Overview

overview

10

Static

static

7

Specter Sc...er.exe

windows10-ltsc 2021-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Specter Screen Grabber.exe

  • Size

    11.0MB

  • Sample

    241201-31amysyldy

  • MD5

    7918234c2953a1ef45480b1224371750

  • SHA1

    ae40e7be6833b2d2cc54eb5f325771def35cb370

  • SHA256

    2daa61ed02cf604312b1d91ba8c161bb31fdff082f849eb4e5c4000d90a40388

  • SHA512

    ed41b069e9fe99159141a294393e8823be8f56e5ea1e89ce0f113e8d7646b9aef4d9aa80941669ff2da95a4c7c1fb378f9a9f5ea58db519e09f7f37ba9615587

  • SSDEEP

    196608:GKWyhmducMnCUkFuRLuId3wpguRMV/DBU9AAwy2efaTqTpXoKIlQqe0Uz/Sr/lHW:GCEQcULPWguRM9FQwFWTpXoK+wSr/lCl

Score
10/10
xwormdiscoveryevasionexecutionpersistenceratthemidatrojan

Malware Config

Extracted

Family

xworm

C2

24.ip.gl.ply.gg:2962

Attributes
  • install_file

    USB.exe

Targets

    • Target

      Specter Screen Grabber.exe

    • Size

      11.0MB

    • MD5

      7918234c2953a1ef45480b1224371750

    • SHA1

      ae40e7be6833b2d2cc54eb5f325771def35cb370

    • SHA256

      2daa61ed02cf604312b1d91ba8c161bb31fdff082f849eb4e5c4000d90a40388

    • SHA512

      ed41b069e9fe99159141a294393e8823be8f56e5ea1e89ce0f113e8d7646b9aef4d9aa80941669ff2da95a4c7c1fb378f9a9f5ea58db519e09f7f37ba9615587

    • SSDEEP

      196608:GKWyhmducMnCUkFuRLuId3wpguRMV/DBU9AAwy2efaTqTpXoKIlQqe0Uz/Sr/lHW:GCEQcULPWguRM9FQwFWTpXoK+wSr/lCl

    Score
    10/10
    xwormdiscoveryevasionexecutionpersistenceratthemidatrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Sets service image path in registry

      persistence

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Checks whether UAC is enabled

      evasiontrojan

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Modify Registry

1
T1112

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Discovery

Query Registry

6
T1012

System Information Discovery

6
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Virtualization/Sandbox Evasion

1
T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks