Overview

overview

10

Static

static

3

ISTHG Laun...er.exe

windows10-ltsc 2021-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ISTHG Launcher Fixer.exe

  • Size

    80.7MB

  • Sample

    250304-yw6glsyze1

  • MD5

    36d7b5f683034cb80736471dd06ac521

  • SHA1

    36107f679d0b647d660d151204ed3bcefa4e3bff

  • SHA256

    322ade330c1d135d9a602323523d8d9198bfd60186666bc7b4169d39fce9cf53

  • SHA512

    00f2dfb80960559a21284173dbeb6d21b2c7999e987f47216cdc2629cedb412b747313d7b3dcddbd4644dc777db01db92fc4174540f9080513264749577bbb4d

  • SSDEEP

    1572864:kww/CZRSyW/nc6oOxbbX7++KqmLjrLISInYndP/MgAWvc01pf79R:VGCTSVkHQnX7llSGYndHMgLvxpf

Score
10/10
xwormdiscoveryexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

Attributes
  • Install_directory

    %Temp%

  • install_file

    svchost.exe

  • pastebin_url

    https://pastebin.com/raw/kADeGNZE

Targets

    • Target

      ISTHG Launcher Fixer.exe

    • Size

      80.7MB

    • MD5

      36d7b5f683034cb80736471dd06ac521

    • SHA1

      36107f679d0b647d660d151204ed3bcefa4e3bff

    • SHA256

      322ade330c1d135d9a602323523d8d9198bfd60186666bc7b4169d39fce9cf53

    • SHA512

      00f2dfb80960559a21284173dbeb6d21b2c7999e987f47216cdc2629cedb412b747313d7b3dcddbd4644dc777db01db92fc4174540f9080513264749577bbb4d

    • SSDEEP

      1572864:kww/CZRSyW/nc6oOxbbX7++KqmLjrLISInYndP/MgAWvc01pf79R:VGCTSVkHQnX7llSGYndHMgLvxpf

    Score
    10/10
    xwormdiscoveryexecutionpersistencerattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Enumerates processes with tasklist

      discovery
    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

File and Directory Permissions Modification

1
T1222

Modify Registry

1
T1112

Credential Access

Discovery

Browser Information Discovery

1
T1217

Peripheral Device Discovery

1
T1120

Process Discovery

1
T1057

Query Registry

5
T1012

System Information Discovery

4
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks