General

  • Target

    XClient.vbs

  • Size

    51KB

  • Sample

    240625-wp25haxcrp

  • MD5

    b2d3d950c164eac3905adf7449bbc102

  • SHA1

    bfa01bfaa12aefce0bc8f7468ce788d78623c56d

  • SHA256

    79ba69baace5e2b30cdc18e8ab462692e3337640f52f532743ffb2a52c281694

  • SHA512

    6032364e7b7e107f0813eee20304ec31e65747b10174fba9d703d20c010c8785df515a0789f8e813484ae7d09e972100b2dd08df46dcb0844e9911feddadab74

  • SSDEEP

    1536:daxTfSWi9SkelLyAPh0voJKfI2rygScsddWZrv+Va:0xTfk9reVUvWII2oJdWZT+Va

Malware Config

Extracted

Family

xworm

Version

5.0

C2

modern-educators.gl.at.ply.gg:23695

Mutex

sbhJrC2cDjOcP2gL

Attributes
  • Install_directory

    %Userprofile%

  • install_file

    USB.exe

  • aes.plain

Targets

    • Target

      XClient.vbs

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Sets desktop wallpaper using registry
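The extracted config (C2 host:port, install directory and file name, sample hashes) and the behaviour signatures above (dropped EXE, Run key, C2 traffic) translate directly into hunting logic. The script below is an added example, not part of the tria.ge report or of any XWorm tooling: it takes the indicator values from this page and matches them against Sysmon-style events (IDs 1, 3, 11, 13, 15, 22). The event records and their field names are constructed here to mimic Sysmon and are an assumption about the telemetry you collect; the Run key value name `USB` and the user name `bob` are likewise made up.

```python
import re

# Indicators taken from the extracted config and hashes in the report above.
C2_HOST = "modern-educators.gl.at.ply.gg"
C2_PORT = 23695
MUTEX = "sbhJrC2cDjOcP2gL"      # only observable on a live host, not in Sysmon events
INSTALL_FILE = "USB.exe"        # install_file; install_directory is %Userprofile%
KNOWN_HASHES = {                # MD5 / SHA1 / SHA256 of XClient.vbs, lower-case
    "b2d3d950c164eac3905adf7449bbc102",
    "bfa01bfaa12aefce0bc8f7468ce788d78623c56d",
    "79ba69baace5e2b30cdc18e8ab462692e3337640f52f532743ffb2a52c281694",
}

RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
# Captures whatever follows "<drive>:\Users\<name>\" so we can tell a file
# directly in the profile root from one in a sub-directory.
PROFILE_RE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\(.+)$")


def is_install_path(path):
    """True when `path` is INSTALL_FILE directly in a user profile directory,
    i.e. what %Userprofile%\\USB.exe expands to on a real host."""
    p = path.strip().strip('"')
    m = PROFILE_RE.match(p)
    if not m:
        return False
    rest = m.group(1)
    return "\\" not in rest and rest.lower() == INSTALL_FILE.lower()


def hash_is_known(digest):
    """Case-insensitive lookup of an MD5/SHA1/SHA256 hex digest against the report."""
    return digest.strip().lower() in KNOWN_HASHES


def match_event(ev):
    """Return the names of the indicators a single Sysmon-style event matches."""
    hits = []
    eid = ev.get("EventID")
    if eid == 3 and ev.get("DestinationHostname", "").lower() == C2_HOST \
            and int(ev.get("DestinationPort", 0)) == C2_PORT:
        hits.append("c2_connection")
    if eid == 22 and ev.get("QueryName", "").lower() == C2_HOST:
        hits.append("c2_dns_query")
    if eid == 13 and RUN_KEY_RE.search(ev.get("TargetObject", "")) \
            and is_install_path(ev.get("Details", "")):
        hits.append("run_key_to_profile_usb_exe")
    if eid == 11 and is_install_path(ev.get("TargetFilename", "")):
        hits.append("usb_exe_dropped_in_profile")
    if eid == 1 and is_install_path(ev.get("Image", "")):
        hits.append("usb_exe_executed_from_profile")
    # Any event carrying a Hashes map (Sysmon 1/15, or EDR file telemetry)
    # is checked against the report's hashes of XClient.vbs.
    for h in ev.get("Hashes", {}).values():
        if hash_is_known(h):
            hits.append("known_sample_hash")
            break
    return hits


def scan(events):
    """Map event index -> matched indicator names, omitting events with no hits."""
    return {i: hits for i, ev in enumerate(events) if (hits := match_event(ev))}


# Constructed events imitating the chain in the report; not sandbox output.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe "C:\Users\bob\Downloads\XClient.vbs"'},
    {"EventID": 11, "TargetFilename": r"C:\Users\bob\USB.exe"},
    {"EventID": 13, "Details": r'"C:\Users\bob\USB.exe"',
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\USB"},
    {"EventID": 1, "Image": r"C:\Users\bob\USB.exe"},
    {"EventID": 22, "QueryName": "modern-educators.gl.at.ply.gg"},
    {"EventID": 3, "DestinationHostname": "modern-educators.gl.at.ply.gg",
     "DestinationPort": 23695},
    # External-IP lookup: legitimate service, deliberately not treated as an IOC.
    {"EventID": 3, "DestinationHostname": "ip-lookup.example", "DestinationPort": 443},
    {"EventID": 15, "TargetFilename": r"C:\Users\bob\Downloads\XClient.vbs",
     "Hashes": {"SHA256": "79BA69BAACE5E2B30CDC18E8AB462692E3337640F52F532743FFB2A52C281694"}},
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["EventID"], hits)
```

Two design points: the C2 match requires host and port together, because `*.gl.at.ply.gg` names are playit.gg tunnel endpoints shared by many unrelated users, so the domain alone is a weak indicator; and the external-IP lookup is left unmatched on purpose, since that signature describes use of a legitimate service and will fire on plenty of benign software. The mutex is kept as a constant for live-host triage (for instance via `[System.Threading.Mutex]::OpenExisting` in PowerShell) because it never appears in Sysmon telemetry.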

MITRE ATT&CK Enterprise v15

Tasks