Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
General
-
Target
XClient.exe
-
Size
77KB
-
Sample
250301-qlstrs1yg1
-
MD5
1fdd77cb12693ba80efbe8a5463b34b0
-
SHA1
a28daa287556525ef8d54f4244fac761b9be9dc3
-
SHA256
03075f33cfb3ba600a7312a2c6ed5a26dd2e2d210913f70a471f1a120e501891
-
SHA512
e635f719d5e4a3a394ef348e5324c4e407427f00354e0ba9bc7cd25a3e966ecbd045211141a2c3156d1caf4459fd813b772595e74df06426bc9fd884e7e0f7d1
-
SSDEEP
1536:G8XGqHq8FQcOUQKHMC6YhEE+b/dYMYHbaPT+OpsE6dKWOKeexI3Y:G822qMWKsvE+b/SMkbCZmKWOXlY
Malware Config
Extracted
xworm
cause-indexes.gl.at.ply.gg:17210
-
Install_directory
%AppData%
-
install_file
XClient.exe
Targets
-
-
Target
XClient.exe
-
Size
77KB
-
MD5
1fdd77cb12693ba80efbe8a5463b34b0
-
SHA1
a28daa287556525ef8d54f4244fac761b9be9dc3
-
SHA256
03075f33cfb3ba600a7312a2c6ed5a26dd2e2d210913f70a471f1a120e501891
-
SHA512
e635f719d5e4a3a394ef348e5324c4e407427f00354e0ba9bc7cd25a3e966ecbd045211141a2c3156d1caf4459fd813b772595e74df06426bc9fd884e7e0f7d1
-
SSDEEP
1536:G8XGqHq8FQcOUQKHMC6YhEE+b/dYMYHbaPT+OpsE6dKWOKeexI3Y:G822qMWKsvE+b/SMkbCZmKWOXlY
Score10/10-
Detect Xworm Payload
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Disables Task Manager via registry modification
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1