Resubmissions

  • 15/06/2024, 13:17  240615-qjcprswbjp  score 10/10
  • 15/06/2024, 13:11  240615-qe95gavhrr  score 10/10
  • 15/06/2024, 13:08  240615-qdjwws1hjh  score 10/10

General

  • Target

    Prism Release.rar

  • Size

    5.0MB

  • Sample

    240615-qe95gavhrr

  • MD5

    2457eb120e8fbef34c97cef775362cc9

  • SHA1

    547d2a58c06febe45ba1f0deabdf68b759f40029

  • SHA256

    1f4fbb86e1e513b8bed2fa7a011d094e9f4dbb213e7ae8c34693c6f5343442c3

  • SHA512

    e9e4ac28364ccb457000f9863ac3b8616b75bed9b52e815d90d6fceff6305c823df06548263555d81758af5f6fc5d3cfde2fed64e3c774075abf2801a181a4fb

  • SSDEEP

    98304:ehIWTfpVs6CcFSLDyaWHWbv93eBBTWWXBmxvWryhangOJnTo5Q9i:ehIWTh26Cc4LGQ7mrBGWSaLZTkQ9i

Malware Config

Extracted

Family

xworm

C2

91.92.241.69:5555

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    Windows Runtime.exe
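The extracted config above gives three concrete indicators (the C2 socket, the install directory and the install file name), and the General section gives file hashes. The block below is an added example, not tria.ge tooling and not code from the sample: it matches those indicators against Sysmon-style process, file, registry and network events. The event field names and the sample events are constructed for the example; the Run value name in the constructed registry event is made up, since the report does not state it.

```python
"""Match endpoint telemetry against the XWorm config extracted above.

Added example, not tria.ge's tooling or the sample's code. The indicators come
from the Malware Config and General sections of this report; the event records
are constructed here in a Sysmon-like shape (event_id 1/3/11/13 with fields
image, target_filename, dest_ip, dest_port, target_object, details, hashes).
That field naming is an assumption of the example, not a real schema.
"""
import ntpath
import re

# Indicators from the extracted config.
C2_IP, C2_PORT = "91.92.241.69", 5555
INSTALL_DIR = "%ProgramData%"
INSTALL_FILE = "Windows Runtime.exe"

# SHA256 of the archive and of the dropper inside it, from the report.
KNOWN_SHA256 = {
    "1f4fbb86e1e513b8bed2fa7a011d094e9f4dbb213e7ae8c34693c6f5343442c3",  # Prism Release.rar
    "b61ca7c42fef43547c7892c76a925ec4a846373bfcde20426c913a4390f71001",  # Prism Release V1.5.exe
}


def expand_programdata(path, programdata=r"C:\ProgramData"):
    """Expand %ProgramData% case-insensitively. Resolving it to C:\\ProgramData
    is the usual Windows value and an assumption of this example."""
    return re.sub(r"%programdata%", lambda _: programdata, path, flags=re.I)


def expected_install_path():
    """Where the implant says it will install itself, as a concrete path."""
    return expand_programdata(ntpath.join(INSTALL_DIR, INSTALL_FILE))


def sha256_from_hashes(field):
    """Pull the SHA256 out of a Sysmon-style 'MD5=..,SHA256=..' Hashes field."""
    for part in (field or "").split(","):
        name, _, value = part.partition("=")
        if name.strip().upper() == "SHA256":
            return value.strip().lower()
    return None


def match_events(events):
    """Return (rule_name, event) pairs for events that hit a config indicator."""
    install_path = expected_install_path().lower()
    hits = []
    for ev in events:
        eid = ev.get("event_id")
        image = (ev.get("image") or "").lower()
        if sha256_from_hashes(ev.get("hashes")) in KNOWN_SHA256:
            hits.append(("known_xworm_sample_hash", ev))
        if eid == 11 and (ev.get("target_filename") or "").lower() == install_path:
            hits.append(("xworm_install_file_dropped", ev))
        if eid == 1 and image == install_path:
            hits.append(("xworm_install_file_executed", ev))
        if (eid == 13 and "\\currentversion\\run\\" in (ev.get("target_object") or "").lower()
                and install_path in (ev.get("details") or "").lower()):
            hits.append(("xworm_run_key_persistence", ev))
        if eid == 3 and ev.get("dest_ip") == C2_IP and int(ev.get("dest_port", 0)) == C2_PORT:
            hits.append(("xworm_c2_connection", ev))
    return hits


# Constructed sample telemetry (not taken from the sandbox run): the dropper
# runs, writes the install file, which registers itself in Run and beacons.
# The Run value name "Windows Runtime" is invented for the example.
SAMPLE_EVENTS = [
    {"event_id": 1, "image": r"C:\Users\user\Desktop\Prism Release\Prism Release V1.5.exe",
     "hashes": "SHA256=B61CA7C42FEF43547C7892C76A925EC4A846373BFCDE20426C913A4390F71001"},
    {"event_id": 11, "image": r"C:\Users\user\Desktop\Prism Release\Prism Release V1.5.exe",
     "target_filename": r"C:\ProgramData\Windows Runtime.exe"},
    {"event_id": 1, "image": r"C:\ProgramData\Windows Runtime.exe"},
    {"event_id": 13, "image": r"C:\ProgramData\Windows Runtime.exe",
     "target_object": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\Windows Runtime",
     "details": r"C:\ProgramData\Windows Runtime.exe"},
    {"event_id": 3, "image": r"C:\ProgramData\Windows Runtime.exe",
     "dest_ip": "91.92.241.69", "dest_port": 5555},
    {"event_id": 3, "image": r"C:\Windows\System32\svchost.exe",  # benign control
     "dest_ip": "203.0.113.10", "dest_port": 443},
]

if __name__ == "__main__":
    for rule, ev in match_events(SAMPLE_EVENTS):
        print(rule, ev["image"])
```

The path comparison is exact on purpose: %ProgramData% is a fixed location, so a sandbox config value can be turned into a literal path, unlike a per-user %AppData% install where the user segment would need to be wildcarded.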

Targets

    • Target

      Prism Release/ByfronHook.dll

    • Size

      21KB

    • MD5

      4e3e92823caeac1203beaa5a35d6dafc

    • SHA1

      893b591d46c39e817052cd05ec969fea74da4233

    • SHA256

      3811858da4b1f5e7f40d1237d7189ddca3989fa0d7b07e87c538f92975b893d2

    • SHA512

      0490e800f1e5c9b38b6c9b56616290f3a7214179e6d993214e3dd742d44d1d669fe5073b5a121c588c05f3e7c0ec576798236ee94e1a9b37e1d980d1969c9d33

    • SSDEEP

      384:pPLl4JbDL8XQZW8LN/4pvuBUyHVz0Ad29DtSLKZR2CF/9+8ADu/TyZdEPLe:pPh4yQZW8LNuAUyJl29DtSLKZR2m9+8m

    Score
    1/10
    • Target

      Prism Release/Prism Release V1.5.exe

    • Size

      5.1MB

    • MD5

      ac80f970a7ae1c07663abdd11d752d34

    • SHA1

      5ee4c0de86dc91aebb47f3ea6b7e624e861fdfad

    • SHA256

      b61ca7c42fef43547c7892c76a925ec4a846373bfcde20426c913a4390f71001

    • SHA512

      7bd6150976477bec27532e7d7449e8a1ee6997b41359f3b31e2da8db0602f1ac0dfae171d8ebe00a0e18c2c77c7f9e4ed18352f7d8cf76c1cff855166ed6f94b

    • SSDEEP

      98304:crjAG8empOd+SyaREAaOeaD5lWsjvi+ffzwZZHUzItLqbn82rh:3ppcNJQkjvi+ffzwZZJiR1

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Command and Scripting Interpreter: PowerShell

      Uses the powershell.exe command.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
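The "modify Windows Defender settings" signature above records a behaviour the sandbox observed. A detection engineer usually wants the equivalent check over process command-line telemetry, where the PowerShell may arrive as -EncodedCommand and the parameter names may be abbreviated. The block below is an added example, not tria.ge's signature logic and not code from the sample: it decodes the encoded form, limits matching to statements that invoke Add-MpPreference or Set-MpPreference, and extracts the exclusion values. The command lines it runs on are constructed for the example.

```python
"""Flag PowerShell command lines that add Windows Defender exclusions.

Added example for the 'modify Windows Defender settings' signature above; it
is not tria.ge's signature logic and not code from the sample. The command
lines in SAMPLE_COMMAND_LINES are constructed here, not recovered from the run.
"""
import base64
import re

# powershell.exe accepts any prefix of -EncodedCommand (plus -ec); the value
# is base64 of UTF-16LE script text. '/' is accepted as the switch character.
_ENC_NAMES = sorted(["ec"] + ["encodedcommand"[:i] for i in range(1, 15)], key=len, reverse=True)
ENCODED_FLAG = re.compile(r"[-/](?:" + "|".join(_ENC_NAMES) + r")\s+([A-Za-z0-9+/=]+)", re.I)

CMDLET_RE = re.compile(r"\b(Add|Set)-MpPreference\b", re.I)

# PowerShell binds unique parameter prefixes, so -ExclusionPa / -ExclusionPr /
# -ExclusionE / -ExclusionI are the shortest spellings that still bind.
EXCLUSION_PARAM = re.compile(
    r"""[-/](?P<param>Exclusion(?:Pa\w*|Pr\w*|E\w*|I\w*))\s+"""
    r"""(?P<vals>(?:"[^"]*"|'[^']*'|(?!-)[^\s,;|]+)(?:\s*,\s*(?:"[^"]*"|'[^']*'|(?!-)[^\s,;|]+))*)""",
    re.I,
)
VALUE_RE = re.compile(r'"([^"]*)"|\'([^\']*)\'|([^\s,]+)')

_CANONICAL = {"pa": "ExclusionPath", "pr": "ExclusionProcess",
              "e": "ExclusionExtension", "i": "ExclusionIpAddress"}


def encode_powershell(script):
    """Encode script text the way -EncodedCommand expects (base64 of UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def script_text(command_line):
    """Return the script PowerShell will actually run: decode -enc if present."""
    m = ENCODED_FLAG.search(command_line)
    if not m:
        return command_line
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return command_line


def canonical_param(name):
    """Map an abbreviated -Exclusion* parameter to its full name."""
    rest = name[len("exclusion"):].lower()
    key = rest[:2] if rest[:1] == "p" else rest[:1]
    return _CANONICAL[key]


def find_defender_exclusions(command_line):
    """Return [(cmdlet, parameter, [values])] for each exclusion the command adds.

    Parameters only count inside a statement that invokes Add-MpPreference or
    Set-MpPreference, so 'Get-MpPreference | Select ExclusionPath' is ignored.
    Statement splitting on ; | and newlines ignores quoting: adequate for
    triage, not a PowerShell parser.
    """
    findings = []
    for stmt in re.split(r"[;\n|]+", script_text(command_line)):
        cm = CMDLET_RE.search(stmt)
        if not cm:
            continue
        cmdlet = cm.group(1).title() + "-MpPreference"
        for pm in EXCLUSION_PARAM.finditer(stmt):
            values = [next(g for g in vm.groups() if g is not None)
                      for vm in VALUE_RE.finditer(pm.group("vals"))]
            findings.append((cmdlet, canonical_param(pm.group("param")), values))
    return findings


# Constructed command lines: plain, encoded, and a benign read-only query.
SAMPLE_COMMAND_LINES = [
    r"powershell.exe -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\ProgramData', 'C:\Users\Public' "
    r"-ExclusionExtension exe -ExclusionProcess 'Windows Runtime.exe'",
    "powershell.exe -w hidden -enc " + encode_powershell(r"Set-MpPreference -ExclusionPath C:\ProgramData"),
    "powershell.exe -Command Get-MpPreference | Select-Object ExclusionPath",
]

if __name__ == "__main__":
    for cmd in SAMPLE_COMMAND_LINES:
        print(find_defender_exclusions(cmd))
```

Because this is string matching on the command line, it misses exclusions set through WMI, the registry, or a script file loaded from disk; it is a complement to the sandbox's behavioural signature, not a replacement for it.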

    • Target

      Prism Release/assets.dll

    • Size

      171KB

    • MD5

      bcc0b07de0a24f9701fc97d154ecd660

    • SHA1

      cb5ba3b790cee940b4d18ff78e5a6cd71bdad47d

    • SHA256

      672cb16128dea50e21fd2d98889e2d6a2264b654304a3f4248ebdf4c546f734a

    • SHA512

      18959767986401bc877d30416e550c55e97c158f674b8f76dc9af117494e65e11d6000521f72be93c193ebd38f84d1b9578386c24911fda97507277f06ebd8e4

    • SSDEEP

      3072:rN505WN505WN505WN505WN505WN505WN505WN505WN505m:rNJNJNJNJNJNJNJNJNB

    Score
    1/10
    • Target

      Prism Release/bin/autoattach.dll

    • Size

      171KB

    • MD5

      bcc0b07de0a24f9701fc97d154ecd660

    • SHA1

      cb5ba3b790cee940b4d18ff78e5a6cd71bdad47d

    • SHA256

      672cb16128dea50e21fd2d98889e2d6a2264b654304a3f4248ebdf4c546f734a

    • SHA512

      18959767986401bc877d30416e550c55e97c158f674b8f76dc9af117494e65e11d6000521f72be93c193ebd38f84d1b9578386c24911fda97507277f06ebd8e4

    • SSDEEP

      3072:rN505WN505WN505WN505WN505WN505WN505WN505WN505m:rNJNJNJNJNJNJNJNJNB

    Score
    1/10