General

  • Target: Prism Release.rar
  • Size: 5.0MB
  • Sample: 240615-etxbdaseml
  • MD5: 2457eb120e8fbef34c97cef775362cc9
  • SHA1: 547d2a58c06febe45ba1f0deabdf68b759f40029
  • SHA256: 1f4fbb86e1e513b8bed2fa7a011d094e9f4dbb213e7ae8c34693c6f5343442c3
  • SHA512: e9e4ac28364ccb457000f9863ac3b8616b75bed9b52e815d90d6fceff6305c823df06548263555d81758af5f6fc5d3cfde2fed64e3c774075abf2801a181a4fb
  • SSDEEP: 98304:ehIWTfpVs6CcFSLDyaWHWbv93eBBTWWXBmxvWryhangOJnTo5Q9i:ehIWTh26Cc4LGQ7mrBGWSaLZTkQ9i

Malware Config

Extracted

  • Family: xworm
  • C2: 91.92.241.69:5555

Attributes

  • Install_directory: %ProgramData%
  • install_file: Windows Runtime.exe

Targets

    • Target: Prism Release.rar
    • Size: 5.0MB
    • MD5: 2457eb120e8fbef34c97cef775362cc9
    • SHA1: 547d2a58c06febe45ba1f0deabdf68b759f40029
    • SHA256: 1f4fbb86e1e513b8bed2fa7a011d094e9f4dbb213e7ae8c34693c6f5343442c3
    • SHA512: e9e4ac28364ccb457000f9863ac3b8616b75bed9b52e815d90d6fceff6305c823df06548263555d81758af5f6fc5d3cfde2fed64e3c774075abf2801a181a4fb
    • SSDEEP: 98304:ehIWTfpVs6CcFSLDyaWHWbv93eBBTWWXBmxvWryhangOJnTo5Q9i:ehIWTh26Cc4LGQ7mrBGWSaLZTkQ9i
    • Score: 3/10

    • Target: Prism Release/ByfronHook.dll
    • Size: 21KB
    • MD5: 4e3e92823caeac1203beaa5a35d6dafc
    • SHA1: 893b591d46c39e817052cd05ec969fea74da4233
    • SHA256: 3811858da4b1f5e7f40d1237d7189ddca3989fa0d7b07e87c538f92975b893d2
    • SHA512: 0490e800f1e5c9b38b6c9b56616290f3a7214179e6d993214e3dd742d44d1d669fe5073b5a121c588c05f3e7c0ec576798236ee94e1a9b37e1d980d1969c9d33
    • SSDEEP: 384:pPLl4JbDL8XQZW8LN/4pvuBUyHVz0Ad29DtSLKZR2CF/9+8ADu/TyZdEPLe:pPh4yQZW8LNuAUyJl29DtSLKZR2m9+8m
    • Score: 1/10

    • Target: Prism Release/Prism Release V1.5.exe
    • Size: 5.1MB
    • MD5: ac80f970a7ae1c07663abdd11d752d34
    • SHA1: 5ee4c0de86dc91aebb47f3ea6b7e624e861fdfad
    • SHA256: b61ca7c42fef43547c7892c76a925ec4a846373bfcde20426c913a4390f71001
    • SHA512: 7bd6150976477bec27532e7d7449e8a1ee6997b41359f3b31e2da8db0602f1ac0dfae171d8ebe00a0e18c2c77c7f9e4ed18352f7d8cf76c1cff855166ed6f94b
    • SSDEEP: 98304:crjAG8empOd+SyaREAaOeaD5lWsjvi+ffzwZZHUzItLqbn82rh:3ppcNJQkjvi+ffzwZZJiR1
    • Detect Xworm Payload
    • Xworm
      Xworm is a remote access trojan written in C#.
    • Command and Scripting Interpreter: PowerShell
      Uses the powershell.exe command.
    • Command and Scripting Interpreter: PowerShell
      Runs PowerShell with the display window hidden.
    • Checks computer location settings
      Looks up the country code configured in the registry, likely a geofence check.
    • Drops startup file
    • Executes dropped EXE
    • Loads dropped DLL
    • Reads user/profile data of web browsers
      Infostealers often target stored browser data, which can include saved credentials.
    • Accesses cryptocurrency files/wallets, possible credential harvesting
    • Adds Run key to start application
    • Looks up external IP address via web service
      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target: Prism Release/assets.dll
    • Size: 171KB
    • MD5: bcc0b07de0a24f9701fc97d154ecd660
    • SHA1: cb5ba3b790cee940b4d18ff78e5a6cd71bdad47d
    • SHA256: 672cb16128dea50e21fd2d98889e2d6a2264b654304a3f4248ebdf4c546f734a
    • SHA512: 18959767986401bc877d30416e550c55e97c158f674b8f76dc9af117494e65e11d6000521f72be93c193ebd38f84d1b9578386c24911fda97507277f06ebd8e4
    • SSDEEP: 3072:rN505WN505WN505WN505WN505WN505WN505WN505WN505m:rNJNJNJNJNJNJNJNJNB
    • Score: 1/10

