Analysis
-
max time kernel
15s -
max time network
15s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
09/11/2024, 08:50
General
-
Target
Loaded GUI SUPER X GODDOM.exe
-
Size
15.8MB
-
MD5
122c870b4666083d8672bc45c79db494
-
SHA1
c8a1b264e6178bb4cf52d022238899036e94574e
-
SHA256
11af9ee8c345dd8c529ac2ec08ac51129531edb0cfd1fa5a580a36c642502163
-
SHA512
23a0c79a6507c001d4d656d44a7784715d28e6c5c9716923e9f384b7875f53501fbab397014c3686486689ea33168773bf69af30c3c01fe7f931a65d29da2833
-
SSDEEP
393216:MNBDE4WXRLTfyXE/rEmkNInlv8K/HSTYwEX9mr4BGk/2uXj:MNJE4Yr+E/rR19xOYwFI+
Malware Config
Extracted
xworm
5.0
client-toilet.gl.at.ply.gg:29921
NvsfH1XO1syyGREn
-
Install_directory
%AppData%
-
install_file
XClient.exe
Signatures
-
Detect Xworm Payload 2 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 21 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Loaded GUI SUPER X GODDOM.exe"C:\Users\Admin\AppData\Local\Temp\Loaded GUI SUPER X GODDOM.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Loaded GUI.exe"C:\Users\Admin\AppData\Local\Temp\Loaded GUI.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh winsock reset catalog4⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\system32\netsh.exenetsh int tcp reset4⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\system32\netsh.exenetsh interface ip delete arpcache4⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\system32\netsh.exenetsh int tcp set heuristics disabled4⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\system32\netsh.exenetsh int tcp set global rss=enabled4⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\system32\netsh.exenetsh int tcp set global chimney=disabled4⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\system32\netsh.exenetsh int tcp set global netdma=enabled4⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe"C:\Users\Admin\AppData\Local\Temp\BLACKGODDOM V.2 GOD BY LA.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
67KB
MD52b1bcff698482a45a0d01356ad3e0384
SHA177d106b1495b869600cdfda6afeaec0f75a78634
SHA256a9bd5014b5a6744b0a5c180a3e76ff546a514dcbad8bf2d8c500f903a285424b
SHA512e8b6a729f3b4fc02886aeed232511dc9407a52aae40f01cd2817f8369944b14240bd3edfd573dbdef0d506557f02622148ce4042f6f497c20f1f11af85eeac77
-
Filesize
15.9MB
MD5329f5cfa031ecf0b5eb30624277e6321
SHA1189067b40d2b6b6f0a2e9b3bb509acc01131b15a
SHA2560139146555814ed3ef16e36fb839dd4265cc5cb033a4500f43ef20b48a506675
SHA512f97b6de859076d7ed76e497064c75647ca481377e043dc4172ed0c7d37870efaaf776fffb13b71d5f62b2feb6b6daddaff52b9a1ceb4f50f38ff4c0c72561a22
-
Filesize
8KB
-
Filesize
15.9MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
88KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
16.0MB
-
Filesize
10.8MB
-
Filesize
10.8MB