Overview

overview

10

Static

static

3

GUIสุ�...��.exe

windows10-ltsc 2021-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    GUIสุดโหด.exe

  • Size

    1.9MB

  • Sample

    241109-awmgqstcmn

  • MD5

    0065484c8645d1858fc6d542c5cceac7

  • SHA1

    b9e6f410bd59a15c0a89ddb3c06d0ac11ae655f4

  • SHA256

    ad7b3092e0b6abb5a978579bf2ebbcd3abde31e3e62ccf1a7c70fa7584885f34

  • SHA512

    cec0ea7433e3fa967d521f4d0c66e5a71c55c0230bf9764d4dc9f33acbdd463ea2b11592266af9b2e6767968354f12d93a1a53f3d23dc6961961fbb3dda45661

  • SSDEEP

    24576:3VwDp0VIi/j82FYvEsHxmOtX+zDdnLXY0NgBZFHGx:3VI0VIi/KEAac0NgBZF

Score
10/10
xwormdiscoveryevasionpersistenceprivilege_escalationransomwarerattrojan

Malware Config

Extracted

Family

xworm

C2

85.203.4.149:7000

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    XClient.exe

Targets

    • Target

      GUIสุดโหด.exe

    • Size

      1.9MB

    • MD5

      0065484c8645d1858fc6d542c5cceac7

    • SHA1

      b9e6f410bd59a15c0a89ddb3c06d0ac11ae655f4

    • SHA256

      ad7b3092e0b6abb5a978579bf2ebbcd3abde31e3e62ccf1a7c70fa7584885f34

    • SHA512

      cec0ea7433e3fa967d521f4d0c66e5a71c55c0230bf9764d4dc9f33acbdd463ea2b11592266af9b2e6767968354f12d93a1a53f3d23dc6961961fbb3dda45661

    • SSDEEP

      24576:3VwDp0VIi/j82FYvEsHxmOtX+zDdnLXY0NgBZFHGx:3VI0VIi/KEAac0NgBZF

    Score
    10/10
    xwormdiscoveryevasionpersistenceprivilege_escalationransomwarerattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Sets service image path in registry

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Network Share Discovery

      Attempt to gather information on host network.

      discovery
    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Network Share Discovery

1
T1135

Query Registry

1
T1012

Remote System Discovery

1
T1018

System Information Discovery

3
T1082

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

System Time Discovery

1
T1124

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

1
T1490

Tasks