General

  • Target

    Nutinme.exe

  • Size

    274KB

  • Sample

    240824-cq4vyazhqg

  • MD5

    d4203d29b2e6a217009d7c48406f6deb

  • SHA1

    d65f0c2e2ab8a8b3a28d4ec6b91a7e8cd7168f67

  • SHA256

    7e412d3d7477ac6c9047d42bc2acbda8a2a28b0160d4ba7a6e7e916c640f07ae

  • SHA512

    eeb57f268eb44a2cb423410f3ce0c1466f9e16fd4d5490df4ec547cd2ca1c935f0325cf926c0d064b2854c985d19df3954de5ee14c0248d34d31a35fef559d04

  • SSDEEP

    6144:TVoCgTOlxhtaiXhKKdJNzcgpL999eoBw1AjtrDWRTxe3xj8bO5dDtS:TUiLhBXhKsFjBz9e8trDITxOxj8bO0

Malware Config

Extracted

Family

xworm

Version

5.0

C2

147.185.221.22:13676

Mutex

9qW8SPljFCsv7jws

Attributes
  • Install_directory

    %LocalAppData%

  • install_file

    Windows Host Proccess.exe

aes.plain

Targets

    • Target

      Nutinme.exe

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15