Resubmissions

10-08-2024 06:35

240810-hcr7wazajm 10

10-08-2024 06:32

240810-hartbstcme 10

General

  • Target

    Pregnant Spidergwen.PNG.exe

  • Size

    159KB

  • Sample

    240810-hartbstcme

  • MD5

    573662a86adf71a8e3f89a3e78ce2330

  • SHA1

    edba077cbc44df1e81d4cb1b5b7c1a2d71a63a32

  • SHA256

    f5f9b6a5df5b89a5d9957fe2bf7e527ef7867e9f732c7d0162608de964fae4e5

  • SHA512

    9f253f02485ba4f1053e8314ff46547cd26cf9ce4589548690e90e4e25dcf8e5ede468107f252ad45e27d177f4e28359437995ba155c219bcbad09caf466faee

  • SSDEEP

    3072:75K491U+ccf7n8KNlmq1+QIexch+qW9Im9TqH+PSm:7191U+PDFCqtyhTWGm9Tq4

Malware Config

Extracted

Family

xworm

C2

manufacturer-rank.gl.at.ply.gg:60383

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

Targets

    • Target

      Pregnant Spidergwen.PNG.exe

    • Size

      159KB

    • MD5

      573662a86adf71a8e3f89a3e78ce2330

    • SHA1

      edba077cbc44df1e81d4cb1b5b7c1a2d71a63a32

    • SHA256

      f5f9b6a5df5b89a5d9957fe2bf7e527ef7867e9f732c7d0162608de964fae4e5

    • SHA512

      9f253f02485ba4f1053e8314ff46547cd26cf9ce4589548690e90e4e25dcf8e5ede468107f252ad45e27d177f4e28359437995ba155c219bcbad09caf466faee

    • SSDEEP

      3072:75K491U+ccf7n8KNlmq1+QIexch+qW9Im9TqH+PSm:7191U+PDFCqtyhTWGm9Tq4

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Detect Xworm Payload

    • UAC bypass

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks