General
Target: Spyroid.exe
Size: 87.5MB
Sample: 240812-fg6jyswekp
MD5: 79c831492a1ed34de3981a4d7d9bbd27
SHA1: 5e05779ae69dd6ee50b6e7ecda51dce68395ca9d
SHA256: 68efdfdeac91a17294a6ba6bc6add40ac73d7e497ab6db19c5b551312feddadb
SHA512: abb457b98db97721b09f67a922fce90d4a02913659105017ad8d47d14e2e820a8a21ee5f9fafeb2a5387a8c55f8459a7b891bf5bf59908e5f6d6f46ba7300969
SSDEEP: 1572864:ScM5s/QINBarKKil516uxmsPw/XfP6nryphJK8fZiLw++Kr1h4BZs/353xgebe5U:SV6FvaMLTxmn/3kek8Bi9r16BZs/3BHf

Static task: static1
Behavioral task: behavioral1
Sample: Spyroid.exe
Resource: win11-20240802-en
Malware Config
Extracted: xworm
C2 (host:port): church-insight.gl.at.ply.gg:54667
Install_directory: %ProgramData%
install_file: ntoskrnl.exe
Targets
Target: Spyroid.exe (87.5MB; same MD5/SHA1/SHA256/SHA512/SSDEEP as listed under General)
Score: 10/10

Signatures
- Contains code to disable Windows Defender: a .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, block at first seen, etc.
- Detect Xworm Payload
- Command and Scripting Interpreter: PowerShell: runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
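The signatures above describe the behaviour (Defender tampering from PowerShell, a dropped copy of the sample named ntoskrnl.exe under %ProgramData%, and Run-key / scheduled-task autostart) but not how to spot it in telemetry. The following is an added example, not part of the tria.ge report and not code from the sample or from tria.ge: a small detector that applies those observations to process command-line style log lines. The log lines are constructed for illustration (the sample's real command lines are not on the page); the cmdlet switches are the genuine Set-MpPreference / Add-MpPreference parameters, and the rule names are this example's own.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Set-MpPreference switches that weaken Defender. The report names realtime
# monitoring and block-at-first-seen; the other two are common companions.
DEFENDER_DISABLE_FLAGS = {
    "DisableRealtimeMonitoring",
    "DisableBlockAtFirstSeen",
    "DisableIOAVProtection",
    "DisableBehaviorMonitoring",
}
# Add-MpPreference switches matching the three exclusion types the report lists.
EXCLUSION_FLAGS = {"ExclusionPath", "ExclusionExtension", "ExclusionProcess"}

# The only legitimate location of ntoskrnl.exe; anything else is masquerading.
LEGIT_NTOSKRNL = re.compile(
    r"^(?:[a-z]:\\windows|%systemroot%|%windir%)\\system32\\ntoskrnl\.exe$", re.I)
NTOSKRNL_REF = re.compile(r"""[^\s"']*ntoskrnl\.exe""", re.I)
FLAG = re.compile(r"-(\w+)")


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    detail: str


def scan_line(line_no: int, line: str) -> list[Finding]:
    """Apply the detection rules to one log line and return every hit."""
    hits: list[Finding] = []
    low = line.lower()

    # Rules 1-2: Defender tampering through the Set-/Add-MpPreference cmdlets.
    if "set-mppreference" in low or "add-mppreference" in low:
        for flag in FLAG.findall(line):
            if flag in DEFENDER_DISABLE_FLAGS and re.search(
                    rf"-{flag}\s+(?:\$?true|1)\b", line, re.I):
                hits.append(Finding(line_no, "defender_disable", flag))
            elif flag in EXCLUSION_FLAGS:
                hits.append(Finding(line_no, "defender_exclusion", flag))

    # Rule 3: ntoskrnl.exe referenced anywhere other than %SystemRoot%\System32
    # (a bare name with no path is flagged too).
    for ref in NTOSKRNL_REF.findall(line):
        path = ref.replace("/", "\\")
        if not LEGIT_NTOSKRNL.match(path):
            hits.append(Finding(line_no, "ntoskrnl_masquerade", path))

    # Rule 4: an autostart (Run key or scheduled task) pointing into %ProgramData%,
    # the install directory from the extracted XWorm config.
    autostart = "currentversion\\run" in low or ("schtasks" in low and "/create" in low)
    if autostart and ("%programdata%" in low or "\\programdata\\" in low):
        hits.append(Finding(line_no, "autostart_to_programdata", line.strip()))
    return hits


def scan_log(lines: list[str]) -> list[Finding]:
    return [h for n, line in enumerate(lines, 1) for h in scan_line(n, line)]


def summarize(lines: list[str]) -> dict[str, int]:
    """Count hits per rule; handy for a quick triage verdict."""
    return dict(Counter(h.rule for h in scan_log(lines)))


# Constructed, 4688-style command lines for illustration only. Lines 5 and 6
# are benign controls: the real kernel image and a read-only Defender query.
SAMPLE_LOG = [
    r'powershell.exe -Command "Set-MpPreference -DisableRealtimeMonitoring $true -DisableBlockAtFirstSeen $true"',
    r"powershell.exe Add-MpPreference -ExclusionPath 'C:\ProgramData' -ExclusionExtension exe -ExclusionProcess ntoskrnl.exe",
    r'reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ntoskrnl /d "C:\ProgramData\ntoskrnl.exe" /f',
    r'schtasks.exe /create /tn ntoskrnl /tr "%ProgramData%\ntoskrnl.exe" /sc onlogon',
    r"sigcheck.exe -a C:\Windows\System32\ntoskrnl.exe",
    r"powershell.exe Get-MpPreference",
]

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.rule}: {h.detail}")
    print(summarize(SAMPLE_LOG))
```

Rule 3 is the one with the best signal-to-noise: a file named ntoskrnl.exe outside System32 has no legitimate reason to exist, so it needs no allow-listing. Rules 1 and 2 will also fire on administrators and deployment scripts; in production, pair them with the parent process and user context rather than alerting on the cmdlet alone.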
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)