Resubmissions

25-06-2024 13:03

240625-qata6avanq 10

25-06-2024 13:01

240625-p87e1athqp 10

25-06-2024 12:57

240625-p7d23atgqn 10

25-06-2024 12:54

240625-p5krtstfrk 10

25-06-2024 12:45

240625-py935szhpd 10

25-06-2024 12:32

240625-pq3n4ashnk 10

General

  • Target

    Nursultan NextGen Crack.exe

  • Size

    213KB

  • Sample

    240625-py935szhpd

  • MD5

    c249d5324c19769443136eca7c0f5551

  • SHA1

    0bf9b432f1308db8194ed60e0befb91b7e3cddb0

  • SHA256

    e766bc3bd8513eadc0d54e511049f1d35bc5c503aeef6cd38aa500d39d66da11

  • SHA512

    5a6d602aef885c1c601a20ea1f76f7becc6f85e81480130ea85b4298f447253192b70b2490d80ab9f045b776433896648e038f7da8e10c4e81ad6ac048c726fd

  • SSDEEP

    3072:W3uCMUS/OWETIyWNGc2AQPyI0JKeZHPDrf5vzm9jceuCQ2nEt:W3utUZfWp2JUKe1PR72m

Malware Config

Extracted

Family

xworm

C2

seems-poet.gl.at.ply.gg:30996

Attributes
  • Install_directory

    %Userprofile%

  • install_file

    ratka.exe

Targets

    • Target

      Nursultan NextGen Crack.exe

    • Size

      213KB

    • MD5

      c249d5324c19769443136eca7c0f5551

    • SHA1

      0bf9b432f1308db8194ed60e0befb91b7e3cddb0

    • SHA256

      e766bc3bd8513eadc0d54e511049f1d35bc5c503aeef6cd38aa500d39d66da11

    • SHA512

      5a6d602aef885c1c601a20ea1f76f7becc6f85e81480130ea85b4298f447253192b70b2490d80ab9f045b776433896648e038f7da8e10c4e81ad6ac048c726fd

    • SSDEEP

      3072:W3uCMUS/OWETIyWNGc2AQPyI0JKeZHPDrf5vzm9jceuCQ2nEt:W3utUZfWp2JUKe1PR72m

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Downloads MZ/PE file

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v13

Execution

Command and Scripting Interpreter

2
T1059

PowerShell

1
T1059.001

JavaScript

1
T1059.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Active Setup

1
T1547.014

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

2
T1546

Netsh Helper DLL

1
T1546.007

Accessibility Features

1
T1546.008

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Active Setup

1
T1547.014

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

2
T1546

Netsh Helper DLL

1
T1546.007

Accessibility Features

1
T1546.008

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Modify Registry

3
T1112

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Discovery

Query Registry

7
T1012

System Information Discovery

6
T1082

Peripheral Device Discovery

2
T1120

Tasks