Resubmissions

  • 14-05-2024 11:22  240514-ngk71sdg28  10
  • 14-05-2024 11:22  240514-ngkw9add6y  10
  • 14-05-2024 11:22  240514-ngklgsdg27  10
  • 14-05-2024 11:22  240514-ngkaqadd6w  10
  • 14-05-2024 11:22  240514-ngjzysdd6v  10
  • 14-05-2024 11:22  240514-ngjn7add6t  10
  • 14-05-2024 11:22  240514-ngh3nadd6s  10
  • 14-05-2024 11:22  240514-ngh3nadg25  10
  • 14-05-2024 11:21  240514-nghrwsdd51  10
  • 14-05-2024 11:21  240514-ngg6csdd5z  10

General

  • Target

    kiddionsmodmenu.exe

  • Size

    386KB

  • Sample

    240514-ngh3nadg25

  • MD5

    88e737816cc5f3e3809152c5f9dad5be

  • SHA1

    56dedf42285c74795f714dbac7782a5d0e695a97

  • SHA256

    6d09d43c755d5081924748104ac487afadaf68add75d85feb2a256de032a5e2c

  • SHA512

    8d29b5606f91b953263738f03188a56a4c981a6213b53a830bd1e3975ff3d10274704df2dda957fa0b73cd8841947d6e850c6046338b8ebe9666ca895ce0eebd

  • SSDEEP

    12288:hFPdfNMz0ECh63X3u+DnSmMk1B+8kxkpTD:hddFMz0EH3X39DnL3PHkxgn

Malware Config

Extracted

Family

xworm

Version

5.0

C2

94.156.8.167:2020

Mutex

8sPZSP21r8KwS1LM

Attributes
  • install_file

    USB.exe

aes.plain

Targets

    • Target

      kiddionsmodmenu.exe

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.
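The extracted config (C2, mutex, install_file) and the two behavioural signatures above translate directly into host detection logic. The Python below is an added example, not Tria.ge's or Xworm's code: it matches a handful of constructed, Sysmon-shaped events against the indicators on this page. The event field names, the sample log lines, the PowerShell command lines and the registry path assumed for the location check (Control Panel\International\Geo\Nation) are all assumptions, not data from the report.

```python
"""Match constructed endpoint events against the Xworm indicators on this page.

Added example, not sandbox or Xworm code. The C2, mutex and install_file
values are the ones from the extracted config; the event format, the sample
events, and the registry path used for the location check are assumptions.
"""
import ntpath
from typing import Iterable

# Indicators taken from the extracted malware config.
C2_HOST, C2_PORT = "94.156.8.167", 2020
MUTEX = "8sPZSP21r8KwS1LM"
INSTALL_FILE = "USB.exe"

# Assumption: the "Checks computer location settings" signature corresponds to a
# read of the per-user GeoID nation value; the page does not name the key.
GEO_NATION_SUFFIX = r"\control panel\international\geo\nation"

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}


def _prefixes(word: str) -> set:
    return {word[:i] for i in range(1, len(word) + 1)}


# powershell.exe accepts any unambiguous prefix of a switch name and of the
# -WindowStyle value, so "-w h" is equivalent to "-WindowStyle Hidden".
WINDOWSTYLE_FORMS = _prefixes("windowstyle")
HIDDEN_FORMS = _prefixes("hidden")


def powershell_hidden_window(cmdline: str) -> bool:
    """True if the command line asks for a hidden window in any accepted spelling."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok[:1] in ("-", "/") and tok[1:].lower() in WINDOWSTYLE_FORMS:
            if tokens[i + 1].strip("\"'").lower() in HIDDEN_FORMS:
                return True
    return False


def match_event(ev: dict) -> list:
    """Return the indicator labels a single event hits (possibly none)."""
    hits = []
    kind = ev.get("type")
    if kind == "NetworkConnect":
        if ev.get("dst_ip") == C2_HOST and int(ev.get("dst_port", 0)) == C2_PORT:
            hits.append("xworm_c2")
    elif kind == "Mutex" and ev.get("name") == MUTEX:
        hits.append("xworm_mutex")
    elif kind == "FileCreate":
        if ntpath.basename(ev.get("path", "")).lower() == INSTALL_FILE.lower():
            hits.append("xworm_install_file")
    elif kind == "ProcessCreate":
        image = ntpath.basename(ev.get("image", "")).lower()
        if image in POWERSHELL_IMAGES and powershell_hidden_window(ev.get("cmdline", "")):
            hits.append("powershell_hidden_window")
    elif kind == "RegistryRead":
        if ev.get("key", "").lower().endswith(GEO_NATION_SUFFIX):
            hits.append("geo_lookup")
    return hits


def triage(events: Iterable[dict]) -> dict:
    """Group hits by originating process image: {image: sorted list of labels}."""
    by_proc = {}
    for ev in events:
        for label in match_event(ev):
            by_proc.setdefault(ev.get("image", "?"), set()).add(label)
    return {image: sorted(labels) for image, labels in by_proc.items()}


# Constructed sample events (not from the sandbox run), including benign noise.
DROPPER = r"C:\Users\victim\Downloads\kiddionsmodmenu.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"type": "Mutex", "image": DROPPER, "name": "8sPZSP21r8KwS1LM"},
    {"type": "FileCreate", "image": DROPPER, "path": r"C:\Users\victim\AppData\Roaming\USB.exe"},
    {"type": "RegistryRead", "image": DROPPER,
     "key": r"HKEY_CURRENT_USER\Control Panel\International\Geo\Nation"},
    {"type": "ProcessCreate", "image": PS,
     "cmdline": 'powershell.exe -w hidden -nop -c "Start-Sleep -s 1"'},
    {"type": "NetworkConnect", "image": r"C:\Users\victim\AppData\Roaming\USB.exe",
     "dst_ip": "94.156.8.167", "dst_port": 2020},
    # Benign: a visible admin session and an unrelated connection to the same host.
    {"type": "ProcessCreate", "image": PS,
     "cmdline": "powershell.exe -NoProfile -File C:\\scripts\\backup.ps1"},
    {"type": "NetworkConnect", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dst_ip": "94.156.8.167", "dst_port": 443},
]

if __name__ == "__main__":
    for image, labels in triage(SAMPLE_EVENTS).items():
        print(f"{image}: {', '.join(labels)}")
```

The mutex and the install file name are tied to this build's configuration and are the strongest of the three config-derived indicators; the C2 match is deliberately qualified by port because a bare IP hit is weak evidence once the host is reassigned or shared. The hidden-window check walks the command line token by token rather than searching for the literal string "-WindowStyle Hidden", since powershell.exe accepts abbreviated switches and abbreviated values.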

MITRE ATT&CK Enterprise v15

Tasks