General

  • Target

    d083bef3ab3d00e401c7c14d5c381b34a8d54e81cdb1a7558e3f251330421000

  • Size

    761KB

  • Sample

    240712-2b89jsshnl

  • MD5

    1b767b2a4f8596b12e1e2306cb3b9939

  • SHA1

    007190828b70f2a72311e603bbb94bcb2e41b1c0

  • SHA256

    d083bef3ab3d00e401c7c14d5c381b34a8d54e81cdb1a7558e3f251330421000

  • SHA512

    cf3bbbfe500fc752eb0d777f44d90d1d245bb5394ada49a26a0ac31d62d331324a2c49f1e14072ec446d5a1acb44e9426868af2898cdfe65effe9092bf1fa6d7

  • SSDEEP

    12288:MSJBQ/xsjApTtnb0TbQxMM90CL7VmADH2eJGCOTJfVXwAfIXZqPtbxZWdezgrrN:MABQ/mjuTt4TbQRjDH2eJQTNqcWOVZK1

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:13576

edition-eat.gl.at.ply.gg:13576

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

Targets

    • Detect Xworm Payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext
