Overview

overview

10

Static

static

3

Pregnant S...NG.exe

windows10-1703-x64

10

Resubmissions

10-08-2024 06:35

240810-hcr7wazajm 10

10-08-2024 06:32

240810-hartbstcme 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Pregnant Spidergwen.PNG.exe

  • Size

    159KB

  • Sample

    240810-hartbstcme

  • MD5

    573662a86adf71a8e3f89a3e78ce2330

  • SHA1

    edba077cbc44df1e81d4cb1b5b7c1a2d71a63a32

  • SHA256

    f5f9b6a5df5b89a5d9957fe2bf7e527ef7867e9f732c7d0162608de964fae4e5

  • SHA512

    9f253f02485ba4f1053e8314ff46547cd26cf9ce4589548690e90e4e25dcf8e5ede468107f252ad45e27d177f4e28359437995ba155c219bcbad09caf466faee

  • SSDEEP

    3072:75K491U+ccf7n8KNlmq1+QIexch+qW9Im9TqH+PSm:7191U+PDFCqtyhTWGm9Tq4

Score
10/10
xwormevasionexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

manufacturer-rank.gl.at.ply.gg:60383

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

Targets

    • Target

      Pregnant Spidergwen.PNG.exe

    • Size

      159KB

    • MD5

      573662a86adf71a8e3f89a3e78ce2330

    • SHA1

      edba077cbc44df1e81d4cb1b5b7c1a2d71a63a32

    • SHA256

      f5f9b6a5df5b89a5d9957fe2bf7e527ef7867e9f732c7d0162608de964fae4e5

    • SHA512

      9f253f02485ba4f1053e8314ff46547cd26cf9ce4589548690e90e4e25dcf8e5ede468107f252ad45e27d177f4e28359437995ba155c219bcbad09caf466faee

    • SSDEEP

      3072:75K491U+ccf7n8KNlmq1+QIexch+qW9Im9TqH+PSm:7191U+PDFCqtyhTWGm9Tq4

    Score
    10/10
    xwormevasionexecutionpersistencerattrojan

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Detect Xworm Payload

    • UAC bypass

      evasiontrojan

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

1
T1562

Disable or Modify Tools

1
T1562.001

Modify Registry

3
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks