General

  • Target

    nursultan by batchgx.exe

  • Size

    31KB

  • Sample

    240928-y8f3gsxhkc

  • MD5

    e769f83e9296311f3a8499b34819afc3

  • SHA1

    d70fddf8da48795ad84aa4fa75d681a1e2b06b9f

  • SHA256

    f0e916dd6769b273107a1b0ae92099825116083fe3a3e502e5582fac159046a3

  • SHA512

    c4749b93e9b8cff355f3fb79b2855c0558734887c606f8b4ac07b58d590323896d5e97c9e6aea58b7fe6d7f3ea375a6f9ec214fd25a646504693e62aada943ec

  • SSDEEP

    384:RWrVqCDweO/ace/VgFpLJPgwDs2ETIiJ5R+gtFqBLTiZw/WNCvK9IkVuwxOjhf/:ZzT55ePJ5ZFr9RdOjhf/3vY

Malware Config

Extracted

Family

xworm

Version

3.1

C2

budget-compiled.gl.at.ply.gg:61672

Mutex

clIqiypuJSXeSvTO

Attributes

  • Install_directory

    %AppData%

  • install_file

    USB.exe

aes.plain

Targets

    • Target

      nursultan by batchgx.exe

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a component key under HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components; Windows runs that key's StubPath command at logon for every user whose HKCU copy of the component is missing or has a lower Version.

    • Drops startup file

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v15
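The extracted config (C2 endpoint, mutex, install path) and the persistence signatures above can be turned directly into a host-hunting check. The Python below is an added example, not part of the tria.ge report and not XWorm's own code. It evaluates the report's indicators against constructed Sysmon-style records: the field names mirror Sysmon's NetworkConnect, FileCreate and RegistryValueSet events, the HandleOpen record stands in for a parsed handle listing because Sysmon does not log mutex creation, and the user profile and Active Setup component GUID are placeholders. Two caveats are built in: %AppData% is matched by its \AppData\Roaming\ tail so the rule holds for any profile, and because the C2 hostname is a playit.gg tunnel under ply.gg (so the backing IP is not a stable indicator), a second, weaker rule catches a re-issued tunnel name on the same port.

```python
import re

# Indicators copied from the "Malware Config" section of this report.
C2_HOST = "budget-compiled.gl.at.ply.gg"
C2_PORT = 61672
MUTEX = "clIqiypuJSXeSvTO"
INSTALL_FILE = "USB.exe"  # Install_directory is %AppData%

# %AppData% expands to <profile>\AppData\Roaming; matching the path tail makes
# the rule independent of the user profile.
INSTALL_PATH_RE = re.compile(
    r"\\AppData\\Roaming\\" + re.escape(INSTALL_FILE) + r"$", re.IGNORECASE)
# "Drops startup file": anything written into the per-user Startup folder.
STARTUP_DIR_RE = re.compile(
    r"\\Start Menu\\Programs\\Startup\\[^\\]+$", re.IGNORECASE)
# Active Setup persistence: a StubPath value under HKLM\...\Installed Components
# runs in each user's context at logon while that user's HKCU copy is missing
# or has a lower Version.
ACTIVE_SETUP_RE = re.compile(
    r"^HKLM\\SOFTWARE\\(WOW6432Node\\)?Microsoft\\Active Setup\\Installed Components"
    r"\\[^\\]+\\StubPath$", re.IGNORECASE)
# Named mutexes live under \BaseNamedObjects (per-session unless Global\).
MUTEX_RE = re.compile(r"\\BaseNamedObjects\\" + re.escape(MUTEX) + r"$")


def _alert(ev, rule, detail):
    return {"rule": rule, "image": ev.get("Image", ""), "detail": detail}


def scan(events):
    """Return one alert per record that matches an indicator, in input order."""
    alerts = []
    for ev in events:
        kind = ev.get("EventType")
        if kind == "NetworkConnect":
            host = ev.get("DestinationHostname", "").lower()
            port = ev.get("DestinationPort")
            if host == C2_HOST:
                alerts.append(_alert(ev, "xworm_c2_host", f"{host}:{port}"))
            elif host.endswith(".ply.gg") and port == C2_PORT:
                # Weaker rule: the tunnel name can be re-issued, the port may survive.
                alerts.append(_alert(ev, "xworm_c2_tunnel_port", f"{host}:{port}"))
        elif kind == "FileCreate":
            target = ev.get("TargetFilename", "")
            if INSTALL_PATH_RE.search(target):
                alerts.append(_alert(ev, "xworm_install_file", target))
            elif STARTUP_DIR_RE.search(target):
                alerts.append(_alert(ev, "startup_drop", target))
        elif kind == "RegistryValueSet":
            if ACTIVE_SETUP_RE.match(ev.get("TargetObject", "")):
                alerts.append(_alert(ev, "active_setup_stubpath", ev.get("Details", "")))
        elif kind == "HandleOpen":  # constructed record type, not a Sysmon event
            if MUTEX_RE.search(ev.get("ObjectName", "")):
                alerts.append(_alert(ev, "xworm_mutex", ev["ObjectName"]))
    return alerts


def implicated_images(alerts):
    """Binaries to remove: every process image that triggered at least one rule."""
    return sorted({a["image"] for a in alerts if a["image"]})


# Constructed telemetry for a placeholder user; not from the sandbox run.
PROFILE = r"C:\Users\alice"
ORIGINAL = PROFILE + r"\Downloads\nursultan by batchgx.exe"
DROPPED = PROFILE + r"\AppData\Roaming\USB.exe"
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "Image": ORIGINAL},
    {"EventType": "FileCreate", "Image": ORIGINAL, "TargetFilename": DROPPED},
    {"EventType": "FileCreate", "Image": DROPPED, "TargetFilename":
     PROFILE + r"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\USB.lnk"},
    {"EventType": "RegistryValueSet", "Image": DROPPED, "Details": DROPPED, "TargetObject":
     r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{EXAMPLE-COMPONENT-GUID}\StubPath"},
    {"EventType": "NetworkConnect", "Image": DROPPED,
     "DestinationHostname": C2_HOST, "DestinationPort": C2_PORT},
    {"EventType": "NetworkConnect", "Image": DROPPED,  # re-issued tunnel name, same port
     "DestinationHostname": "other-name.gl.at.ply.gg", "DestinationPort": C2_PORT},
    {"EventType": "HandleOpen", "Image": DROPPED,
     "ObjectName": r"\Sessions\1\BaseNamedObjects\clIqiypuJSXeSvTO"},
    # Benign noise that must not fire.
    {"EventType": "NetworkConnect", "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationHostname": "www.example.com", "DestinationPort": 443},
    {"EventType": "FileCreate", "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": PROFILE + r"\AppData\Roaming\Notes.txt"},
]

if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for h in hits:
        print(f"{h['rule']:24} {h['image']}  {h['detail']}")
    print("remove:", implicated_images(hits))
```

On a live host the Active Setup rule has a direct counterpart: list HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components and inspect any StubPath that points into a user-writable location such as %AppData%. Deleting the dropped USB.exe alone is not enough, because the HKLM entry will re-run its StubPath for every user whose HKCU copy is absent or older; the registry key must go as well. The "Enumerates connected drives" signature has no host-telemetry equivalent here, since reading drive roots is not logged by Sysmon.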