General

  • Target

    Nanocore.exe

  • Size

    1.5MB

  • Sample

    230324-2jy4jshg69

  • MD5

    18cc0a0c22f147a3e4bf9c55777b4f22

  • SHA1

    f0b3b4fd6287b463055ddd9fe75b528559feaef7

  • SHA256

    1c90851dce5ace39a0926588f0034e99d3bae32dea2578b68bdb1add7c9508e1

  • SHA512

    efc01522d816d7a770c4e7a379caf00b81a43f24db313dcc3cd1ec5c32117dce4b4ebba2f1db210abb6dc659e18b3a74045f584f413dd620e0e83a6dea45b47e

  • SSDEEP

    24576:yKWAN/6zZxEhXMV6ISdu+0TVc4SEltlYKwIPapqBwKYp9cHD2iYUdhwB/QqWJXpF:yhAN/6z3E9MV6ISdulTVcQ0IlYLcHD9v

Malware Config

Extracted

  • Family

    xworm

  • C2

    considered-arrest.at.ply.gg:19159

  • Attributes

    install_file: USB.exe

Targets

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                Technique                            Count  ID
  Execution             Scheduled Task                       1      T1053
  Persistence           Registry Run Keys / Startup Folder   1      T1060
  Persistence           Scheduled Task                       1      T1053
  Privilege Escalation  Scheduled Task                       1      T1053
  Defense Evasion       Modify Registry                      1      T1112
  Discovery             Query Registry                       4      T1012
  Discovery             System Information Discovery         4      T1082
