Overview

overview

10

Static

static

10

Ro-exec/De...gs.vbs

windows10-2004-x64

1

Ro-exec/defcon.exe

windows10-2004-x64

7

Ro-exec/lo...pd.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    LzFE9kDPVuOiAHeAkCumoRWhFzAt55DFiHAEX8Z8.zip

  • Size

    535KB

  • Sample

    240421-3m57pscf89

  • MD5

    11e7644c95387c1860ce7e936c749f74

  • SHA1

    a483dfec45aa156c31e5600b88ef043f23fbaaf1

  • SHA256

    8641f88b89c9076ece3ee571baa4b3c93ba3ac3883e90fe5f894dc41e3b7bdc7

  • SHA512

    d9ffbf735346887b7c4922fa6fb5a2c08d73cd8874cca3c36211b87138134ae718ecb16d593e7ca9aceb634ae7655cf61b2fd1d255be5f3b9f580aa072aef0f5

  • SSDEEP

    12288:vogNRCQ0wbQDG8kjVy9KhxHu7G6h4AbKuZYWRApRs3Of/K:NNRKVkMUTHu7puWRas+HK

Score
10/10
xwormpersistencerattrojanupx

Malware Config

Extracted

Family

xworm

Attributes
  • Install_directory

    %Public%

  • install_file

    svchost.exe

  • pastebin_url

    https://pastebin.com/raw/UWpQULMP

Targets

    • Target

      Ro-exec/Defender_Settings.vbs

    • Size

      313B

    • MD5

      b0bf0a477bcca312021177572311e666

    • SHA1

      ea77332d7779938ae8e92ad35d6dea4f4be37a92

    • SHA256

      af42a17d428c8e9d6f4a6d3393ec268f4d12bbfd01a897d87275482a45c847e9

    • SHA512

      09366608f2670d2eb0e8ddcacd081a7b2d7b680c4cdd02494d08821dbdf17595b30e88f6ce0888591592e7caa422414a895846a268fd63e8243074972c9f52d8

    Score
    1/10
    behavioral1

    • Target

      Ro-exec/defcon.exe

    • Size

      447KB

    • MD5

      58008524a6473bdf86c1040a9a9e39c3

    • SHA1

      cb704d2e8df80fd3500a5b817966dc262d80ddb8

    • SHA256

      1ef6c1a4dfdc39b63bfe650ca81ab89510de6c0d3d7c608ac5be80033e559326

    • SHA512

      8cf492584303523bf6cdfeb6b1b779ee44471c91e759ce32fd4849547b6245d4ed86af5b38d1c6979729a77f312ba91c48207a332ae1589a6e25de67ffb96c31

    • SSDEEP

      6144:Vzv+kSn74iCmfianQGDM3OXTWRDy9GYQDUmJFXIXHrsUBnBTF8JJCYrYNsQJzfgu:Vzcn7EanlQiWtYhmJFSwUBLcQZfgiD

    Score
    7/10
    upx

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    behavioral2

    • Target

      Ro-exec/loader-upd.exe

    • Size

      70KB

    • MD5

      573bd20fc8382d92a7ae9eae51e738e3

    • SHA1

      55006093429df791f27e91a66e5ee63a81382b28

    • SHA256

      09036ffa342f9e5bb1e31a867dcc3b60db011baba8c0d202aff1d33195cbe729

    • SHA512

      d38736acff4128d6ce9ea17ee609ca33a37ac88f2c994cf4caf7f0eb62406a8963c33531b9f3cd020974d892c2751f3a4f67ce13ed6ba6080f97c406ccbb4aca

    • SSDEEP

      1536:PmMfwrNATngx6fPLgD9vYebv2S5NiwWW6N9dOoihkAO:LCmn463UD6ebv242FzOoiSAO

    Score
    10/10
    xwormpersistencerattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    behavioral3

MITRE ATT&CK Enterprise v15

Tasks