Note: Windows 7 will be removed from tria.ge on 2025-03-31. The behavioral task in this report ran on a Windows 7 image, so it cannot be re-run on the same platform after that date.
General

Target: PBVIP6November2024.exe
Size: 2.4MB
Sample: 241106-mvdjna1mbn
MD5: 29b97b3ad71906522b466fce0d9d2f40
SHA1: 4438df1e9d100e9998b48044b2e00949f35627a7
SHA256: 7e69dd789bf828531848e658682b78cb0c3f35f4b9f1f64c306edff316c1c434
SHA512: 06c97e630e3ac8dfb1c0cf94f8e162570ff085876712e132f7c8bd0dd8edeb7ef0bbc08c4a6573fb6206be9fdf18fa7be0a492f2f60e062c58735aeb62f92f99
SSDEEP: 49152:M7VXW0U6kcdssPuL3JuX9yXUYtUHjNOeIkpPWKZdA:M71B0cWSgsNQUnHjweTwKZdA
Static task: static1
Behavioral task: behavioral1
Sample: PBVIP6November2024.exe
Resource: win7-20240903-en
Malware Config

Extracted family: xworm
C2: 193.161.193.99:58389
Install_directory: %AppData%
install_file: windowssession.exe
Targets

Target: PBVIP6November2024.exe (2.4MB; MD5, SHA1, SHA256, SHA512 and SSDEEP as listed under General)

Signatures
- Detect Xworm Payload
- Xmrig family
- Xworm family
- XMRig Miner payload
- Blocklisted process makes network request
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext (the API typically used to redirect a suspended thread into injected code)
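The indicators Triage extracted above (the sample hashes, the XWorm C2 endpoint, and the install file under %AppData%) map directly onto host telemetry. The script below is an added example for this report, not tooling from tria.ge: it matches those indicators against Sysmon-style key=value event lines (process create, file create, network connect). The five event lines, the user name and paths inside them, and the rule names are constructed for the example; %AppData% is resolved to the user's AppData\Roaming directory, which is what the variable expands to by default. The report does not name the IP-lookup service the sample contacted, so that behaviour is deliberately not encoded.

```python
"""Hunt for this report's XWorm indicators in Sysmon-style event lines.

Added example for this Triage report, not part of tria.ge tooling. The
indicator values are copied from the report; the event lines below are
constructed for the example and are not real telemetry.
"""
import re

# Sample hashes from the General section of the report.
IOC_HASHES = {
    "md5": "29b97b3ad71906522b466fce0d9d2f40",
    "sha1": "4438df1e9d100e9998b48044b2e00949f35627a7",
    "sha256": "7e69dd789bf828531848e658682b78cb0c3f35f4b9f1f64c306edff316c1c434",
}

# XWorm config extracted by Triage: C2 endpoint and install location.
C2_HOST = "193.161.193.99"
C2_PORT = "58389"
# %AppData% expands to C:\Users\<user>\AppData\Roaming by default, so the
# dropped file lands at ...\AppData\Roaming\windowssession.exe (compared lower-case).
INSTALL_PATH_SUFFIX = r"\appdata\roaming\windowssession.exe"

# Constructed Sysmon-like events (EventID 1 = process create, 3 = network
# connect, 11 = file create). Values contain no spaces, which the simple
# key=value parser below relies on; the user "bob" is made up.
SAMPLE_EVENTS = [
    r"EventID=1 Image=C:\Users\bob\Downloads\PBVIP6November2024.exe "
    r"Hashes=MD5=29B97B3AD71906522B466FCE0D9D2F40,SHA256=7E69DD789BF828531848E658682B78CB0C3F35F4B9F1F64C306EDFF316C1C434",
    r"EventID=11 Image=C:\Users\bob\Downloads\PBVIP6November2024.exe "
    r"TargetFilename=C:\Users\bob\AppData\Roaming\windowssession.exe",
    r"EventID=3 Image=C:\Users\bob\AppData\Roaming\windowssession.exe "
    r"DestinationIp=193.161.193.99 DestinationPort=58389",
    r"EventID=3 Image=C:\Windows\System32\svchost.exe DestinationIp=13.107.4.50 DestinationPort=443",
    r"EventID=1 Image=C:\Windows\explorer.exe Hashes=SHA256=" + "ab" * 32,
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one key=value event line into a dict (values with spaces are not supported)."""
    return {key: value for key, value in KV_RE.findall(line)}


def hashes_in(event):
    """Return the lower-cased hex digests from a Sysmon 'Hashes' field such as MD5=...,SHA256=...."""
    digests = set()
    for part in event.get("Hashes", "").split(","):
        if "=" in part:
            digests.add(part.split("=", 1)[1].lower())
    return digests


def match_event(event):
    """Return the names of the report indicators that this single event matches."""
    hits = []
    if hashes_in(event) & set(IOC_HASHES.values()):
        hits.append("known_sample_hash")
    target = event.get("TargetFilename", "").lower()
    image = event.get("Image", "").lower()
    if target.endswith(INSTALL_PATH_SUFFIX):
        hits.append("xworm_install_file_written")
    if image.endswith(INSTALL_PATH_SUFFIX):
        hits.append("xworm_install_file_executed")
    if event.get("DestinationIp") == C2_HOST and event.get("DestinationPort") == C2_PORT:
        hits.append("xworm_c2_connection")
    return hits


def hunt(lines):
    """Run every event line through the matcher; returns [(line_number, hits)] for lines that hit."""
    results = []
    for number, line in enumerate(lines, 1):
        hits = match_event(parse_event(line))
        if hits:
            results.append((number, hits))
    return results


if __name__ == "__main__":
    for number, hits in hunt(SAMPLE_EVENTS):
        print(f"event {number}: {', '.join(hits)}")
```

Run against the constructed events, lines 1 to 3 trigger the hash, file-write and C2 rules respectively, and the two benign events stay silent. The same three rules apply unchanged to real Sysmon exports once the field names are mapped; the hash match is only useful against this exact binary, while the install path and C2 endpoint survive trivial repacking of the sample.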