Overview

overview

10

Static

static

1

aa.bat

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    aa.bat

  • Size

    4KB

  • Sample

    241029-r2xnbsxlgj

  • MD5

    e1bb13079136feb8601656942407d6ac

  • SHA1

    b18016cc87ebab626c3c22f9c46f3cb514e16617

  • SHA256

    cb407460fb1c8e860e77d175ba27f129571c3bc95cece9e3a46e17f11e10a758

  • SHA512

    24f9f3ad23f3c7081a4a3cd9f2d1eb7c2bb9ecafb8fe8165e2254fc789f85e2cecbcd49cc2131cf7fec40ff5a0275249f565bf47ea8361a7f9bf11c28a5f961c

  • SSDEEP

    96:qjx1L/Cb/pcm4jdbEtYhOjhKaAYG02uMjeBZkQRdhJjaaAYAn2uMjeBZkozd6z:q9pqcbEt82hKFYG02XqBZpRfRaFYAn2l

Score
10/10
xwormdiscoveryevasionexecutionexploitpersistencerattrojan

Malware Config

Extracted

Family

xworm

Attributes
  • install_file

    USB.exe

  • pastebin_url

    https://pastebin.com/raw/54jZmcfW

  • telegram

    https://api.telegram.org/bot7470467235:AAH5xKlgIYdawUGRmIROyBj64e_oY5ROaic/sendMessage?chat_id=1330099235

Targets

    • Target

      aa.bat

    • Size

      4KB

    • MD5

      e1bb13079136feb8601656942407d6ac

    • SHA1

      b18016cc87ebab626c3c22f9c46f3cb514e16617

    • SHA256

      cb407460fb1c8e860e77d175ba27f129571c3bc95cece9e3a46e17f11e10a758

    • SHA512

      24f9f3ad23f3c7081a4a3cd9f2d1eb7c2bb9ecafb8fe8165e2254fc789f85e2cecbcd49cc2131cf7fec40ff5a0275249f565bf47ea8361a7f9bf11c28a5f961c

    • SSDEEP

      96:qjx1L/Cb/pcm4jdbEtYhOjhKaAYG02uMjeBZkQRdhJjaaAYAn2uMjeBZkozd6z:q9pqcbEt82hKFYG02XqBZpRfRaFYAn2l

    Score
    10/10
    xwormdiscoveryevasionexecutionexploitpersistencerattrojan

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution

    • Possible privilege escalation attempt

      exploit

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

      evasion

    • Drops startup file

    • Modifies file permissions

      discovery

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

File and Directory Permissions Modification

1
T1222

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Modify Registry

2
T1112

Credential Access

Discovery

Browser Information Discovery

1
T1217

Query Registry

2
T1012

Remote System Discovery

1
T1018

System Information Discovery

2
T1082

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks