General
- Target: Prism Release.rar
- Size: 5.0MB
- Sample: 240615-qjcprswbjp
- MD5: 2457eb120e8fbef34c97cef775362cc9
- SHA1: 547d2a58c06febe45ba1f0deabdf68b759f40029
- SHA256: 1f4fbb86e1e513b8bed2fa7a011d094e9f4dbb213e7ae8c34693c6f5343442c3
- SHA512: e9e4ac28364ccb457000f9863ac3b8616b75bed9b52e815d90d6fceff6305c823df06548263555d81758af5f6fc5d3cfde2fed64e3c774075abf2801a181a4fb
- SSDEEP: 98304:ehIWTfpVs6CcFSLDyaWHWbv93eBBTWWXBmxvWryhangOJnTo5Q9i:ehIWTh26Cc4LGQ7mrBGWSaLZTkQ9i
Static task
- static1
Behavioral task
- behavioral1
  - Sample: Prism Release/Prism Release V1.5.exe
  - Resource: win10v2004-20240508-en
Behavioral task
- behavioral2
  - Sample: Prism Release/Prism Release V1.5.exe
  - Resource: win11-20240419-en
Malware Config
Extracted: xworm
- C2: 91.92.241.69:5555
- Install_directory: %ProgramData%
- install_file: Windows Runtime.exe
Targets
- Target: Prism Release/Prism Release V1.5.exe
- Size: 5.1MB
- MD5: ac80f970a7ae1c07663abdd11d752d34
- SHA1: 5ee4c0de86dc91aebb47f3ea6b7e624e861fdfad
- SHA256: b61ca7c42fef43547c7892c76a925ec4a846373bfcde20426c913a4390f71001
- SHA512: 7bd6150976477bec27532e7d7449e8a1ee6997b41359f3b31e2da8db0602f1ac0dfae171d8ebe00a0e18c2c77c7f9e4ed18352f7d8cf76c1cff855166ed6f94b
- SSDEEP: 98304:crjAG8empOd+SyaREAaOeaD5lWsjvi+ffzwZZHUzItLqbn82rh:3ppcNJQkjvi+ffzwZZJiR1
Score: 10/10
- Detect Xworm Payload
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely for geofencing.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
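The extracted configuration (C2 91.92.241.69:5555, install file "Windows Runtime.exe" under %ProgramData%) and the behavioural signatures above (Defender exclusions added from PowerShell, a dropped startup file, a Run key, execution of the dropped EXE) translate directly into host-telemetry hunting rules. The script below is an added example and is not part of the tria.ge report or the sandbox's own detection logic. It runs those rules over constructed, Sysmon-style events; the flat field names, the event_id mapping, the user name and SID, the expansion of %ProgramData% to C:\ProgramData, and the unrelated port-443 connection are all assumptions. The country-code registry check and the external-IP web lookup are deliberately left out, because the report names neither the registry value nor the lookup service.

```python
"""Hunt for the XWorm indicators in this report over host telemetry.

Added example, not from the tria.ge report. The events below are
constructed, Sysmon-style records using an assumed flat schema
(event_id 1 = process create, 3 = network connect, 11 = file create,
13 = registry value set).
"""
import re
from typing import Dict, List, Tuple

# Indicators taken from the report's extracted XWorm configuration.
C2_ADDRESS = ("91.92.241.69", 5555)
INSTALL_FILE = r"%ProgramData%\Windows Runtime.exe"

# Assumption: %ProgramData% resolves to C:\ProgramData on the host.
INSTALL_PATH = INSTALL_FILE.replace("%ProgramData%", r"C:\ProgramData").lower()

RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
# Add-MpPreference / Set-MpPreference with any -Exclusion* switch, covering the
# "exclusions for file extensions, paths, and processes" signature.
DEFENDER_EXCL_RE = re.compile(
    r"\b(Add|Set)-MpPreference\b.*?-Exclusion(Path|Extension|Process)\b", re.I
)


def check_event(ev: Dict) -> List[str]:
    """Return the names of every hunting rule that fires on one event."""
    hits: List[str] = []
    eid = ev.get("event_id")
    if eid == 1:
        if DEFENDER_EXCL_RE.search(ev.get("command_line", "")):
            hits.append("defender_exclusion_via_powershell")
        if ev.get("image", "").lower() == INSTALL_PATH:
            hits.append("executes_dropped_install_file")
    elif eid == 3:
        if (ev.get("dest_ip"), ev.get("dest_port")) == C2_ADDRESS:
            hits.append("xworm_c2_connection")
    elif eid == 11:
        target = ev.get("target_filename", "")
        if target.lower() == INSTALL_PATH:
            hits.append("drops_install_file")
        if STARTUP_DIR_RE.search(target):
            hits.append("drops_startup_file")
    elif eid == 13:
        if RUN_KEY_RE.search(ev.get("target_object", "")):
            hits.append("run_key_persistence")
            if INSTALL_PATH in ev.get("details", "").lower():
                hits.append("run_key_points_to_install_file")
    return hits


def hunt(events: List[Dict]) -> List[Tuple[int, str]]:
    """(event index, rule name) for every rule hit, in event order."""
    return [(i, rule) for i, ev in enumerate(events) for rule in check_event(ev)]


def verdict(events: List[Dict]) -> str:
    """A connection to the extracted C2 is decisive on its own; otherwise
    require three distinct behaviours before calling the host malicious."""
    rules = {rule for _, rule in hunt(events)}
    if "xworm_c2_connection" in rules or len(rules) >= 3:
        return "malicious"
    return "suspicious" if rules else "clean"


# Constructed telemetry mirroring the behaviours in the report; the user
# name, SID and the unrelated 443 connection (TEST-NET address) are invented.
SAMPLE_EVENTS = [
    {"event_id": 1,
     "image": r"C:\Users\user\Desktop\Prism Release\Prism Release V1.5.exe",
     "command_line": r'"C:\Users\user\Desktop\Prism Release\Prism Release V1.5.exe"'},
    {"event_id": 1,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData" -ExclusionProcess "Windows Runtime.exe"'},
    {"event_id": 11, "target_filename": r"C:\ProgramData\Windows Runtime.exe"},
    {"event_id": 13,
     "target_object": r"HKU\S-1-5-21-1000-2000-3000-1001\Software\Microsoft\Windows\CurrentVersion\Run\Windows Runtime",
     "details": r"C:\ProgramData\Windows Runtime.exe"},
    {"event_id": 11,
     "target_filename": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Runtime.lnk"},
    {"event_id": 1, "image": r"C:\ProgramData\Windows Runtime.exe",
     "command_line": r'"C:\ProgramData\Windows Runtime.exe"'},
    {"event_id": 3, "dest_ip": "91.92.241.69", "dest_port": 5555},
    {"event_id": 3, "dest_ip": "203.0.113.10", "dest_port": 443},
]

if __name__ == "__main__":
    for idx, rule in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
    print("verdict:", verdict(SAMPLE_EVENTS))
```

The install-path and Run-key rules are tied to this sample's configuration and will miss an XWorm build that uses a different install directory or file name; the Defender-exclusion and startup-folder rules are generic and worth keeping regardless of which build is in play.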