General

  • Target

    Prism Release.rar

  • Size

    5.0MB

  • Sample

    240614-16dwfssapp

  • MD5

    cf4175a87968d52a248920d0e535f99f

  • SHA1

    d8643a03396a68b649bf91190f9abdaa4b0d8299

  • SHA256

    44620d19260c789de580e65e07e1464a4abbbeccf1ddda2256b6b1a4ab6a82d1

  • SHA512

    b5dc7093ae8eba11974965b901bdbe5fd059c308fb6f8d1649ec2929f3d909d8492862055e55a019c38b08600a99d85377c73581052f5f5a02f626d9a86f37bd

  • SSDEEP

    98304:/cw4O8ABxHjBgsopAPUnV9BCJVI2ne5fKOksq5wE2UqgKS:UG8sxVgsUAsnVvye5yOGRF

Malware Config

Extracted

Family

xworm

C2

91.92.241.69:5555

Attributes

  • Install_directory

    %ProgramData%

  • install_file

    Windows Runtime.exe

Targets

    • Target

      Prism Release/ByfronHook.dll

    • Size

      21KB

    • MD5

      4e3e92823caeac1203beaa5a35d6dafc

    • SHA1

      893b591d46c39e817052cd05ec969fea74da4233

    • SHA256

      3811858da4b1f5e7f40d1237d7189ddca3989fa0d7b07e87c538f92975b893d2

    • SHA512

      0490e800f1e5c9b38b6c9b56616290f3a7214179e6d993214e3dd742d44d1d669fe5073b5a121c588c05f3e7c0ec576798236ee94e1a9b37e1d980d1969c9d33

    • SSDEEP

      384:pPLl4JbDL8XQZW8LN/4pvuBUyHVz0Ad29DtSLKZR2CF/9+8ADu/TyZdEPLe:pPh4yQZW8LNuAUyJl29DtSLKZR2m9+8m

    Score
    1/10
    • Target

      Prism Release/Prism Release V1.6.exe

    • Size

      5.1MB

    • MD5

      29056c6bb64b495974bfff8fdfd126dd

    • SHA1

      0e6e6cb010b35fc8e48b5b3664b85beb07c06e34

    • SHA256

      cee9d4132e0c5f98b5d84099c9f4a080b35e436174be8e5a59df1e8c7cae8fbd

    • SHA512

      c5afea872ba62ed246a54f71b351791109d294752f7c69eb58b867fce696b9c4ecd9f9481f28677dc6c2ea68ea2cacbb302ef8183aaa91dd2fee05a7d70b602a

    • SSDEEP

      98304:Dg4vUzghgparV16jIdGpD9Ii62SYRieom2/QzJgfODDm/RM:c4vFSApojIdGphd62aXizfDe

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • XMRig Miner payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Creates new service(s)

    • Stops running service(s)

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified UPX.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      Prism Release/assets.dll

    • Size

      171KB

    • MD5

      bcc0b07de0a24f9701fc97d154ecd660

    • SHA1

      cb5ba3b790cee940b4d18ff78e5a6cd71bdad47d

    • SHA256

      672cb16128dea50e21fd2d98889e2d6a2264b654304a3f4248ebdf4c546f734a

    • SHA512

      18959767986401bc877d30416e550c55e97c158f674b8f76dc9af117494e65e11d6000521f72be93c193ebd38f84d1b9578386c24911fda97507277f06ebd8e4

    • SSDEEP

      3072:rN505WN505WN505WN505WN505WN505WN505WN505WN505m:rNJNJNJNJNJNJNJNJNB

    Score
    1/10
    • Target

      Prism Release/bin/autoattach.dll

    • Size

      21KB

    • MD5

      4e3e92823caeac1203beaa5a35d6dafc

    • SHA1

      893b591d46c39e817052cd05ec969fea74da4233

    • SHA256

      3811858da4b1f5e7f40d1237d7189ddca3989fa0d7b07e87c538f92975b893d2

    • SHA512

      0490e800f1e5c9b38b6c9b56616290f3a7214179e6d993214e3dd742d44d1d669fe5073b5a121c588c05f3e7c0ec576798236ee94e1a9b37e1d980d1969c9d33

    • SSDEEP

      384:pPLl4JbDL8XQZW8LN/4pvuBUyHVz0Ad29DtSLKZR2CF/9+8ADu/TyZdEPLe:pPh4yQZW8LNuAUyJl29DtSLKZR2m9+8m

    Score
    1/10

MITRE ATT&CK Matrix (ATT&CK v13)

Each technique is listed as ID, name, and the number of matched signatures in parentheses.

Execution

  • T1059 Command and Scripting Interpreter (1)
      T1059.001 PowerShell (1)
  • T1569 System Services (2)
      T1569.002 Service Execution (2)
  • T1053 Scheduled Task/Job (1)

Persistence

  • T1543 Create or Modify System Process (2)
      T1543.003 Windows Service (2)
  • T1547 Boot or Logon Autostart Execution (1)
      T1547.001 Registry Run Keys / Startup Folder (1)
  • T1053 Scheduled Task/Job (1)

Privilege Escalation

  • T1543 Create or Modify System Process (2)
      T1543.003 Windows Service (2)
  • T1547 Boot or Logon Autostart Execution (1)
      T1547.001 Registry Run Keys / Startup Folder (1)
  • T1053 Scheduled Task/Job (1)

Defense Evasion

  • T1562 Impair Defenses (1)
  • T1112 Modify Registry (1)

Discovery

  • T1082 System Information Discovery (1)
  • T1012 Query Registry (1)

Impact

  • T1489 Service Stop (1)