General

  • Target

    Lucid.rar

  • Size

    8.3MB

  • Sample

    240522-pelanshf76

  • MD5

    bf1b390ccfdf48e3cf509bf6b7639e30

  • SHA1

    8853f17931d1da5063ec724ff7bb862ce8b4db9b

  • SHA256

    8465778370dda01dab075cb6e9a110106c41a95263ff6e44263a0acfd357753e

  • SHA512

    2ebdb9c4d5613958aea53b308ca9b8363b6983f34c5e741632c13790428158cdd2bb742eae4aaa33ca900c21e8c60cdecc380551b11d2cf3416d0effbefe8867

  • SSDEEP

    196608:pT/UL4o5UP179J9mAk81m/teh5Y68K/4400cry9tkhK+Rv:Fro87H1k8A/tI5Ylk4CWykHv

Malware Config

Extracted

  • Family

    xworm

  • C2

    45.83.246.140:30120

  • Attributes

    • Install_directory

      %AppData%

    • install_file

      runtime.exe

Targets

    • Target

      Lucid.exe

    • Size

      8.4MB

    • MD5

      ac6657f44801b542f717e18665145e5b

    • SHA1

      efbf677cfce4054813fb3004e42e524dbdfa4501

    • SHA256

      e462d3688c61db7516a7ada8fb4a990b77cfdd33f2df7e84005042dfdf74c544

    • SHA512

      3ec5ab2455e249834d2d83b29d14d9105d7dc2fcb93ab84dc0c174317a40eb4adeaa438836579fc0befb1d5605f3aec84e43cf4c91ddf020808aa7e164c4ed3b

    • SSDEEP

      196608:RHUsHahjutr1zWC+vfOccaK3doVo8UdY5:S0a+JgvfFcrEmi5

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      key.exe

    • Size

      69KB

    • MD5

      a230d428e97911ce6959e1463d781257

    • SHA1

      0946c13059bf98fd3aacefd0b2681a42b95292cd

    • SHA256

      c8e088feb7de05c3852af588c1a440f61d06870a93b07a3c6b7e2c12c9d55b12

    • SHA512

      089f7f6e979729ba037a19510be160d1c407c712fa01614815ce2427ff6c8fe7fa80a2cb673a36611dc37734aba63f7c87832c3848ac9ce011343c0e15b7aa68

    • SSDEEP

      1536:KWEyI4XFyV0UUIRiZAkupj9bIu9uLhQSOIcoFqXgG:KWnIiyVxRiij9bIYYhdOBuqXz

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Drops startup file

    • Adds Run key to start application

MITRE ATT&CK Matrix (ATT&CK v13)

  • Persistence

    Boot or Logon Autostart Execution, T1547 (2)

      Registry Run Keys / Startup Folder, T1547.001 (2)

  • Privilege Escalation

    Boot or Logon Autostart Execution, T1547 (2)

      Registry Run Keys / Startup Folder, T1547.001 (2)

  • Defense Evasion

    Modify Registry, T1112 (2)

  • Discovery

    System Information Discovery, T1082 (2)