General

  • Target

    https://rewiewe-cheksdin.com/?__cf_chl_tk=0nE7XstTWtNOBCB9IQMqGid8fjmvUaoKVVXpiHS3BWY-1740668179-1.0.1.1-GnzoQ_xYIVs4SLz0xWsEytSBU4JtB_aR79Cj_4.FVW4

  • Sample

    250301-ej8awsyyfx

Malware Config

Extracted

Language
hta
Source
URLs
hta.dropper

https://x10mrn-point.cfd/58YFQMZ5RYqRrBWD.html

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://185.7.214.211/a.mp4

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://185.7.214.211/b.mp4

Extracted

Language
hta
Source
URLs
hta.dropper

https://x10mrn-point.cfd/aFl9hO96KP2qAaSr.html

Extracted

Family

xworm

Version

5.0

C2

185.7.214.211:4444

aes.plain

Extracted

Language
hta
Source
URLs
hta.dropper

https://x10mrn-point.cfd/ie10DeqG41t7HBKs.html

Targets

    • Target

      https://rewiewe-cheksdin.com/?__cf_chl_tk=0nE7XstTWtNOBCB9IQMqGid8fjmvUaoKVVXpiHS3BWY-1740668179-1.0.1.1-GnzoQ_xYIVs4SLz0xWsEytSBU4JtB_aR79Cj_4.FVW4

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15