General
Target: SU.exe
Size: 1.2MB
Sample: 240913-qzjs1ssfnn
MD5: 2a64aeb7b7cf578a9ad7be1d385d7be7
SHA1: 476ebae30ae090a7d3bf9a95284beb3531136915
SHA256: aa34e679921b3d50f6f0ace51bb251ce69ccbcbcc8355fa3ca3557c3e278b196
SHA512: 5bfa25235b47e0276532a21e93d7135ab9938c755d4ca1b7647dd1388ba8ed01b6f986c989bf806a939caff7154c0b36ecf78bf22f19e9b9d834e2381bcdf988
SSDEEP: 24576:ikGNQ//5PPhGNV4AiaaObfIg8+KUctYM:9GNm/5XhG34AiROTb8+KUct
Static task: static1
Malware Config
Extracted
Family: xworm
Version: 5.0
192.168.223.129:4935
luKRH8HypEesQaqn
Install_directory: %AppData%
install_file: $77.exe
Targets
Target: SU.exe
Size: 1.2MB
MD5, SHA1, SHA256, SHA512 and SSDEEP: identical to the values listed under General.
Signatures
- Detect Xworm Payload
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)