General

  • Target

    Zerion(real).exe

  • Size

    68KB

  • Sample

    241106-t5azvawmaq

  • MD5

    c78e30aece1251fbca58c57edaf2a9ac

  • SHA1

    d6110e63d2c77b41eb46c0d11fa03d15081bfea4

  • SHA256

    9269bb54f5e7e505de0dc0f406c447625e153b0d79e3d553d1b0f5c79ccbfd6b

  • SHA512

    26838ca19a3c95c730d20ef1a87a5b0fe1713a0bce3437f31f6c06d163c60f04616a7a006add3aff624a332bd038f28b0e969d441c3c8c3421e14996c65102ba

  • SSDEEP

    1536:0QGpw/mylCVbRi+bH5KoEmLd6vPc5OyGayvESuUi:0Qh/mylCVg+bH5+u2COoykh

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:7000

Attributes

  • Install_directory

    %AppData%

  • install_file

    XClient.exe

Targets

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks