Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    dwdadwawa.exe

  • Size

    63KB

  • Sample

    240724-gttlla1frm

  • MD5

    7bb9d6edfd29f0b72b7c628b9fab2a3e

  • SHA1

    f603ce6c91c1314c4af009792cfa725ce953e906

  • SHA256

    d35f477971442252b444638b427427ad2bca84f4991b1e1f6285cc00152b7701

  • SHA512

    38403a5e83716f3a98ff48653535a3599faa221c9dbfe9cf858b776975d4a8e73632e212e128fb6c6f73eb99f31a1f4e83696705df2fac72e2bbb179f701725d

  • SSDEEP

    1536:ZYWnc4BSrIN5GMAFg6iu80+wcGr6bg9+UEPPArfh96GBo4AOnr5z:Z4aZAFg6FC5E6bg9+ZI/oOnr5z

Malware Config

Extracted

Family

xworm

C2

main-although.gl.at.ply.gg:30970

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

Targets

    • Target

      dwdadwawa.exe

    • Size

      63KB

    • MD5

      7bb9d6edfd29f0b72b7c628b9fab2a3e

    • SHA1

      f603ce6c91c1314c4af009792cfa725ce953e906

    • SHA256

      d35f477971442252b444638b427427ad2bca84f4991b1e1f6285cc00152b7701

    • SHA512

      38403a5e83716f3a98ff48653535a3599faa221c9dbfe9cf858b776975d4a8e73632e212e128fb6c6f73eb99f31a1f4e83696705df2fac72e2bbb179f701725d

    • SSDEEP

      1536:ZYWnc4BSrIN5GMAFg6iu80+wcGr6bg9+UEPPArfh96GBo4AOnr5z:Z4aZAFg6FC5E6bg9+ZI/oOnr5z

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Detect Xworm Payload

    • UAC bypass

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Disables RegEdit via registry modification

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks