General

  • Target

    Empyrean-Executor.bat

  • Size

    291KB

  • Sample

    240420-bq4phacf85

  • MD5

    b3b18baa9f3a27779f41b4f2465b6f7b

  • SHA1

    612dff548e746bba28bd1f6f6c79d4eac5ffa683

  • SHA256

    dccb78d52b8751e88346a8d71073e0628ac6dcc9bd92bb43ff97add544c3c52f

  • SHA512

    01ad198e89e7ad462f5de3477e47bcc954df54d5b2a16782920c962b6aa9407601ab2d05950a2178c3cdcfb50807775a7cd50ab97b50ef396355b5181de72c64

  • SSDEEP

    6144:g2KLQmfX27kumsXOl9iVtkgo3k5U4gAaJTUT:gbLJz5sXw96kgoUW4gAiTi

Malware Config (extracted)

  • Family

    xworm

  • C2

    Secretly512-24905.portmap.host:24905

  • Attributes

    Install_directory: %LocalAppData%

    install_file: USB.exe

Targets

    • Target

      Empyrean-Executor.bat

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

MITRE ATT&CK Matrix (ATT&CK v13)

Each entry lists the technique, its ATT&CK ID and the count shown in the matrix.

Execution

  • Scheduled Task/Job: T1053 (1)

Persistence

  • Boot or Logon Autostart Execution: T1547 (1)

  • Registry Run Keys / Startup Folder: T1547.001 (1)

  • Scheduled Task/Job: T1053 (1)

Privilege Escalation

  • Boot or Logon Autostart Execution: T1547 (1)

  • Registry Run Keys / Startup Folder: T1547.001 (1)

  • Scheduled Task/Job: T1053 (1)

Defense Evasion

  • Modify Registry: T1112 (1)

Discovery

  • Query Registry: T1012 (2)

  • System Information Discovery: T1082 (2)