Overview

overview

10

Static

static

10

Ro-exec/De...gs.vbs

windows10-2004-x64

1

Ro-exec/defcon.exe

windows10-2004-x64

7

Ro-exec/loader.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    nZUHcRav9ZMb38xbORpZwfcSyJYcoRNGQyALUnVr.zip

  • Size

    538KB

  • Sample

    240413-qkxfkadf98

  • MD5

    a98620d631027960f016e3e243340228

  • SHA1

    ec8a6cf0926d05ef4aeb71eac7fb5aedf68211f3

  • SHA256

    25065c211e05d389663fc109ba4a6a2d1b87eaf5de07a6fca4d7de1cfb3ae5a2

  • SHA512

    c513daac5c8a6e4c91989290502d511045e45b8a3a24284d2eb961468149629a68fa4b85770b96ab816e12a02c2d4ec7425fb48e8ce8664a66b0902785cacc88

  • SSDEEP

    12288:wogNRCQ0wbQDG8kjVy9KhxHu7G6h4AbKuZYWRi4VHhSR:QNRKVkMUTHu7puWRZVBSR

Score
10/10
xwormpersistencerattrojanupx

Malware Config

Extracted

Family

xworm

Attributes
  • Install_directory

    %AppData%

  • install_file

    NVIDIAFrameview.exe

  • pastebin_url

    https://pastebin.com/raw/UWpQULMP

Targets

    • Target

      Ro-exec/Defender_Settings.vbs

    • Size

      313B

    • MD5

      b0bf0a477bcca312021177572311e666

    • SHA1

      ea77332d7779938ae8e92ad35d6dea4f4be37a92

    • SHA256

      af42a17d428c8e9d6f4a6d3393ec268f4d12bbfd01a897d87275482a45c847e9

    • SHA512

      09366608f2670d2eb0e8ddcacd081a7b2d7b680c4cdd02494d08821dbdf17595b30e88f6ce0888591592e7caa422414a895846a268fd63e8243074972c9f52d8

    Score
    1/10
    behavioral1

    • Target

      Ro-exec/defcon.exe

    • Size

      447KB

    • MD5

      58008524a6473bdf86c1040a9a9e39c3

    • SHA1

      cb704d2e8df80fd3500a5b817966dc262d80ddb8

    • SHA256

      1ef6c1a4dfdc39b63bfe650ca81ab89510de6c0d3d7c608ac5be80033e559326

    • SHA512

      8cf492584303523bf6cdfeb6b1b779ee44471c91e759ce32fd4849547b6245d4ed86af5b38d1c6979729a77f312ba91c48207a332ae1589a6e25de67ffb96c31

    • SSDEEP

      6144:Vzv+kSn74iCmfianQGDM3OXTWRDy9GYQDUmJFXIXHrsUBnBTF8JJCYrYNsQJzfgu:Vzcn7EanlQiWtYhmJFSwUBLcQZfgiD

    Score
    7/10
    upx

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    behavioral2

    • Target

      Ro-exec/loader.exe

    • Size

      72KB

    • MD5

      5b7d9b25c07cfa6221c9814d1a0bff6d

    • SHA1

      ba045627fd22184b26af329361112eb23dc73c64

    • SHA256

      241b2b0a9a5007860f27507bfdeb5be3c427f42eaf00f49ef6d8b43ca99eb89d

    • SHA512

      1fc32109dd9ce6358dd8db8321875d0bd6beebc44ec0869ebbbfcdf600ed9391738f31045255ba190a6501519f4259c22188f145c58cafa86ab858b9e9f10114

    • SSDEEP

      1536:e7h6H0wE+uyryCxD+fen9bHl6gZnfsd6oz7OFPKZGNQ:e7W0X+uyzD+U9bHYR7OFCyQ

    Score
    10/10
    xwormpersistencerattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    behavioral3

MITRE ATT&CK Enterprise v15

Tasks