General

  • Target

    MR. OCTOPUS‌‌‌.exe

  • Size

    61.4MB

  • Sample

    241106-kj853syrdk

  • MD5

    16f4e4d66e5fdb5897af37ea7c067df9

  • SHA1

    326468c89d4eeb4127e8db754f8bc738d3e6f3a7

  • SHA256

    41c4884469e65d8a57747a02a5e935d13e05a0c279ff4f9117cb5cbcc65fde73

  • SHA512

    4f81e5d182f8c49e4487b7782e283c2274ec27060b53cd1b56ec4ca8f14c25fb5e50158e7b5df6b3ced0fc6c896a01c63a5a84185349f900150cc89da9c88d06

  • SSDEEP

    1572864:jFtdm5ugJDjavJqMV21ihlX1UZ9d34atoZyVr6aZNz:jFtdm5u0G61KBKZT3Qar6aH

Malware Config

Extracted

Family

xworm

C2

146.190.110.91:3389

Attributes

  • Install_directory

    %AppData%

  • install_file

    smartscreen.exe

  • telegram

    https://api.telegram.org/bot7558158256:AAEHTwnKaP3Xe69dD2Vmm9pirMBLikK6uhw/sendMessage?chat_id=8071457805

Targets

    • Target

      MR. OCTOPUS‌‌‌.exe

    • Size

      61.4MB

    • MD5

      16f4e4d66e5fdb5897af37ea7c067df9

    • SHA1

      326468c89d4eeb4127e8db754f8bc738d3e6f3a7

    • SHA256

      41c4884469e65d8a57747a02a5e935d13e05a0c279ff4f9117cb5cbcc65fde73

    • SHA512

      4f81e5d182f8c49e4487b7782e283c2274ec27060b53cd1b56ec4ca8f14c25fb5e50158e7b5df6b3ced0fc6c896a01c63a5a84185349f900150cc89da9c88d06

    • SSDEEP

      1572864:jFtdm5ugJDjavJqMV21ihlX1UZ9d34atoZyVr6aZNz:jFtdm5u0G61KBKZT3Qar6aH

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

MITRE ATT&CK Enterprise v15

Tasks