Overview

overview

10

Static

static

10

cheat.exe

windows7-x64

10

cheat.exe

windows10-2004-x64

10

dControl.exe

windows7-x64

10

dControl.exe

windows10-2004-x64

7

loader.exe

windows7-x64

10

loader.exe

windows10-2004-x64

10

map.exe

windows7-x64

10

map.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    celexdlol (1).rar

  • Size

    634KB

  • Sample

    240708-kbcf5s1all

  • MD5

    9c502988a3c51eeaec26d08abaedb508

  • SHA1

    030fe0b43920c5293ac5c32eb41280de44743157

  • SHA256

    6e552c8d82a2553ec83fea57d340561834aeac22ae30d6a81692f2eee6651e14

  • SHA512

    3b84bd6a08d06547f180c583f587ee33b88848cd1f846afd0557501c5c486267cde218df5be37c818f5a2b1ccbbbfb391b859f7073bd6f92e2bfc1904f54347b

  • SSDEEP

    12288:Wzcn7EanlQiWtYhmJFSwUBLcQZfgipYedhDYedh0Yedhh:0cn7NlwPUdYQxYQCYQv

Score
10/10
xwormevasionexecutionpersistencerattrojanupx

Malware Config

Extracted

Family

xworm

C2

submit-processing.gl.at.ply.gg:54034

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

Targets

    • Target

      cheat.exe

    • Size

      61KB

    • MD5

      427cae9ddc40f9a7ea51459fc265d9be

    • SHA1

      8c68b6be3529637908878e64a020dd99c3bf98ad

    • SHA256

      4a1a9976a6fc9351ce34db0c601952328f52b526894cea614b51879c065e89a4

    • SHA512

      da5d985814986580a53712df240dad2dd876a16aeebab7e89ddc9968a8d2305dbf1cb695e1fa812ac534f27f1dfabf1be8aedac1f07d1b311163843f905a47a1

    • SSDEEP

      1536:SAXBcwCcPCxLgk2BeVbcqbhc48Ulk36nJNOOKLj:SAyvcPCaJe9Pbhc0hcOKLj

    Score
    10/10
    xwormexecutionpersistencerattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

    • Target

      dControl.exe

    • Size

      447KB

    • MD5

      58008524a6473bdf86c1040a9a9e39c3

    • SHA1

      cb704d2e8df80fd3500a5b817966dc262d80ddb8

    • SHA256

      1ef6c1a4dfdc39b63bfe650ca81ab89510de6c0d3d7c608ac5be80033e559326

    • SHA512

      8cf492584303523bf6cdfeb6b1b779ee44471c91e759ce32fd4849547b6245d4ed86af5b38d1c6979729a77f312ba91c48207a332ae1589a6e25de67ffb96c31

    • SSDEEP

      6144:Vzv+kSn74iCmfianQGDM3OXTWRDy9GYQDUmJFXIXHrsUBnBTF8JJCYrYNsQJzfgu:Vzcn7EanlQiWtYhmJFSwUBLcQZfgiD

    Score
    10/10
    evasiontrojanupx

    • Modifies security service

      evasion

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Windows security modification

      evasiontrojan

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    behavioral3behavioral4

    • Target

      loader.exe

    • Size

      61KB

    • MD5

      427cae9ddc40f9a7ea51459fc265d9be

    • SHA1

      8c68b6be3529637908878e64a020dd99c3bf98ad

    • SHA256

      4a1a9976a6fc9351ce34db0c601952328f52b526894cea614b51879c065e89a4

    • SHA512

      da5d985814986580a53712df240dad2dd876a16aeebab7e89ddc9968a8d2305dbf1cb695e1fa812ac534f27f1dfabf1be8aedac1f07d1b311163843f905a47a1

    • SSDEEP

      1536:SAXBcwCcPCxLgk2BeVbcqbhc48Ulk36nJNOOKLj:SAyvcPCaJe9Pbhc0hcOKLj

    Score
    10/10
    xwormexecutionpersistencerattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral5behavioral6

    • Target

      map.exe

    • Size

      61KB

    • MD5

      427cae9ddc40f9a7ea51459fc265d9be

    • SHA1

      8c68b6be3529637908878e64a020dd99c3bf98ad

    • SHA256

      4a1a9976a6fc9351ce34db0c601952328f52b526894cea614b51879c065e89a4

    • SHA512

      da5d985814986580a53712df240dad2dd876a16aeebab7e89ddc9968a8d2305dbf1cb695e1fa812ac534f27f1dfabf1be8aedac1f07d1b311163843f905a47a1

    • SSDEEP

      1536:SAXBcwCcPCxLgk2BeVbcqbhc48Ulk36nJNOOKLj:SAyvcPCaJe9Pbhc0hcOKLj

    Score
    10/10
    xwormexecutionpersistencerattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral7behavioral8

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Impair Defenses

1
T1562

Disable or Modify Tools

1
T1562.001

Modify Registry

3
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks