General

  • Target: Desktop.zip
  • Size: 302KB
  • Sample: 241118-sw6jqayqhv
  • MD5: 80ae521089e5a975a2849a38dea66c7f
  • SHA1: 9732e4fcbb5fe04ff6ff3f0a517b55e1da9d86fd
  • SHA256: cdcc31a5e04ae4bf0873bd78a29b69991e3632ec182d4b3ca328bf8071400628
  • SHA512: 510d68106f339d9da862bcc87a7575598e3a35b16f912872fd8b61e410862902411cd74a29173e76d079ca09d134106a1a5a0eb2140ee3d43a483c1cf9e26d41
  • SSDEEP: 6144:KqXFIbKXyoc5NwK9RscAVGwNvb/Trn6yj14y0nj7IUto8u9iEOv7J1B47m7oQo:K0FZcfweRscbwN7TrnV1Ij7f1YiEOVL4

Malware Config

Extracted

  • Family: xworm
  • C2: https://pastebin.com/raw/L3Xphr0J:201770
  • Attributes
    • install_file: Prefetch Manager.exe
    • pastebin_url: https://pastebin.com/raw/L3Xphr0J

Targets

    • Target: ForceAdmin.exe
    • Size: 309KB
    • MD5: 14938582caf4bbc6b2af665ca31fd60c
    • SHA1: 289a2d81be847f58051891bf58b9699acd124874
    • SHA256: 75eacbca3054af7502185379ce007e6dafb968dee4a29a0b17b2890aa12ebdc7
    • SHA512: 3e40a71ab736e0156c2d1f18abb3b3b54314df0985041dd2a900e753b154c083340121a4c2a3d8820f73f608a21958dff71c73379509e08afecc2ac9388f5414
    • SSDEEP: 6144:DX3IbK3TbvRsOANGkNPb/T+H6yjB4y1J3+C3L0ZOl7J5J4xm7o8Hy:T35RsOdkNbT+HVBRJ3+C3YZOfr2m7PHy
    • Score: 1/10

    • Target: New Text Document.txt
    • Size: 222B
    • MD5: 63029dc164817834daff27ac138a6110
    • SHA1: 4ef3ef55421240d5232c1bad039ae6098ac17067
    • SHA256: ca18d4af4b98324369c6237d2e13d33f76a12cb4761c9d29ada553f67f38f98e
    • SHA512: fce9a92796b7a507186c902f1cc9bbac58a18f8cfa07f67638c8215f4f4183d17937bfeb003bc8cb4cb894cc8ba557efb023d91f7e492e64afde895daaf4dcae

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring, block at first sight, etc.

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Command and Scripting Interpreter: PowerShell

      Powershell Invoke Web Request.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks