General

  • Target

    Setup.exe

  • Size

    296KB

  • Sample

    240727-zxcrcsyfrn

  • MD5

    4fbc8b878d44721f4f838334ac218ca3

  • SHA1

    ab1bbbc858c32c512f3670db42da607ff8f5d797

  • SHA256

    9bed2d09b228519b7b0d423d96e05d45193b88f9669b3d7373ce92b8466ce072

  • SHA512

    804ece432385d03e546d247afa9f60722458262461e669792f24bf23704779b241c2562792aeec0cf7d450d61a967515e712704f33ede2814004d97cc3adde89

  • SSDEEP

    3072:B9UoZkSvCRLTcda4bl7gWz3vW/XhQMg2t6tqnJr:Be8kCCRLTcs4blxvWvhDGq

Malware Config

Extracted

Family

xworm

C2

Valdemar-62425.portmap.host:62425

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    WinSysUpdater32.exe

Targets

    • Target

      Setup.exe

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes so the dropped payload is not scanned.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Looks up external IP address via web service

      Queries a legitimate IP lookup service to determine the infected system's external IP address.
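The behaviours flagged above (Defender exclusions added via PowerShell, a Run key pointing at the install file under %ProgramData%, execution of that dropped EXE, and resolution of the portmap.host C2) can be hunted for in host telemetry. The script below is an added example, not part of the Triage report and not XWorm's own code: it runs a small set of detection rules over constructed Sysmon-style events. The event field names and the sample records are assumptions made for the example; only the install path, file name and C2 hostname come from the report.

```python
"""Hunt for the XWorm behaviours in this report over constructed Windows
telemetry.  Added example: the event shapes (dicts loosely modelled on Sysmon
process-create, registry-set and DNS-query events) and the sample records are
constructed here; only the indicators come from the Triage report."""
import re

# Indicators taken from the report above.
C2_HOST = "valdemar-62425.portmap.host"
INSTALL_FILE = "winsysupdater32.exe"

# Defender exclusion tampering.  Add-MpPreference alone is noisy on managed
# hosts, so require one of the exclusion parameters named in the report.
DEFENDER_EXCLUSION = re.compile(
    r"add-mppreference\b.*?-exclusion(?:path|extension|process)\b",
    re.IGNORECASE | re.DOTALL,
)
# Per-user or machine Run / RunOnce key (the "Adds Run key" signature).
RUN_KEY = re.compile(
    r"\\software\\microsoft\\windows\\currentversion\\run(?:once)?\\",
    re.IGNORECASE,
)
# Install_directory from the extracted config, in both expanded and raw forms.
PROGRAMDATA = re.compile(r"(?:%programdata%|c:\\programdata)\\", re.IGNORECASE)


def classify(event):
    """Return the behaviour labels an event matches (empty list if none)."""
    hits = []
    kind = event.get("type")
    if kind == "process_create":
        cmd = event.get("command_line", "")
        image = event.get("image", "")
        if DEFENDER_EXCLUSION.search(cmd):
            hits.append("defender_exclusion_added")
        if PROGRAMDATA.search(image) and image.lower().endswith(INSTALL_FILE):
            hits.append("xworm_install_file_executed")
    elif kind == "registry_set":
        if RUN_KEY.search(event.get("target_object", "")) and \
                PROGRAMDATA.search(event.get("details", "")):
            hits.append("run_key_to_programdata")
    elif kind == "dns_query":
        query = event.get("query", "").lower().rstrip(".")
        if query == C2_HOST:
            hits.append("known_xworm_c2")
        elif query.endswith(".portmap.host"):
            # Weaker signal: same port-forwarding relay, different tunnel name.
            hits.append("portmap_host_tunnel")
    return hits


def hunt(events):
    """Map each alerting event's id to its labels; benign events are dropped."""
    results = {}
    for event in events:
        labels = classify(event)
        if labels:
            results[event["id"]] = labels
    return results


# Constructed sample telemetry: events 1-4 mimic the report's behaviours,
# events 5-6 are benign controls that must not alert.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process_create",
     "image": r"C:\Users\victim\Desktop\Setup.exe",
     "command_line": 'powershell -Command "Add-MpPreference -ExclusionPath '
                     '\'C:\\ProgramData\'; Add-MpPreference -ExclusionProcess '
                     '\'WinSysUpdater32.exe\'"'},
    {"id": 2, "type": "registry_set",
     "target_object": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\WinSysUpdater32",
     "details": r"C:\ProgramData\WinSysUpdater32.exe"},
    {"id": 3, "type": "process_create",
     "image": r"C:\ProgramData\WinSysUpdater32.exe",
     "command_line": r"C:\ProgramData\WinSysUpdater32.exe"},
    {"id": 4, "type": "dns_query", "query": "Valdemar-62425.portmap.host"},
    {"id": 5, "type": "process_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell Get-MpPreference"},
    {"id": 6, "type": "dns_query", "query": "www.example.com"},
]

if __name__ == "__main__":
    for event_id, labels in hunt(SAMPLE_EVENTS).items():
        print(event_id, labels)
```

The exact C2 hostname is the strongest indicator but also the most brittle, since the portmap.host tunnel name is operator-chosen; the Run key to %ProgramData% and the exclusion-parameter check on Add-MpPreference generalise to other XWorm builds with different config values.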
