Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
General
-
Target
Xworm Fixer.bat
-
Size
442KB
-
Sample
240907-tt4g1sseqn
-
MD5
ccf46201786b2facd7b19ea6129944da
-
SHA1
25e51f0e98977de48e111773058cc1b70ced0892
-
SHA256
74cdc51bc00b8f596fb764469b16ec2edb336cf9f151697ff984a5081c3204d6
-
SHA512
43a92ed1caf5a517e4e1506127b96b07c75458701e4d0b0556fc79694866fb27089ed919688c7ff68c7c2a87b51ef2e635d85bfa8a5aa860f132bfb1fbe13675
-
SSDEEP
6144:7iCje5mpo5kEu3ojrKYMwoocilcJohGUMJb0YXZyDC3ntd0FqT/G+PYDKhJaltT7:Xi5mpJEu3mkR4LMxZye3ntqFKFPTjWZ
Malware Config
Extracted
xworm
manufacturer-rank.gl.at.ply.gg:60383
-
Install_directory
%AppData%
-
install_file
USB.exe
Targets
-
-
Target
Xworm Fixer.bat
-
Size
442KB
-
MD5
ccf46201786b2facd7b19ea6129944da
-
SHA1
25e51f0e98977de48e111773058cc1b70ced0892
-
SHA256
74cdc51bc00b8f596fb764469b16ec2edb336cf9f151697ff984a5081c3204d6
-
SHA512
43a92ed1caf5a517e4e1506127b96b07c75458701e4d0b0556fc79694866fb27089ed919688c7ff68c7c2a87b51ef2e635d85bfa8a5aa860f132bfb1fbe13675
-
SSDEEP
6144:7iCje5mpo5kEu3ojrKYMwoocilcJohGUMJb0YXZyDC3ntd0FqT/G+PYDKhJaltT7:Xi5mpJEu3mkR4LMxZye3ntqFKFPTjWZ
Score10/10-
Detect Xworm Payload
-
Xworm
Xworm is a remote access trojan written in C#.
-
Command and Scripting Interpreter: PowerShell
Using powershell.exe command.
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1