Overview

overview

10

Static

static

3

ME77ZTVpfPe1.exe

windows7-x64

8

ME77ZTVpfPe1.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ME77ZTVpfPe1.exe

  • Size

    360KB

  • Sample

    241020-gqk52svcrk

  • MD5

    a0a4c2e4123c895b019404faac31eea5

  • SHA1

    18254b9eda5a7d1bb9505cc46b992709029091c8

  • SHA256

    1c74716aa959672f89ca6a090cf8aee85eee235980f00cf4a1f049b265b4a836

  • SHA512

    3b6f9347cfd753607014147dddd1a60f87a8580f84caba99b72b8b319d1e7b8a52bad76a5d81653fabb083c4a037ed28e4cd4178aecde3a19b1ef419b853709c

  • SSDEEP

    6144:KIrgO6OmMo/f7DGUOodFeq4cH0RfWLN0SMJWW6vtuwFi0QRjZj:F8XGPoDeqnUR+N3fVVxM0QRjZj

Score
10/10
bdaejecxwormaspackv2backdoordiscoveryexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

K2D8kOjfVfBUprBZ

Attributes
  • Install_directory

    %Temp%

  • install_file

    USB.exe

  • pastebin_url

    https://pastebin.com/raw/BSSw6HT3

aes.plain

Extracted

Family

bdaejec

C2

ddos.dnsnb8.net

Targets

    • Target

      ME77ZTVpfPe1.exe

    • Size

      360KB

    • MD5

      a0a4c2e4123c895b019404faac31eea5

    • SHA1

      18254b9eda5a7d1bb9505cc46b992709029091c8

    • SHA256

      1c74716aa959672f89ca6a090cf8aee85eee235980f00cf4a1f049b265b4a836

    • SHA512

      3b6f9347cfd753607014147dddd1a60f87a8580f84caba99b72b8b319d1e7b8a52bad76a5d81653fabb083c4a037ed28e4cd4178aecde3a19b1ef419b853709c

    • SSDEEP

      6144:KIrgO6OmMo/f7DGUOodFeq4cH0RfWLN0SMJWW6vtuwFi0QRjZj:F8XGPoDeqnUR+N3fVVxM0QRjZj

    Score
    10/10
    discoveryexecutionbdaejecxwormaspackv2backdoorpersistencerattrojan

    • Bdaejec

      Bdaejec is a backdoor written in C++.

      backdoorbdaejec

    • Detect Xworm Payload

    • Detects Bdaejec Backdoor.

      Bdaejec is backdoor written in C++.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Downloads MZ/PE file

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

6
T1012

System Information Discovery

6
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks