Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    XWorm V5.2.exe

  • Size

    215KB

  • Sample

    240715-vvrehs1cqq

  • MD5

    13e350200a0694496a28d3726f8fe2aa

  • SHA1

    5a6353127160e4e183f67c2469ce704de02b6d4c

  • SHA256

    3cb75e7dce4867e8e5ef45902b75d981c145055b4e9b06936a44dca96fcb19c5

  • SHA512

    02a29f002c705f64b4c999f4934a21d3c7e1bd9cc123ec10366b460b1371b7db5b730fc1e795519e070128ef3c749e7eb53a4d20f48b1d917b4918a083abcbcb

  • SSDEEP

    3072:pHyYuG0wbHN2b1GSTOQEYhYiA2ewhLapuvpAsZOyMqmyBeYVYG:dFuGPbHN2bAS2PC/GWGwqqm1

Malware Config

Extracted

Family

xworm

C2

edition-ages.gl.at.ply.gg:14076

Attributes
  • Install_directory

    %AppData%

  • install_file

    svchost.exe

Targets

    • Target

      XWorm V5.2.exe

    • Size

      215KB

    • MD5

      13e350200a0694496a28d3726f8fe2aa

    • SHA1

      5a6353127160e4e183f67c2469ce704de02b6d4c

    • SHA256

      3cb75e7dce4867e8e5ef45902b75d981c145055b4e9b06936a44dca96fcb19c5

    • SHA512

      02a29f002c705f64b4c999f4934a21d3c7e1bd9cc123ec10366b460b1371b7db5b730fc1e795519e070128ef3c749e7eb53a4d20f48b1d917b4918a083abcbcb

    • SSDEEP

      3072:pHyYuG0wbHN2b1GSTOQEYhYiA2ewhLapuvpAsZOyMqmyBeYVYG:dFuGPbHN2bAS2PC/GWGwqqm1

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks