Overview

overview

10

Static

static

3

combined.exe

windows10-1703-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    combined.exe

  • Size

    11.4MB

  • Sample

    240522-w19zgsbh88

  • MD5

    aaa99d2d8a50c6da60aeb620fb3aa340

  • SHA1

    c734c86f06640c029b6a0521ac59981ac2ad3c9b

  • SHA256

    759b9d9aa2deef42f8278715a6ed61a5e3e221681615332c2aa49c4ff8911e3d

  • SHA512

    d2be54052366f209f2dd7f38177585e0c98497d4fec77e0d58722cae57a573f265621fcdc8afb56941d377c61e956acccd6a1368a8b4f9d2c253722d05c2e337

  • SSDEEP

    196608:HojZ9Dxm6UDwH/IxTWxQBxv5gK8NmjeR+SHLsl+W5djQD4x0:Hork6UDwgYx8V53Rc+SHYlPdjL

Score
10/10
xwormevasionexecutionpersistencerattrojanupx

Malware Config

Extracted

Family

xworm

C2

engine-romania.gl.at.ply.gg:37581

Attributes
  • Install_directory

    %AppData%

  • install_file

    discord.exe

Targets

    • Target

      combined.exe

    • Size

      11.4MB

    • MD5

      aaa99d2d8a50c6da60aeb620fb3aa340

    • SHA1

      c734c86f06640c029b6a0521ac59981ac2ad3c9b

    • SHA256

      759b9d9aa2deef42f8278715a6ed61a5e3e221681615332c2aa49c4ff8911e3d

    • SHA512

      d2be54052366f209f2dd7f38177585e0c98497d4fec77e0d58722cae57a573f265621fcdc8afb56941d377c61e956acccd6a1368a8b4f9d2c253722d05c2e337

    • SSDEEP

      196608:HojZ9Dxm6UDwH/IxTWxQBxv5gK8NmjeR+SHLsl+W5djQD4x0:Hork6UDwgYx8V53Rc+SHYlPdjL

    Score
    10/10
    xwormevasionexecutionpersistencerattrojanupx

    • Deletes Windows Defender Definitions

      Uses mpcmdrun utility to delete all AV definitions.

      evasion

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Creates new service(s)

      persistenceexecution

    • Stops running service(s)

      evasionexecution

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

System Services

2
T1569

Service Execution

2
T1569.002

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Scheduled Task/Job

1
T1053

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Scheduled Task/Job

1
T1053

Defense Evasion

Impair Defenses

2
T1562

Modify Registry

1
T1112

Credential Access

Discovery

Process Discovery

1
T1057

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1
T1489

Tasks