Overview

overview

10

Static

static

10

fe8b320087...11.exe

windows7-x64

10

fe8b320087...11.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    e46d80f1b4a81c1aaafdda010b0db0eca9c0957a1a3990671d583247d33371ff

  • Size

    16KB

  • Sample

    240419-t3527shc73

  • MD5

    c3820a85f18413b82d3f0fa5992d2d5b

  • SHA1

    f2c0d39519bc1c5396476b76d4e7b23f5476253f

  • SHA256

    e46d80f1b4a81c1aaafdda010b0db0eca9c0957a1a3990671d583247d33371ff

  • SHA512

    d1843399af8cf8e08d644eee8f7bd36ec9fe5449f234e619b9d1529c282bfaccaac3b4808f12f7b34d00b937b174c480a6e73af0331261f3848e40eceaeb3626

  • SSDEEP

    384:TX5o2P4X1U8FMePOr+VZGVubTEQ7gvEwGDJ/1jrTZu5:TX5nWXRAIUOTEDvEZhtx2

Score
10/10
xwormpersistencerattrojan

Malware Config

Extracted

Family

xworm

Version

3.1

C2

dzn.ddns.net:5552

Mutex

mT1l25650AkcpwGy

Attributes
  • Install_directory

    %Temp%

  • install_file

    USB.exe

aes.plain

Targets

    • Target

      fe8b320087553eaee75439ab0c4c523a67687c5cb70763bcf042bcfabb205f11.exe

    • Size

      34KB

    • MD5

      b1277c96cd2cabd50382318e95179713

    • SHA1

      5da077cec493cfee0d9ec1905d9882efa8a8d284

    • SHA256

      fe8b320087553eaee75439ab0c4c523a67687c5cb70763bcf042bcfabb205f11

    • SHA512

      4d28ed36ce3d3bbc6d96e4ed76e95604edd10a2eabf60001dcaf611269358e70bebe71a6d2ebfa2a747c3e2feac9e8f3c2f913b3fabdaab2b327c4f46bafd36e

    • SSDEEP

      768:/pabA1ZUxNkLACVVickNVFy19JR6aO/hnt:fn2Nk8hcAF49JR6aO/v

    Score
    10/10
    xwormpersistencerattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Adds Run key to start application

      persistence
    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1
T1053

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks