • SHA512

    300111595b2ea4fc3143b25faca8f97e27286221456c792f5ea80b3fe066baf5d1d2fcca122ebe17362ea3f26fdb06388356be122389229745972bb6d0b6fad4

  • SSDEEP

    24576:VwtcEr/TQ/8YlE33S3++12pt/R31ggXSe1dFwUMWo8zrC9b84opK76iV7+rt9V23:rz

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

Mc35OpRlVfHYgK3s

Attributes
  • install_file

    USB.exe

  • pastebin_url

    https://pastebin.com/raw/EiiXCJbn

aes.plain

Targets

    • Target

      Iinpdftw.exe

    • Size

      4.7MB

    • MD5

      a9cb0e951c7ede7c23b5ba350b4920fd

    • SHA1

      a16b2377a77e86b2a2cd27d58c44218e8aaa1a66

    • SHA256

      0b75189b6f3d6e031159d20e351d60f6dd8956642e16d55083936096f73eb864

    • SHA512

      300111595b2ea4fc3143b25faca8f97e27286221456c792f5ea80b3fe066baf5d1d2fcca122ebe17362ea3f26fdb06388356be122389229745972bb6d0b6fad4

    • SSDEEP

      24576:VwtcEr/TQ/8YlE33S3++12pt/R31ggXSe1dFwUMWo8zrC9b84opK76iV7+rt9V23:rz

    • Detect Xworm Payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Executes dropped EXE

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext
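The three behaviours above that leave host telemetry (Defender exclusions added via PowerShell, the external-IP lookup, and the pastebin_url fetch from the extracted config) can be turned into a small stacked detection. The block below is an added example written for this page; it is not code from tria.ge or from the XWorm author. It assumes a Sysmon-like key=value event layout (EventID 1 process creation with Image and CommandLine, EventID 22 DNS query with QueryName), a constructed set of log lines, and an assumed list of IP-lookup hosts, since the report only says "a legitimate IP lookup service"; the function names parse_event, defender_exclusions, triage and xworm_like are this example's own.

```python
"""Stack three weak signals from the report into one detection (added example, not report code).

Telemetry layout assumed here: Sysmon-style key=value lines, EventID 1 = process creation
(Image, CommandLine), EventID 22 = DNS query (Image, QueryName). All sample lines below are
constructed for this example; nothing here is taken from the tria.ge run.
"""
import re
from collections import defaultdict

# Assumption: the report only says "a legitimate IP lookup service"; this is an
# illustrative set of such services, not something the sandbox recorded.
IP_LOOKUP_HOSTS = {"api.ipify.org", "icanhazip.com", "ip-api.com", "checkip.amazonaws.com"}
# The extracted config's pastebin_url points at pastebin.com, so a raw-paste fetch is the
# config-retrieval signal to pair with the IP lookup.
PASTE_HOSTS = {"pastebin.com"}

# Add-MpPreference appends exclusions; Set-MpPreference replaces the whole list. Both matter.
MPPREF_RE = re.compile(r"\b(?:Add|Set)-MpPreference\b(?P<args>.*)", re.IGNORECASE)
EXCLUSION_KIND_RE = re.compile(r"-Exclusion(Path|Process|Extension)\b", re.IGNORECASE)
# key=value pairs; a value may be wrapped in double quotes (PowerShell uses single quotes inside).
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample events (not from the report): one Defender-exclusion command, one benign
# PowerShell command, the dropped USB.exe resolving pastebin.com and an IP-lookup host, and a
# browser that also resolves pastebin.com so a single signal alone is visibly not enough.
SAMPLE_EVENTS = [
    r'EventID=1 Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
    r"""CommandLine="powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\victim\AppData\Roaming' -ExclusionProcess 'USB.exe' -ExclusionExtension '.exe'" User=victim""",
    r'EventID=1 Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
    r'CommandLine="powershell -Command Get-MpPreference" User=victim',
    r'EventID=22 Image="C:\Users\victim\AppData\Roaming\USB.exe" QueryName=pastebin.com User=victim',
    r'EventID=22 Image="C:\Users\victim\AppData\Roaming\USB.exe" QueryName=api.ipify.org User=victim',
    r'EventID=22 Image="C:\Program Files\Mozilla Firefox\firefox.exe" QueryName=pastebin.com User=victim',
]


def parse_event(line):
    """Parse one key=value line into a dict; quoted values keep their spaces."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def defender_exclusions(cmdline):
    """Return the exclusion kinds (extension/path/process) an Add-/Set-MpPreference call sets.

    An empty list means the command line does not touch Defender exclusions at all.
    """
    m = MPPREF_RE.search(cmdline or "")
    if not m:
        return []
    return sorted({kind.lower() for kind in EXCLUSION_KIND_RE.findall(m.group("args"))})


def triage(lines):
    """Run every check over the event lines; return {image_path: set_of_finding_tags}."""
    findings = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        image = ev.get("Image", "?")
        kinds = defender_exclusions(ev.get("CommandLine", ""))
        if kinds:
            findings[image].add("defender_exclusion:" + ",".join(kinds))
        host = ev.get("QueryName", "").lower()
        if host in IP_LOOKUP_HOSTS:
            findings[image].add("external_ip_lookup")
        if host in PASTE_HOSTS:
            findings[image].add("paste_site_contact")
    return dict(findings)


def xworm_like(findings):
    """Images that both pulled from a paste site and looked up their external IP.

    That pairing is the pastebin_url attribute plus the IP-lookup signature from the report;
    either alone is common in benign software, together they are worth an alert.
    """
    return sorted(image for image, tags in findings.items()
                  if {"external_ip_lookup", "paste_site_contact"} <= tags)


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for image, tags in result.items():
        print(image, sorted(tags))
    print("XWorm-like:", xworm_like(result))
```

Run it as a script to see the per-process findings: the PowerShell line is tagged with all three exclusion kinds, firefox.exe carries only the paste-site signal, and only USB.exe is returned by xworm_like. Against real Sysmon data the same logic applies after mapping the field names, and the exclusion check should also be fed from Defender's own operational log (exclusion changes are recorded there independently of PowerShell logging).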
