General

  • Target

    123.exe

  • Size

    84KB

  • Sample

    240427-ks4xqafg6t

  • MD5

    7c62f15ff5d809dff951f790d82e2467

  • SHA1

    5b1bfa175e653fd1151ffb6507a278691cd866f7

  • SHA256

    feee64c070c62a05724bd2b337eaba9a08d30f8ab97ac07af2f356eb49ef4c91

  • SHA512

    8a97c5d371b7d5bd1e4ff5ba4a6b384fadebfeddf5021b8e0ef39a3999f275992c8bf9e8ec88cfe0670dd989d8f37328def2ea33a6c10f17493bb182539904ee

  • SSDEEP

    1536:OXfDXmRJaspkKzva5heXThX/LkPsj8YK/ia2o7nZ/USH4RTFNTx62/p:2DWLVFzRThvLDy/l/UPLTx3/p

Malware Config

Extracted

Family

xworm

C2

uk2.localto.net:40515

Attributes

  • Install_directory

    %AppData%

  • install_file

    Google.exe

Targets

    • Target

      123.exe

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

    • Sets desktop wallpaper using registry

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks