
General

  • Target

    Spyroid.exe

  • Size

    87.5MB

  • Sample

    240812-fg6jyswekp

  • MD5

    79c831492a1ed34de3981a4d7d9bbd27

  • SHA1

    5e05779ae69dd6ee50b6e7ecda51dce68395ca9d

  • SHA256

    68efdfdeac91a17294a6ba6bc6add40ac73d7e497ab6db19c5b551312feddadb

  • SHA512

    abb457b98db97721b09f67a922fce90d4a02913659105017ad8d47d14e2e820a8a21ee5f9fafeb2a5387a8c55f8459a7b891bf5bf59908e5f6d6f46ba7300969

  • SSDEEP

    1572864:ScM5s/QINBarKKil516uxmsPw/XfP6nryphJK8fZiLw++Kr1h4BZs/353xgebe5U:SV6FvaMLTxmn/3kek8Bi9r16BZs/3BHf

Malware Config

Extracted

Family

xworm

C2

church-insight.gl.at.ply.gg:54667

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    ntoskrnl.exe

Targets

    • Target

      Spyroid.exe


    • Contains code to disable Windows Defender

      A .NET executable containing code that disables Windows Defender capabilities such as real-time monitoring and block-at-first-seen.

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application
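
The signatures above (Defender tampering through PowerShell, a dropped EXE installed as %ProgramData%\ntoskrnl.exe, a Run key pointing at it, and the extracted C2) translate directly into host detection logic. The following is an added example, not code from tria.ge or from any detection project; it runs the checks over a handful of constructed Sysmon-style events (process creation, registry value set, network connection) rather than over real telemetry. The field names in the sample events are assumptions for illustration. One caveat it encodes that the report does not spell out: the legitimate ntoskrnl.exe lives only in %SystemRoot%\System32, so that filename anywhere else is masquerading.

```python
import re

# Indicators copied from the extracted config above.
XWORM_C2 = "church-insight.gl.at.ply.gg:54667"
INSTALL_FILE = "ntoskrnl.exe"           # install_file from the config
LEGIT_KERNEL_DIR = r"c:\windows\system32"   # the only place the real kernel image lives

# Add-MpPreference / Set-MpPreference invocations that weaken Defender:
# exclusions, or switches that turn off real-time monitoring / block-at-first-seen.
DEFENDER_TAMPER = re.compile(
    r"\b(?:Add|Set)-MpPreference\b.*?-(?:Exclusion(?:Path|Process|Extension)\b"
    r"|Disable(?:RealtimeMonitoring|BlockAtFirstSeen|IOAVProtection|BehaviorMonitoring)\b)",
    re.IGNORECASE | re.DOTALL,
)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)
PROGRAMDATA = re.compile(r"^(?:%ProgramData%|[a-z]:\\ProgramData)\\", re.IGNORECASE)


def _unquote(path):
    """Strip surrounding quotes a Run value or command line may carry."""
    return path.strip().strip('"').strip("'")


def tag_event(event):
    """Return the list of detection tags that fire on one event (empty if none).

    Event layout is an assumption: event_id mirrors Sysmon (1 = process create,
    13 = registry value set, 3 = network connection) with lowercase field names.
    """
    tags = []
    eid = event["event_id"]
    if eid == 1:
        cmd = event.get("command_line", "")
        image = _unquote(event.get("image", "")).lower()
        if DEFENDER_TAMPER.search(cmd):
            tags.append("defender tampering via PowerShell (T1562.001)")
        if image.endswith("\\" + INSTALL_FILE) and not image.startswith(LEGIT_KERNEL_DIR):
            tags.append("ntoskrnl.exe executed outside System32 (masquerade)")
        if PROGRAMDATA.search(image):
            tags.append("executable launched from %ProgramData%")
    elif eid == 13:
        target = event.get("target_object", "")
        value = _unquote(event.get("details", ""))
        if RUN_KEY.search(target):
            tags.append("Run key persistence (T1547.001)")
            if PROGRAMDATA.search(value):
                tags.append("Run key points into %ProgramData%")
    elif eid == 3:
        endpoint = "%s:%s" % (event.get("dest_host", ""), event.get("dest_port", ""))
        if endpoint.lower() == XWORM_C2:
            tags.append("connection to known Xworm C2")
    return tags


def scan(events):
    """Map event index -> tags for every event that triggered at least one check."""
    hits = {}
    for i, event in enumerate(events):
        tags = tag_event(event)
        if tags:
            hits[i] = tags
    return hits


# Constructed sample events (not from the sandbox report) exercising each check.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"event_id": 1, "image": PS,
     "command_line": 'powershell -Command "Add-MpPreference -ExclusionPath C:\\ProgramData -ExclusionProcess ntoskrnl.exe"'},
    {"event_id": 1, "image": PS,
     "command_line": 'powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true -DisableBlockAtFirstSeen $true"'},
    {"event_id": 13,
     "target_object": r"HKU\S-1-5-21-1000-2000-3000-1001\Software\Microsoft\Windows\CurrentVersion\Run\ntoskrnl",
     "details": r"C:\ProgramData\ntoskrnl.exe"},
    {"event_id": 1, "image": r"C:\ProgramData\ntoskrnl.exe", "command_line": r"C:\ProgramData\ntoskrnl.exe"},
    {"event_id": 3, "dest_host": "church-insight.gl.at.ply.gg", "dest_port": 54667},
    {"event_id": 1, "image": PS, "command_line": "powershell -Command Get-MpPreference"},   # benign read
    {"event_id": 13,
     "target_object": r"HKU\S-1-5-21-1000-2000-3000-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"C:\Program Files\Vendor\updater.exe"},                                   # ordinary Run entry
]

if __name__ == "__main__":
    for idx, tags in scan(SAMPLE_EVENTS).items():
        print(idx, tags)
```

The Run-key check deliberately fires on every write to the Run hive so that the %ProgramData% qualifier, rather than the key itself, carries the weight: installers write Run values routinely, but a Run value that launches a kernel-image filename out of %ProgramData% is the combination this sample produces.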

MITRE ATT&CK Enterprise v15

Tasks