General

  • Target

    src.bat

  • Size

    10.9MB

  • Sample

    240504-efty4ace5z

  • MD5

    0f4fd1c1d7779042723279142a04cb7b

  • SHA1

    0c0ea12510e5347249289664342bf55700e014aa

  • SHA256

    26203b41aadf119e6271db5ca06ae8e29ab6c1853163dc048c85b4e943c7e680

  • SHA512

    e50e417c45d4fcdee499c813916e1e2e17ca63aa60e72b7bfe3726093aca365b97988998e42e0c647088f10d96aa64d065cda48aa6b9a8dfccc6721ab192b4f8

  • SSDEEP

    49152:gum6TKHyL3RIoahdQB8X1pixsrq6beKCVPFnYYgG6eqxAcQ6cHKhU85gpSLfI5uw:+A

Malware Config

Extracted

  • Family

    xworm

  • C2

    continue-silk.gl.at.ply.gg:58347
    127.0.0.1:58347

  • Attributes

    • Install_directory

      %AppData%

    • install_file

      steamwebhelper.exe

Targets

    • Target

      src.bat

    • Contains code to disable Windows Defender

      A .NET executable that disables Windows Defender capabilities such as real-time monitoring and block-at-first-sight.

    • Detect Xworm Payload

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix (ATT&CK v13)

Execution

  • Command and Scripting Interpreter (T1059): 2
  • PowerShell (T1059.001): 2
  • Scheduled Task/Job (T1053): 1

Persistence

  • Boot or Logon Autostart Execution (T1547): 1
  • Registry Run Keys / Startup Folder (T1547.001): 1
  • Scheduled Task/Job (T1053): 1

Privilege Escalation

  • Boot or Logon Autostart Execution (T1547): 1
  • Registry Run Keys / Startup Folder (T1547.001): 1
  • Scheduled Task/Job (T1053): 1

Defense Evasion

  • Modify Registry (T1112): 2

Discovery

  • Query Registry (T1012): 3
  • System Information Discovery (T1082): 3

Impact

  • Defacement (T1491): 1

Tasks