    • Target: Prism Release/bin/autoattach.dll
    • Size: 171KB
    • MD5: bcc0b07de0a24f9701fc97d154ecd660
    • SHA1: cb5ba3b790cee940b4d18ff78e5a6cd71bdad47d
    • SHA256: 672cb16128dea50e21fd2d98889e2d6a2264b654304a3f4248ebdf4c546f734a
    • SHA512: 18959767986401bc877d30416e550c55e97c158f674b8f76dc9af117494e65e11d6000521f72be93c193ebd38f84d1b9578386c24911fda97507277f06ebd8e4
    • SSDEEP: 3072:rN505WN505WN505WN505WN505WN505WN505WN505WN505m:rNJNJNJNJNJNJNJNJNB
    • Score: 1/10

    • Target: Prism Release/instructions.txt
    • Size: 350B
    • MD5: 8a23bcac9550c179f65025e505b4ea64
    • SHA1: d76ad057e81245e93a8934562b7b774643115893
    • SHA256: 1795b27a75858a67a0c93bce21b77d6fd89213079ce4bb8aa09b1cca99be5619
    • SHA512: 1708a67ed3fe59ad052dcb787979be15e91be283a6cd43c289924b2b83b55ade7a92a8e82649cf8ca89d229d66cd21c69b9cf353413df1b967a9cd443239e2bf
    • Score: 1/10

    • Target: Prism Release/license.txt
    • Size: 6KB
    • MD5: 0b09566254b011d989decf0e23a902eb
    • SHA1: 3ae5cd6be73daf418b8deee9c865cf78225838c9
    • SHA256: a19d58aaab15c4d0019e569d1c073d1b5286fdd37dbeee7a58a7d1ae76045ae1
    • SHA512: 4e22e58f925879306261e5993039e1d84d87f8fecc0f9fdad534da55b6fd22be77e622a4077d8d521f7734e5535f66853d581155987e2f3607e2d386938c218b
    • SSDEEP: 192:uEwjuKsgA4+XYdXjA+okS63vZBCSUziJm:eNs8+QRVxBRU1
    • Score: 1/10

    • Target: Prism Release/workspace/Saved Scripts.txt
    • Size: 26B
    • MD5: 9aab6209b47a96431718754d4bac5bea
    • SHA1: 671ae2fdf7f41befc2b7fb53a3902cd2d2f35b7f
    • SHA256: d2d792f0d9bdb064f665174877454ea83f32aa0a571d223c062fb2107352481b
    • SHA512: 860afec17d9e2c88df27042ad0b027c9021ce08b737d7cae39585d3398fd6ee551f81fe0f145aed90a30bec15a07d1e0731cce9c5b5db7141a6cedd42a3a1bd1
    • Score: 1/10

MITRE ATT&CK Matrix (ATT&CK v13)

  • Execution
    • Command and Scripting Interpreter (T1059): 2
    • PowerShell (T1059.001): 2
    • Scheduled Task/Job (T1053): 1
  • Persistence
    • Boot or Logon Autostart Execution (T1547): 1
    • Registry Run Keys / Startup Folder (T1547.001): 1
    • Scheduled Task/Job (T1053): 1
  • Privilege Escalation
    • Boot or Logon Autostart Execution (T1547): 1
    • Registry Run Keys / Startup Folder (T1547.001): 1
    • Scheduled Task/Job (T1053): 1
  • Defense Evasion
    • Modify Registry (T1112): 1
  • Credential Access
    • Unsecured Credentials (T1552): 2
    • Credentials In Files (T1552.001): 2
  • Discovery
    • System Information Discovery (T1082): 4
    • Query Registry (T1012): 3
  • Collection
    • Data from Local System (T1005): 2
