General

  • Target

    noratnik.exe

  • Size

    208KB

  • Sample

    240709-kmcahsvfnp

  • MD5

    7923c75699529f65b63ba064c9f512f6

  • SHA1

    f61cece0e51c1119a30e0f05a99dd6e141853388

  • SHA256

    22f802dad03ce14bec556b441955def133bf22dd04e42e247390c418f1c7be4a

  • SHA512

    21a28a417f3d6c43f86cc4d2251eb8712685b6654b27475541f84ea9e8851fa3b3eb48449fa4df6a757753bbfe3d97970b831b1975b01c7104d33bbd70b8e21c

  • SSDEEP

    3072:BmAwnYqFn98ZOua8SKfbzxcwg7es6/Vsb8VKTup49oJMfF/H9N3Ky9NzLn3:BmxnYsn9nUhcX7elbKTuq9bfF/H9d9n

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

GOBm8p0NnvNTIR9x

Attributes

  • Install_directory

    %Userprofile%

  • install_file

    system.exe

  • pastebin_url

    https://pastebin.com/raw/H3wFXmEi

aes.plain

Targets

    • Target

      noratnik.exe


    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Drops startup file

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks