Resubmissions

29/08/2024, 01:09

240829-bh6twswdkf 10

29/08/2024, 01:06

240829-bgdrqawcke 3

General

  • Target

    SynZ.zip

  • Size

    51KB

  • Sample

    240829-bh6twswdkf

  • MD5

    b23eb8982c76332c7da86e438f37e390

  • SHA1

    81552549673b96a88ae76eca202f25df1fae912a

  • SHA256

    829b40fc8af48b5669e85eba8089f604b456783d60b29724aeb5824c08205271

  • SHA512

    93cf779ace6b752395ac006d6feb9459c1caeed51301c3f784fdb7875ce163ac915387b5777f5c87f8b3eddb46ca0842ffbe092995814599a500240e81a5c163

  • SSDEEP

    1536:5lH+sK5umOmSgfPHDj37BlX5adbzIqQo5s5y4RM/r6i6FRLJl:5lXmjLfPtlXSzqoa5YT6NHl

Malware Config

Extracted

Family

xworm

C2

one-qualified.gl.at.ply.gg:61458

Attributes

  • Install_directory

    %AppData%

  • install_file

    USB.exe

Targets

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks