General

  • Target

    combined.exe

  • Size

    11.4MB

  • Sample

    240522-w19zgsbh88

  • MD5

    aaa99d2d8a50c6da60aeb620fb3aa340

  • SHA1

    c734c86f06640c029b6a0521ac59981ac2ad3c9b

  • SHA256

    759b9d9aa2deef42f8278715a6ed61a5e3e221681615332c2aa49c4ff8911e3d

  • SHA512

    d2be54052366f209f2dd7f38177585e0c98497d4fec77e0d58722cae57a573f265621fcdc8afb56941d377c61e956acccd6a1368a8b4f9d2c253722d05c2e337

  • SSDEEP

    196608:HojZ9Dxm6UDwH/IxTWxQBxv5gK8NmjeR+SHLsl+W5djQD4x0:Hork6UDwgYx8V53Rc+SHYlPdjL

Malware Config

Extracted

Family

xworm

C2

engine-romania.gl.at.ply.gg:37581

Attributes
  • Install_directory

    %AppData%

  • install_file

    discord.exe

Targets

    • Target

      combined.exe

    • Size

      11.4MB

    • MD5

      aaa99d2d8a50c6da60aeb620fb3aa340

    • SHA1

      c734c86f06640c029b6a0521ac59981ac2ad3c9b

    • SHA256

      759b9d9aa2deef42f8278715a6ed61a5e3e221681615332c2aa49c4ff8911e3d

    • SHA512

      d2be54052366f209f2dd7f38177585e0c98497d4fec77e0d58722cae57a573f265621fcdc8afb56941d377c61e956acccd6a1368a8b4f9d2c253722d05c2e337

    • SSDEEP

      196608:HojZ9Dxm6UDwH/IxTWxQBxv5gK8NmjeR+SHLsl+W5djQD4x0:Hork6UDwgYx8V53Rc+SHYlPdjL

    • Deletes Windows Defender Definitions

      Uses mpcmdrun utility to delete all AV definitions.

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Creates new service(s)

    • Stops running service(s)

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Execution

Command and Scripting Interpreter

2
T1059

PowerShell

1
T1059.001

System Services

2
T1569

Service Execution

2
T1569.002

Scheduled Task/Job

1
T1053

Persistence

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Privilege Escalation

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Defense Evasion

Impair Defenses

2
T1562

Modify Registry

1
T1112

Discovery

System Information Discovery

1
T1082

Process Discovery

1
T1057

Query Registry

1
T1012

Impact

Service Stop

1
T1489

Tasks