24/08/2024, 17:55

240824-wheevsscrc 10

General

  • Target

    C11Executor23.exe

  • Size

    527KB

  • Sample

    240824-wheevsscrc

  • MD5

    0ffa58adb9ae31cb401b933d52034066

  • SHA1

    310a52338ae3aa6c13ae03243bf4d47941b26731

  • SHA256

    ec67ac05b583618699ce3813ded3f4e6b2e321c6e6714565b1810ffeb0caa361

  • SHA512

    2d8ea7646ca58710110585776a16b558e13568a42f71c56ced6110901e9fdf127f8ca2d2a598675005d6176caf827da6f90791c3b5a11235819f5f5d08e9ef10

  • SSDEEP

    12288:G2TdgrOb9yGtn4yOH05wCU36pw5Htbh9D:GYiro430wH64N19

Malware Config

Targets

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15