General

  • Target

    svchost.bat

  • Size

    287KB

  • Sample

    240704-tl758s1dna

  • MD5

    9be1452fccb6a9ca2b3e28b89d0c879e

  • SHA1

    8fe95b338be85b1ceac233a51abf3c59890741a7

  • SHA256

    fa57646f828af97268c76a06db56ef3c7dbc6c87d8b3a49579783b346c1ef6b6

  • SHA512

    f2376350ff5e8b5c405c3e48370a22d140249c77a3c5b69f88e55c87f5f643f501a95f1dcf3e361619562ca4fdefa403caed95cb26bb6250c4a62a270803474f

  • SSDEEP

    6144:eIAZ2ZdcY5dv7vuw8UD2CmmrVKsQ7p/0FD+Q7b7QatJqYS:eIAZWcGv7N8UDa+VK790FqQTQc3S

Malware Config

Extracted

Family

xworm

C2

session-chief.gl.at.ply.gg:36125

Attributes

  • Install_directory

    %LocalAppData%

  • install_file

    svchost.exe

Targets

    • Target

      svchost.bat

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its display window hidden.

    • Drops startup file

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15
