Resubmissions

23/09/2023, 06:20  230923-g3294afc74  6
22/09/2023, 09:24  230922-ldawrshb83  10
21/09/2023, 15:40  230921-s4gwbsha8z  4
19/09/2023, 16:03  230919-thpvgscc79  1
19/09/2023, 13:37  230919-qw5w3shc6s  10
19/09/2023, 13:25  230919-qn8yrsbc63  10
13/09/2023, 11:47  230913-nx8m9aeb62  4
12/09/2023, 19:11  230912-xv98qshf86  10
12/09/2023, 19:03  230912-xqr7cshf46  10
12/09/2023, 11:47  230912-nybd5sca41  1

General

  • Target

    https://google.com

  • Sample

    230909-nabp1aag21

Malware Config

Extracted

Family

xworm

C2

ready-somalia.at.ply.gg:27401

place-viewed.gl.at.ply.gg:34134

Attributes

  • install_file

    USB.exe

  • aes.plain

Targets

    • Target

      https://google.com

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Downloads MZ/PE file

    • Modifies Installed Components in the registry

    • .NET Reactor protector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Detected potential entity reuse from brand microsoft.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext
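
The extracted config and the signatures above translate directly into host and network detections. The following script is an added example, not code from the sandbox or from the XWorm family: it takes the C2 hosts and install_file from the "Malware Config" section, validates and normalises them into indicators (flagging the playit.gg tunnel domains as the "legitimate hosting services abused" case), and runs three checks over a handful of constructed Sysmon-style events (registry Run key set, DNS query, network connection). The event records, their field names, the install path, and the tunnel-domain suffix list are all assumptions made for the example and are not taken from the report.

```python
"""Turn the XWorm config from the report into indicators and run simple
detections over constructed Sysmon-style events (added example)."""
import ipaddress
import re
from collections import namedtuple

# Values copied from the report's "Malware Config" section.
EXTRACTED_CONFIG = {
    "family": "xworm",
    "c2": ["ready-somalia.at.ply.gg:27401", "place-viewed.gl.at.ply.gg:34134"],
    "install_file": "USB.exe",
}

# Tunnelling services commonly abused for C2. Assumption: a short illustrative
# suffix list, not a complete one.
TUNNEL_SUFFIXES = (".ply.gg", ".ngrok.io", ".ngrok-free.app", ".trycloudflare.com")

Indicator = namedtuple("Indicator", "host port tunnel_service")

HOSTNAME_RE = re.compile(r"(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}")
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(?:once)?\\", re.I)


def parse_c2(entries):
    """Split 'host:port' C2 strings into validated Indicator tuples.

    A mangled config field should raise rather than become a bogus
    block-list entry, so ports and hostnames are checked strictly.
    """
    out = []
    for entry in entries:
        host, sep, port = entry.rpartition(":")
        if not sep or not port.isdigit() or not 1 <= int(port) <= 65535:
            raise ValueError(f"bad C2 entry: {entry!r}")
        host = host.strip("[]").lower()
        try:
            ipaddress.ip_address(host)           # bare IPv4/IPv6 C2 is fine
        except ValueError:
            if not HOSTNAME_RE.fullmatch(host):  # otherwise must be a DNS name
                raise ValueError(f"bad C2 host: {host!r}")
        out.append(Indicator(host, int(port), host.endswith(TUNNEL_SUFFIXES)))
    return out


def detect(events, indicators):
    """Return (rule_name, event) pairs for events matching the config.

    Event IDs follow Sysmon (13 = registry value set, 22 = DNS query,
    3 = network connection); the field names are a simplified subset.
    """
    hosts = {i.host for i in indicators}
    endpoints = {(i.host, i.port) for i in indicators}
    install = EXTRACTED_CONFIG["install_file"].lower()
    hits = []
    for ev in events:
        eid = ev["EventID"]
        if (eid == 13 and RUN_KEY_RE.search(ev.get("TargetObject", ""))
                and install in ev.get("Details", "").lower()):
            hits.append(("xworm_run_key_persistence", ev))   # "Adds Run key"
        elif eid == 22 and ev.get("QueryName", "").lower() in hosts:
            hits.append(("xworm_c2_dns", ev))
        elif eid == 3 and (ev.get("DestinationHostname", "").lower(),
                           ev.get("DestinationPort")) in endpoints:
            hits.append(("xworm_c2_connection", ev))
    return hits


# Constructed sample events; the AppData install path is an assumption.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\victim\AppData\Roaming\USB.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\USB",
     "Details": r"C:\Users\victim\AppData\Roaming\USB.exe"},
    {"EventID": 22, "Image": r"C:\Users\victim\AppData\Roaming\USB.exe",
     "QueryName": "ready-somalia.at.ply.gg"},
    {"EventID": 3, "Image": r"C:\Users\victim\AppData\Roaming\USB.exe",
     "DestinationHostname": "ready-somalia.at.ply.gg", "DestinationPort": 27401},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationHostname": "www.google.com", "DestinationPort": 443},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
]

if __name__ == "__main__":
    inds = parse_c2(EXTRACTED_CONFIG["c2"])
    for i in inds:
        print(f"C2 {i.host}:{i.port} tunnel_service={i.tunnel_service}")
    for rule, ev in detect(SAMPLE_EVENTS, inds):
        print(rule, ev["Image"])
```

The Run key check deliberately requires the install_file name in the value data, not just a write under Run: legitimate software writes that key constantly, and the two benign events above (a browser connection and an OneDrive autostart) produce no hits. The tunnel_service flag is what a practitioner would act on for the ply.gg hosts: blocking the two hostnames is brittle because the subdomains are disposable, while the *.ply.gg suffix can be watched or blocked as a whole if the environment has no business use for it.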

MITRE ATT&CK Enterprise v15

Tasks