General

  • Target

    XwsadwasClient.exe

  • Size

    41KB

  • Sample

    240713-zaxs1swdlj

  • MD5

    e575f0b2f9ae9fad0708194974763a75

  • SHA1

    2667a29bfbabbf294cf174a974a5697c2169eb97

  • SHA256

    4922578003441503e4c9aa0be3473df1bc15edd756d55413313597da47192226

  • SHA512

    296cf49462fc03391cc0c223e766f3945cc2496a1c342ae8dff4437a527a2169a91dbd0c746bcbe4308f6c742e940135ff9c7b10b90f9d99072ab1d2b7b512d9

  • SSDEEP

    768:3tAMOC0RGU2L7CAr43MxfJF5Pa9p+Ng6iOwhr3/ib7:3/l0RGNvRrNRF49I66iOwdaH

Malware Config

Extracted

Family

xworm

Version

5.0

C2

147.185.221.19:33365

147.185.221.19:2137:33365

Mutex

tccRidU0e2eHax6f

Attributes

  • Install_directory

    %AppData%

  • install_file

    Wiindows Update.exe

aes.plain

Targets

    • Target

      XwsadwasClient.exe

    • Size

      41KB

    • MD5

      e575f0b2f9ae9fad0708194974763a75

    • SHA1

      2667a29bfbabbf294cf174a974a5697c2169eb97

    • SHA256

      4922578003441503e4c9aa0be3473df1bc15edd756d55413313597da47192226

    • SHA512

      296cf49462fc03391cc0c223e766f3945cc2496a1c342ae8dff4437a527a2169a91dbd0c746bcbe4308f6c742e940135ff9c7b10b90f9d99072ab1d2b7b512d9

    • SSDEEP

      768:3tAMOC0RGU2L7CAr43MxfJF5Pa9p+Ng6iOwhr3/ib7:3/l0RGNvRrNRF49I66iOwdaH

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
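The behaviours listed above translate directly into hunting rules. The script below is an added example, not part of the tria.ge report or of XWorm itself: it replays a handful of constructed Sysmon-style events through rules for the Defender-exclusion PowerShell, the Run-key persistence into %AppData%, the dropped "Wiindows Update.exe", the country-code registry check, the external-IP lookup and the C2 connection, using the report's extracted config as IOCs. The event field names, the list of IP-lookup hosts and the registry key used for the location check are assumptions, not facts taken from the report.

```python
"""Added example, not part of the tria.ge report: replay constructed
Sysmon-style events through hunting rules for the behaviours the report
lists, using the extracted config (C2 endpoint, install file) as IOCs.
Assumed: the event field names, the IP-lookup host list and the registry
key read by the country-code check."""
import re
from typing import Dict, List, Optional, Tuple

# IOCs taken from the report's extracted config.
C2_ENDPOINTS = {("147.185.221.19", 33365)}
INSTALL_FILE = "wiindows update.exe"        # dropped under %AppData%; note the doubled "i"
INSTALL_DIR_HINTS = ("%appdata%", "\\appdata\\roaming\\")

# Assumption (not from the report): hosts commonly queried to learn the external IP.
IP_LOOKUP_HOSTS = {"api.ipify.org", "ip-api.com", "icanhazip.com", "checkip.amazonaws.com"}

# PowerShell cmdlet that adds Defender exclusions (T1562.001, launched via T1059.001).
DEFENDER_EXCLUSION = re.compile(r"add-mppreference\s+-exclusion(path|extension|process)\b", re.I)
RUN_KEY = re.compile(r"\\currentversion\\run\\", re.I)
# Assumption: the country-code lookup reads the per-user Geo key (the report does not name it).
GEO_KEY = re.compile(r"\\control panel\\international\\geo", re.I)

Event = Dict[str, str]
Finding = Tuple[int, str, Optional[str]]    # (event index, rule name, ATT&CK technique or None)


def hunt(events: List[Event]) -> List[Finding]:
    """Return one finding per (event, rule) match, in event order."""
    findings: List[Finding] = []
    for i, ev in enumerate(events):
        kind = ev.get("type")
        if kind == "process":
            image = ev.get("image", "").lower()
            # Only flag the cmdlet when PowerShell itself is the image, as the report describes.
            if image.endswith("powershell.exe") and DEFENDER_EXCLUSION.search(ev.get("cmdline", "")):
                findings.append((i, "defender_exclusion_via_powershell", "T1562.001"))
            if image.endswith(INSTALL_FILE):
                findings.append((i, "executes_dropped_exe", None))
        elif kind == "registry":
            key = ev.get("key", "")
            data = ev.get("data", "").lower()
            # Run key whose data points into the install directory from the config.
            if RUN_KEY.search(key) and any(h in data for h in INSTALL_DIR_HINTS):
                findings.append((i, "run_key_persistence", "T1547.001"))
            if GEO_KEY.search(key):
                findings.append((i, "checks_computer_location", "T1614"))
        elif kind == "file":
            if ev.get("path", "").lower().endswith(INSTALL_FILE):
                findings.append((i, "drops_install_file", None))
        elif kind == "network":
            if (ev.get("dst"), int(ev.get("port", "0"))) in C2_ENDPOINTS:
                findings.append((i, "c2_connection", "T1571"))
            if ev.get("host", "").lower() in IP_LOOKUP_HOSTS:
                findings.append((i, "external_ip_lookup", "T1016"))
    return findings


# Constructed events modelled on what the sandbox report describes (not real telemetry).
SAMPLE_EVENTS: List[Event] = [
    {"type": "file", "path": r"C:\Users\victim\AppData\Roaming\Wiindows Update.exe"},
    {"type": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Wiindows Update",
     "data": r"C:\Users\victim\AppData\Roaming\Wiindows Update.exe"},
    {"type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -Command Add-MpPreference -ExclusionPath "C:\\Users\\victim\\AppData\\Roaming"'},
    {"type": "process", "image": r"C:\Users\victim\AppData\Roaming\Wiindows Update.exe", "cmdline": ""},
    {"type": "registry", "key": r"HKCU\Control Panel\International\Geo", "data": ""},
    {"type": "network", "host": "api.ipify.org", "dst": "203.0.113.10", "port": "443"},
    {"type": "network", "host": "", "dst": "147.185.221.19", "port": "33365"},
    {"type": "process", "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},  # benign
]

if __name__ == "__main__":
    for idx, rule, technique in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {rule} ({technique or 'no technique mapped'})")
```

The Run-key rule deliberately requires both the key path and an install-directory hint in the data, so a legitimate Run entry pointing at Program Files does not fire; the Defender rule keys on the cmdlet name rather than on the excluded path, since the excluded path is whatever directory the sample installs into.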

MITRE ATT&CK Enterprise v15

Tasks