Overview

overview

10

Static

static

1

sticking-o...er.mp3

windows11-21h2-x64

10

Resubmissions

02-09-2024 19:47

240902-yhtwnawbqm 8

02-09-2024 19:44

240902-yf71haxbmd 6

02-09-2024 16:42

240902-t7z2ravemf 6

02-09-2024 04:27

240902-e28pda1gjm 6

02-09-2024 04:25

240902-e2agks1fqp 6

02-09-2024 04:23

240902-ez6f8ssepa 6

02-09-2024 04:20

240902-eydd3asela 6

24-08-2024 02:54

240824-dd53xashql 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    sticking-out-your-gyatt-for-the-rizzler.mp3

  • Size

    175KB

  • Sample

    240824-dd53xashql

  • MD5

    27b535b4401ff51e152ef5f6fdaa2b5c

  • SHA1

    eec3bba56eae9ff73d527c3638f3515d1c60da9b

  • SHA256

    1381fa3fc79389ad8e9c2f4acffda477c4b5c6e45a07fec9de523de30ee9efa8

  • SHA512

    9e322aef6c0c41f16fd0e101b89766032240570addba1a3be77b48207bc60c50a9ec3fbe82da9925d8d878ef111b625e629c05ee3dc23e30df10f8c523c8515e

  • SSDEEP

    3072:nU/Sk+yOMHjhLbJdTJ/ffFFxEuy1hqFXNQlPgoTzS+GpQE4pCUW4hkFTMRsHeV8L:nUK1yTdLbJrXPxEuy1jFJkpaxBV6

Score
10/10
xwormdiscoveryexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

Version

3.1

C2

next-screening.at.ply.gg:48590

Attributes
  • Install_directory

    %AppData%

  • install_file

    chrome.exe

Targets

    • Target

      sticking-out-your-gyatt-for-the-rizzler.mp3

    • Size

      175KB

    • MD5

      27b535b4401ff51e152ef5f6fdaa2b5c

    • SHA1

      eec3bba56eae9ff73d527c3638f3515d1c60da9b

    • SHA256

      1381fa3fc79389ad8e9c2f4acffda477c4b5c6e45a07fec9de523de30ee9efa8

    • SHA512

      9e322aef6c0c41f16fd0e101b89766032240570addba1a3be77b48207bc60c50a9ec3fbe82da9925d8d878ef111b625e629c05ee3dc23e30df10f8c523c8515e

    • SSDEEP

      3072:nU/Sk+yOMHjhLbJdTJ/ffFFxEuy1hqFXNQlPgoTzS+GpQE4pCUW4hkFTMRsHeV8L:nUK1yTdLbJrXPxEuy1jFJkpaxBV6

    Score
    10/10
    xwormdiscoveryexecutionpersistencerattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Browser Information Discovery

1
T1217

Peripheral Device Discovery

1
T1120

Query Registry

3
T1012

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks