General

  • Target

    2052-150-0x000001A9BB0E0000-0x000001A9BB0F0000-memory.dmp

  • Size

    64KB

  • Sample

    241106-tg9s9sslhy

  • MD5

    2e511711556c84a5748e2a3c9508f79d

  • SHA1

    793fd65b8ad3e3ff4d32b2a2a77873cdd2e51d14

  • SHA256

    38933a739032b6ccbe0e7e21c2a3f68b26c87ec8f89e51701899099443affaf8

  • SHA512

    ac49bf92e5ca38a776b2435eb502a8c04334f76a9d76f68e1c78b6d4edee9506959f840808884a71c17e45822e41b167c40de0a1b33caa8a4bed2775cdf274c7

  • SSDEEP

    768:8TaTaHaxVq3LgGHk8qZHkvhxST9BeY0FWPG9tM6TOMh+7It:8TaT4a8gykRhWhx69BehFh9tM6TOMIk

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

6lFXjUqCtT3P20q9

Attributes

  • install_file

    wintousb.exe

aes.plain

Targets

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks