Resubmissions
23-07-2024 16:29
240723-tzcw9ayfrn 1023-07-2024 16:26
240723-txm97s1hnf 1023-07-2024 16:20
240723-ts2l2a1gjh 1023-07-2024 16:15
240723-tqjnfa1fmc 1023-07-2024 16:11
240723-tmz61s1ena 1023-07-2024 15:54
240723-tclwms1blb 1023-07-2024 15:48
240723-s8v9hsxfmr 1023-07-2024 15:45
240723-s683lazhmg 1023-07-2024 15:10
240723-skb6qsyhnf 1023-07-2024 14:52
240723-r841zswapq 10General
-
Target
писька чит.exe
-
Size
71KB
-
Sample
240723-s8v9hsxfmr
-
MD5
ed3794861ddc34b4748ff8081e80cb2b
-
SHA1
e63cf084552f0c2803de0109e3d2fcd3102c4738
-
SHA256
6af19a694c8c3e6860d2555ce16be115c599c3424ec1e01c0bf67acd3298ae0f
-
SHA512
df771b8eecb7e065628c06b8cca9aa7df6dd05bbdba0f85ed34010e264a286a17129289d6ac3e9f87c56152ed7a35302e88ae6643a1bb06c45745cf3d5ea0b03
-
SSDEEP
1536:EYB+O1NIBlJ4wlA0B4GI0b0xEPdB8QlOrIXt6fT+S1va+OuPyGV54:EOgQwlRB4wb0xEFBdMIk+S19OuaGV54
Behavioral task
behavioral1
Sample
писька чит.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
писька чит.exe
Resource
win10v2004-20240709-en
Malware Config
Extracted
xworm
main-although.gl.at.ply.gg:30970
-
Install_directory
%AppData%
-
install_file
XClient.exe
Targets
-
-
Target
писька чит.exe
-
Size
71KB
-
MD5
ed3794861ddc34b4748ff8081e80cb2b
-
SHA1
e63cf084552f0c2803de0109e3d2fcd3102c4738
-
SHA256
6af19a694c8c3e6860d2555ce16be115c599c3424ec1e01c0bf67acd3298ae0f
-
SHA512
df771b8eecb7e065628c06b8cca9aa7df6dd05bbdba0f85ed34010e264a286a17129289d6ac3e9f87c56152ed7a35302e88ae6643a1bb06c45745cf3d5ea0b03
-
SSDEEP
1536:EYB+O1NIBlJ4wlA0B4GI0b0xEPdB8QlOrIXt6fT+S1va+OuPyGV54:EOgQwlRB4wb0xEFBdMIk+S19OuaGV54
-
Cobalt Strike reflective loader
Detects the reflective loader used by Cobalt Strike.
-
Detect Xworm Payload
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Event Triggered Execution: Image File Execution Options Injection
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Drops startup file
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies file permissions
-
Adds Run key to start application
-
Checks for any installed AV software in registry
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Modifies powershell logging option
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Checks system information in the registry
System information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1System Services
1Service Execution
1Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
2Component Object Model Hijacking
1Image File Execution Options Injection
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
2Component Object Model Hijacking
1Image File Execution Options Injection
1Defense Evasion
File and Directory Permissions Modification
1Impair Defenses
1Modify Registry
5Pre-OS Boot
1Bootkit
1Subvert Trust Controls
1Install Root Certificate
1Discovery
Browser Information Discovery
1Peripheral Device Discovery
2Query Registry
9Software Discovery
1Security Software Discovery
1System Information Discovery
9System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1