General

  • Target

    MetaScalpSetup.exe

  • Size

    129.8MB

  • Sample

    240709-fqykpsxdnm

  • MD5

    385b5b76e12c76c169bf7e3f6fa2c317

  • SHA1

    ea281a577b99a5f29d290aca30f4ca67945d7fcc

  • SHA256

    f6eb39b9b49c6ad5904d067c4845dfdd96cdccd4b979fad40af44cdc26992546

  • SHA512

    9c99ca240732a95d4f1d373731179318d839b15286b41945eb465bc6b1c64f502c488811fff91b71137b59a64bcb503a87be93085a7f0509fe95bd77fcaf719c

  • SSDEEP

    3145728:fOdRmy1fMkZCiZQr8iTps95xUJO5wUti1BEn6b8CQQ:2dQECiZQr8Ss94Mxi1gz7

Malware Config

Targets

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring, block at first sight, etc.

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX or a modified version of the UPX open-source packer.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks