Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
General
-
Target
thisisarattest.exe
-
Size
60KB
-
Sample
250310-jfjwcaxvhw
-
MD5
2c6f4ffe691f274308bd5006910c1f56
-
SHA1
b9e73b268b3eb224d40970665d32e0738b07a2bb
-
SHA256
ff5b1ec5fb58008e41b2ebab7b5970fd0302e8ad99aee4936a43d2114eefd270
-
SHA512
0367acdba25317f1f647bf061b5b8a0b542b5cb2f211366e4d3af3dcbacc7f0a24ff3142bfe89b60dd0384620c978b52527b442af878684479f3548176848bdb
-
SSDEEP
1536:3jrs9Zwd1hp1SQcq8/WZZbB7HV6B2O+k9f2lE02:T2ZcSI8/WZZbB7zOZ9ult2
Malware Config
Extracted
xworm
116.251.133.7:27572
-
Install_directory
%ProgramData%
-
install_file
USB.exe
Targets
-
-
Target
thisisarattest.exe
-
Size
60KB
-
MD5
2c6f4ffe691f274308bd5006910c1f56
-
SHA1
b9e73b268b3eb224d40970665d32e0738b07a2bb
-
SHA256
ff5b1ec5fb58008e41b2ebab7b5970fd0302e8ad99aee4936a43d2114eefd270
-
SHA512
0367acdba25317f1f647bf061b5b8a0b542b5cb2f211366e4d3af3dcbacc7f0a24ff3142bfe89b60dd0384620c978b52527b442af878684479f3548176848bdb
-
SSDEEP
1536:3jrs9Zwd1hp1SQcq8/WZZbB7HV6B2O+k9f2lE02:T2ZcSI8/WZZbB7zOZ9ult2
Score10/10-
Detect Xworm Payload
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1