General

  • Target: cmt.exe
  • Size: 8KB
  • Sample: 231207-qa9cdaba97
  • MD5: dc0d40579447b035d980cf0b8cd7667c
  • SHA1: c907f983cb27d5caec6c941e0712afcc973487d0
  • SHA256: 36ed94fb9f8ef3f5cbf8494ff6400d0be353ae7c223ed209bd85d466d1ba1ff7
  • SHA512: ed37522b52b617877b5e5f7023a0138baf396c0b33393d6155dbb6bfa4b3347b737e5493cbde634fa1937d0094a7b9b543929e6f32b35331a8c6dc838f38d51b
  • SSDEEP: 96:5g48vbNEbfZlmg9fVFBHDqPkNR0bejUoKKeyDvYKx4YG4qyZQFq+zNt:5ghJufi6tXy20Kj2KeyDQKqYXqMQMY

Malware Config

Extracted

  • Family: xworm
  • Version: 5.0
  • C2: 5.182.87.154:7000
  • Mutex: zOHUDGi83XoNMjdZ
  • Attributes
      • Install_directory: %Temp%
      • install_file: MSruntime.exe

aes.plain

Targets

    • Target: cmt.exe

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks