Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    e336a33c2c6ef1b71897e04f59c5ea00N.exe

  • Size

    91KB

  • Sample

    240725-vdjckswbkc

  • MD5

    e336a33c2c6ef1b71897e04f59c5ea00

  • SHA1

    83de5a95ef7d08493685cd85cf0da0d795ff9dee

  • SHA256

    c957f49c83a072dab5123678effaaad3f542f44de1623e9279b6bcad494ff473

  • SHA512

    81a29f5996077906c2555c0f65b3e5e7e21d3814743142b3705a47f61c3d33559d4a5a17a1e76bf4b9eb06581385f3cefcac802c606f800c090973f457754f91

  • SSDEEP

    1536:uCTvRj/WzQK/d13ZMWHW5xAv9bsRE0hFKVAQnq6iQluyOr5B3l729Ldls:zdaZ/d3M+YQbsOZAyOv3li9Ps

Malware Config

Extracted

Family

xworm

C2

wednesday-secured.gl.at.ply.gg:44769

Attributes
  • Install_directory

    %AppData%

  • install_file

    svchost.exe

  • telegram

    https://api.telegram.org/bot6338125361:AAFHgK-I9epBYaZIY8qosT_ZBDd6uU7zgHc/sendMessage?chat_id=1242905715

Targets

    • Target

      e336a33c2c6ef1b71897e04f59c5ea00N.exe

    • Size

      91KB

    • MD5

      e336a33c2c6ef1b71897e04f59c5ea00

    • SHA1

      83de5a95ef7d08493685cd85cf0da0d795ff9dee

    • SHA256

      c957f49c83a072dab5123678effaaad3f542f44de1623e9279b6bcad494ff473

    • SHA512

      81a29f5996077906c2555c0f65b3e5e7e21d3814743142b3705a47f61c3d33559d4a5a17a1e76bf4b9eb06581385f3cefcac802c606f800c090973f457754f91

    • SSDEEP

      1536:uCTvRj/WzQK/d13ZMWHW5xAv9bsRE0hFKVAQnq6iQluyOr5B3l729Ldls:zdaZ/d3M+YQbsOZAyOv3li9Ps

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks