Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    ohwowanigger.exe

  • Size

    70KB

  • Sample

    240821-xbvc6sthkb

  • MD5

    3461e8efc569040d75683831060326b5

  • SHA1

    3b0bc2edd86f70506320dccc5b885dd01c0964c4

  • SHA256

    afb3da161810177f73bca2a65f80c1b7f55e78bc436b9bd39b7068039b16ae10

  • SHA512

    49042f51a7b7c1ad150f3a30d176bba7dc5a0ea696ca762d29fb2724121c9c1e86ccdad4d5c1e618ad33bb43684991c5558a3eb0c9d77717fd9771ac1b97f29f

  • SSDEEP

    1536:J9+NvlbSaw4xra1lZbKG4kw0VKConuiGy6Y9MmOWN4ln5m:j+FcyxrEZbKG4kF+nhOJXm

Malware Config

Extracted

Family

xworm

C2

192.168.1.47:8000

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

Targets

    • Target

      ohwowanigger.exe

    • Size

      70KB

    • MD5

      3461e8efc569040d75683831060326b5

    • SHA1

      3b0bc2edd86f70506320dccc5b885dd01c0964c4

    • SHA256

      afb3da161810177f73bca2a65f80c1b7f55e78bc436b9bd39b7068039b16ae10

    • SHA512

      49042f51a7b7c1ad150f3a30d176bba7dc5a0ea696ca762d29fb2724121c9c1e86ccdad4d5c1e618ad33bb43684991c5558a3eb0c9d77717fd9771ac1b97f29f

    • SSDEEP

      1536:J9+NvlbSaw4xra1lZbKG4kw0VKConuiGy6Y9MmOWN4ln5m:j+FcyxrEZbKG4kF+nhOJXm

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks