General
Target: XWorm V5.2.exe
Size: 215KB
Sample: 240715-vvrehs1cqq
MD5: 13e350200a0694496a28d3726f8fe2aa
SHA1: 5a6353127160e4e183f67c2469ce704de02b6d4c
SHA256: 3cb75e7dce4867e8e5ef45902b75d981c145055b4e9b06936a44dca96fcb19c5
SHA512: 02a29f002c705f64b4c999f4934a21d3c7e1bd9cc123ec10366b460b1371b7db5b730fc1e795519e070128ef3c749e7eb53a4d20f48b1d917b4918a083abcbcb
SSDEEP: 3072:pHyYuG0wbHN2b1GSTOQEYhYiA2ewhLapuvpAsZOyMqmyBeYVYG:dFuGPbHN2bAS2PC/GWGwqqm1
Behavioral task: behavioral1
Sample: XWorm V5.2.exe
Resource: win7-20240705-en

Behavioral task: behavioral2
Sample: XWorm V5.2.exe
Resource: win10v2004-20240709-en
Malware Config
Extracted family: xworm
C2: edition-ages.gl.at.ply.gg:14076
Install_directory: %AppData%
install_file: svchost.exe
Targets
Target: XWorm V5.2.exe
Size: 215KB
(MD5, SHA1, SHA256, SHA512 and SSDEEP are identical to the values listed under General.)
Score: 10/10

Signatures
- Detect Xworm Payload
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
MITRE ATT&CK Enterprise v15

Execution
- Command and Scripting Interpreter: PowerShell (1)
- Scheduled Task/Job: Scheduled Task (1)

Persistence
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job: Scheduled Task (1)