General
- Target: Iinpdftw.exe
- Size: 4.7MB
- Sample: 240615-fwm16atcrr
- MD5: a9cb0e951c7ede7c23b5ba350b4920fd
- SHA1: a16b2377a77e86b2a2cd27d58c44218e8aaa1a66
- SHA256: 0b75189b6f3d6e031159d20e351d60f6dd8956642e16d55083936096f73eb864
- SHA512: 300111595b2ea4fc3143b25faca8f97e27286221456c792f5ea80b3fe066baf5d1d2fcca122ebe17362ea3f26fdb06388356be122389229745972bb6d0b6fad4
- SSDEEP: 24576:VwtcEr/TQ/8YlE33S3++12pt/R31ggXSe1dFwUMWo8zrC9b84opK76iV7+rt9V23:rz
Static task: static1
Malware Config
Extracted
- xworm
- 5.0
- Mc35OpRlVfHYgK3s
- install_file: USB.exe
- pastebin_url: https://pastebin.com/raw/EiiXCJbn
Targets
- Target: Iinpdftw.exe
- Size: 4.7MB
- MD5: a9cb0e951c7ede7c23b5ba350b4920fd
- SHA1: a16b2377a77e86b2a2cd27d58c44218e8aaa1a66
- SHA256: 0b75189b6f3d6e031159d20e351d60f6dd8956642e16d55083936096f73eb864
- SHA512: 300111595b2ea4fc3143b25faca8f97e27286221456c792f5ea80b3fe066baf5d1d2fcca122ebe17362ea3f26fdb06388356be122389229745972bb6d0b6fad4
- SSDEEP: 24576:VwtcEr/TQ/8YlE33S3++12pt/R31ggXSe1dFwUMWo8zrC9b84opK76iV7+rt9V23:rz
Signatures
- Detect Xworm Payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
- Executes dropped EXE
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext