Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
General
-
Target
https://cdn.discordapp.com/attachments/1296491383435296818/1331574935260233778/yes.bat?ex=67921d4c&is=6790cbcc&hm=72c63038324740a7d98f634076c94f75518148e399dec3af1bc10e45781f6f8e&
-
Sample
250122-ms1leatjep
Malware Config
Extracted
xworm
127.0.0.1:23484
searches-jimmy.gl.at.ply.gg:23484
-
install_file
USB.exe
Targets
-
-
Target
https://cdn.discordapp.com/attachments/1296491383435296818/1331574935260233778/yes.bat?ex=67921d4c&is=6790cbcc&hm=72c63038324740a7d98f634076c94f75518148e399dec3af1bc10e45781f6f8e&
Score10/10-
Contains code to disable Windows Defender
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Detect Xworm Payload
-
Modifies Windows Defender Real-time Protection settings
-
UAC bypass
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Executes dropped EXE
-
Deobfuscate/Decode Files or Information
Payload decoded via CertUtil.
-
Drops desktop.ini file(s)
-
Sets desktop wallpaper using registry
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Deobfuscate/Decode Files or Information
1Impair Defenses
2Disable or Modify Tools
2Modify Registry
5