General
Target: ohwowanigger.exe
Size: 70KB
Sample: 240821-xbvc6sthkb
MD5: 3461e8efc569040d75683831060326b5
SHA1: 3b0bc2edd86f70506320dccc5b885dd01c0964c4
SHA256: afb3da161810177f73bca2a65f80c1b7f55e78bc436b9bd39b7068039b16ae10
SHA512: 49042f51a7b7c1ad150f3a30d176bba7dc5a0ea696ca762d29fb2724121c9c1e86ccdad4d5c1e618ad33bb43684991c5558a3eb0c9d77717fd9771ac1b97f29f
SSDEEP: 1536:J9+NvlbSaw4xra1lZbKG4kw0VKConuiGy6Y9MmOWN4ln5m:j+FcyxrEZbKG4kF+nhOJXm
Behavioral task
behavioral1
Sample: ohwowanigger.exe
Resource: win10v2004-20240802-en

Malware Config
Extracted
Family: xworm
C2: 192.168.1.47:8000
Install_directory: %AppData%
install_file: USB.exe
Targets
Target: ohwowanigger.exe
Size: 70KB
MD5: 3461e8efc569040d75683831060326b5
SHA1: 3b0bc2edd86f70506320dccc5b885dd01c0964c4
SHA256: afb3da161810177f73bca2a65f80c1b7f55e78bc436b9bd39b7068039b16ae10
SHA512: 49042f51a7b7c1ad150f3a30d176bba7dc5a0ea696ca762d29fb2724121c9c1e86ccdad4d5c1e618ad33bb43684991c5558a3eb0c9d77717fd9771ac1b97f29f
SSDEEP: 1536:J9+NvlbSaw4xra1lZbKG4kw0VKConuiGy6Y9MmOWN4ln5m:j+FcyxrEZbKG4kF+nhOJXm
Score: 10/10

Signatures
- Detect Xworm Payload
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
MITRE ATT&CK Enterprise v15
Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)