General
- Target: conn.exe
- Size: 28.2MB
- Sample: 250301-2cc8havtgs
- MD5: 9e2fc420e7723106785ae60eed94a535
- SHA1: ae78659c98a8254bcf9134c5c670eba785a5fc5f
- SHA256: 35940f3f3a12d6d2f30f8c462d714ba11da29115164d55c21127244edc26a3dc
- SHA512: da2533839b2a9d8f31a1c2e6260cc60c59ca676c7f8aa94cfd6d099d28536120f8ce75eb80faa909e9d0b9463eb6a1d30944f1a9b604f599109840301382a682
- SSDEEP: 786432:Ttu0coshxWHVn6s6b64G71jaoCo1Ha2XykT+utnLI9O:Bu0jyC6Fb6V71JCo1RRVU
Malware Config
Extracted
- Family: xworm
- Version: 5.0
- C2: thetest.selfhost.co:1339
- hyd6qZsPPsPPgljc (field name not shown in the report)
- Install_directory: %ProgramData%
- install_file: DirectOutputService.exe
Targets
- Target: conn.exe (the submitted file described under General; size and hashes are identical)
Signatures
- Detect Xworm Payload
- Xworm family
- Command and Scripting Interpreter: PowerShell. Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
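The signatures above and the extracted config give three concrete things to hunt for on a host or in a log pipeline: PowerShell adding Defender exclusions, a Run key whose value is the configured drop path (%ProgramData%\DirectOutputService.exe), and an outbound connection to the configured C2 (thetest.selfhost.co:1339). The following detection script is an added example written for this page; it is not code from tria.ge or from the sample. It assumes the exclusions are added with the Add-MpPreference cmdlet (the report names only the behaviour, not the cmdlet), that %ProgramData% resolves to the default C:\ProgramData, and that events arrive as simple dicts; the event records are constructed for illustration.

```python
"""Hunt for the XWorm behaviours listed in the report over constructed events.

Assumptions (not stated in the report): Defender exclusions are added via
Add-MpPreference; %ProgramData% is C:\ProgramData; events are dicts with a
"type" of scriptblock, registry or network.
"""
import re
from typing import Iterable

# Indicators copied from the report's extracted XWorm config.
C2_HOST = "thetest.selfhost.co"
C2_PORT = 1339
INSTALL_DIR = r"%ProgramData%"
INSTALL_FILE = "DirectOutputService.exe"

# Assumption: default expansion of the environment token used in the config.
ENV_DEFAULTS = {"%programdata%": r"C:\ProgramData"}

# Assumption: exclusions are added with Add-MpPreference and its documented
# -ExclusionPath / -ExclusionProcess / -ExclusionExtension parameters.
EXCLUSION_ARG_RE = re.compile(
    r"-Exclusion(Path|Process|Extension)\s+(\"[^\"]*\"|'[^']*'|[^\s]+)",
    re.IGNORECASE,
)
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE
)


def expand_env(path: str) -> str:
    """Expand the environment tokens we know about, case-insensitively."""
    def repl(m: re.Match) -> str:
        return ENV_DEFAULTS.get(m.group(0).lower(), m.group(0))
    return re.sub(r"%[^%]+%", repl, path)


def normalize_path(path: str) -> str:
    """Strip quotes, expand env tokens and lower-case for comparison."""
    return expand_env(path.strip().strip("\"'")).lower().rstrip("\\")


def find_defender_exclusions(script_block: str) -> list:
    """Return (kind, value) pairs for every exclusion added in the script text.

    Quoted, comma-separated values (one parameter, several exclusions) are split
    into individual entries so each one can be reviewed on its own.
    """
    if not re.search(r"\bAdd-MpPreference\b", script_block, re.IGNORECASE):
        return []
    found = []
    for kind, raw in EXCLUSION_ARG_RE.findall(script_block):
        for value in raw.strip("\"'").split(","):
            found.append((kind.capitalize(), value.strip()))
    return found


def is_install_path(path: str) -> bool:
    """True when the path is the configured drop location of the payload."""
    expected = normalize_path(INSTALL_DIR + "\\" + INSTALL_FILE)
    return normalize_path(path) == expected


def triage_events(events: Iterable[dict]) -> list:
    """Return one finding per event that matches a behaviour from the report."""
    findings = []
    for ev in events:
        if ev["type"] == "scriptblock":
            excl = find_defender_exclusions(ev["text"])
            if excl:
                detail = ", ".join(f"{k}={v}" for k, v in excl)
                findings.append(f"pid {ev['pid']}: Defender exclusions added: {detail}")
        elif ev["type"] == "registry":
            if RUN_KEY_RE.search(ev["key"]) and is_install_path(ev["value"]):
                findings.append(f"pid {ev['pid']}: Run key points at install file: {ev['key']}")
        elif ev["type"] == "network":
            if ev["dest_host"].lower() == C2_HOST and int(ev["dest_port"]) == C2_PORT:
                findings.append(f"pid {ev['pid']}: connection to configured C2 {C2_HOST}:{C2_PORT}")
    return findings


# Constructed events for illustration; the report does not include raw logs.
SAMPLE_EVENTS = [
    {"type": "scriptblock", "pid": 4120,
     "text": 'Add-MpPreference -ExclusionPath "C:\\ProgramData" '
             '-ExclusionProcess "DirectOutputService.exe" -ExclusionExtension ".exe"'},
    {"type": "scriptblock", "pid": 4120,
     "text": "Get-MpPreference | Select-Object ExclusionPath"},
    {"type": "registry", "pid": 4120,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\DirectOutputService",
     "value": r"C:\ProgramData\DirectOutputService.exe"},
    {"type": "registry", "pid": 4120,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"type": "network", "pid": 5208, "dest_host": "thetest.selfhost.co", "dest_port": 1339},
    {"type": "network", "pid": 5208, "dest_host": "www.msftconnecttest.com", "dest_port": 80},
]

if __name__ == "__main__":
    for finding in triage_events(SAMPLE_EVENTS):
        print(finding)
```

The Run key check deliberately keys on the configured drop path rather than on any Run key write, so ordinary autostart entries (the OneDrive record above) do not fire; widen is_install_path if a variant changes Install_directory. The exclusion parser splits comma-separated values because a single Add-MpPreference call can exclude several paths or extensions at once.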
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter: PowerShell (1)
- Scheduled Task/Job: Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job: Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job: Scheduled Task (1)