General

  • Target

    xcvvcxt.exe

  • Size

    71KB

  • Sample

    240825-vrhm7swhqq

  • MD5

    52d2a1a3deaeef7265f59db93f08f6a8

  • SHA1

    f149bd23adbdd98bd1eaf67960d6ea50ad9a6abb

  • SHA256

    40757554eb21a52d4700d04e7247042974e177f13370d799f115be591d16ce63

  • SHA512

    c5013a3bb4ff061c4f0e36ade32dcc86be69dbe28516600597329c0a53c467e2b2300a10196aa88d2ef97a405f9c002a87c5e64503a0242a9ecfe502eb75bc0d

  • SSDEEP

    1536:aDiF2GFihkZNcSKYjUoA6ybueXcMS2+fL6AOOAcdt+RnMX:uiXJZaPYgAybpX3S2+hOOADFMX

Malware Config

Extracted

Family

xworm

C2

reason-scoop.gl.at.ply.gg:16546

Attributes

  • Install_directory

    %LocalAppData%

  • install_file

    Java Update Scheduler.exe

Targets

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
