Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
General
-
Target
Zerion(real).exe
-
Size
68KB
-
Sample
241106-t5azvawmaq
-
MD5
c78e30aece1251fbca58c57edaf2a9ac
-
SHA1
d6110e63d2c77b41eb46c0d11fa03d15081bfea4
-
SHA256
9269bb54f5e7e505de0dc0f406c447625e153b0d79e3d553d1b0f5c79ccbfd6b
-
SHA512
26838ca19a3c95c730d20ef1a87a5b0fe1713a0bce3437f31f6c06d163c60f04616a7a006add3aff624a332bd038f28b0e969d441c3c8c3421e14996c65102ba
-
SSDEEP
1536:0QGpw/mylCVbRi+bH5KoEmLd6vPc5OyGayvESuUi:0Qh/mylCVg+bH5+u2COoykh
Malware Config
Extracted
xworm
127.0.0.1:7000
-
Install_directory
%AppData%
-
install_file
XClient.exe
Targets
-
-
Target
Zerion(real).exe
-
Size
68KB
-
MD5
c78e30aece1251fbca58c57edaf2a9ac
-
SHA1
d6110e63d2c77b41eb46c0d11fa03d15081bfea4
-
SHA256
9269bb54f5e7e505de0dc0f406c447625e153b0d79e3d553d1b0f5c79ccbfd6b
-
SHA512
26838ca19a3c95c730d20ef1a87a5b0fe1713a0bce3437f31f6c06d163c60f04616a7a006add3aff624a332bd038f28b0e969d441c3c8c3421e14996c65102ba
-
SSDEEP
1536:0QGpw/mylCVbRi+bH5KoEmLd6vPc5OyGayvESuUi:0Qh/mylCVg+bH5+u2COoykh
Score10/10-
Detect Xworm Payload
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1