General
- Target: xcvvcxt.exe
- Size: 71KB
- Sample: 240825-vrhm7swhqq
- MD5: 52d2a1a3deaeef7265f59db93f08f6a8
- SHA1: f149bd23adbdd98bd1eaf67960d6ea50ad9a6abb
- SHA256: 40757554eb21a52d4700d04e7247042974e177f13370d799f115be591d16ce63
- SHA512: c5013a3bb4ff061c4f0e36ade32dcc86be69dbe28516600597329c0a53c467e2b2300a10196aa88d2ef97a405f9c002a87c5e64503a0242a9ecfe502eb75bc0d
- SSDEEP: 1536:aDiF2GFihkZNcSKYjUoA6ybueXcMS2+fL6AOOAcdt+RnMX:uiXJZaPYgAybpX3S2+hOOADFMX
Behavioral task
- behavioral1
- Sample: xcvvcxt.exe
- Resource: win11-20240802-en
Malware Config
Extracted
- Family: xworm
- C2: reason-scoop.gl.at.ply.gg:16546
- Install_directory: %LocalAppData%
- install_file: Java Update Scheduler.exe
Targets
- Target: xcvvcxt.exe (71KB; MD5, SHA1, SHA256, SHA512 and SSDEEP as listed under General)
Score: 10/10
- Detect Xworm Payload
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)