General

  • Target: 5b361316509f8f3194eb12dd8b741c6c.bin
  • Size: 148KB
  • Sample: 240608-dk7kbagh85
  • MD5: 7f9640181a0a7aff826c4e393bec51ed
  • SHA1: a11b48041c089599e4d3484ad61329e7944ab252
  • SHA256: fa6ee332c304a2000f90cef0468ff5181517ceeecdbd051c79e4e81647894068
  • SHA512: 06fb770a18f1c9cc286d3d9bc7812e326f2e06153d64a07aef1cd6da21fbfb3ea2f6bf1c012f0c4076d04eb5d3e4b6dd487f9800fa198b61fa96d85113c8052a
  • SSDEEP: 3072:Deit7HoQkQ195qp65P4SdX437f8P5zkHr+PpvdGkUY9GFJhOCvRLATl:Deit7HoQj/op65gl37f6+L+PdSFJhvel

Malware Config

Targets

    • Target: 2c94d9e87ad5c843048c4a09c3733b1d0326f3b5ce6a40e7b964f45034011dd4.exe
    • Size: 258KB
    • MD5: 5b361316509f8f3194eb12dd8b741c6c
    • SHA1: e98492f076095a6f323e80277ad55bc0639406aa
    • SHA256: 2c94d9e87ad5c843048c4a09c3733b1d0326f3b5ce6a40e7b964f45034011dd4
    • SHA512: 8b22c6147703bc05f3405db877061d64642a3353661c7893482e9c8c897453e1edde3a39abdcda18ed50c296a520efb1430a2a0a7c1d119de363d72bb360abd0
    • SSDEEP: 3072:OYuJYDyLDXFZ2e5B5E5YojWww/wJobAsQcQbEHBAnpK37nXT8u0C/Q7Lue74tyoO:OwDyLDXFZ95L7oLw/wo/8IiaQ7bg8

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v13

  • Execution
      Command and Scripting Interpreter, T1059 (1)
      PowerShell, T1059.001 (1)

  • Discovery
      Query Registry, T1012 (2)
      System Information Discovery, T1082 (2)

  • Command and Control
      Web Service, T1102 (1)

Tasks