General

  • Target

    KeyGen.exe

  • Size

    71KB

  • Sample

    250306-asktqstpy5

  • MD5

    7addd5b9c97fa34625567991ad42a6b0

  • SHA1

    305a6af73234cb5d7c4fab4ecb35751af2977a8c

  • SHA256

    35b6f516e20f2d01dd638055decb824ee2d83d23d7d01fe010d92f22a0e38911

  • SHA512

    aca3379e929a38f61a3e096f74618fe761d2f0723d36f0e2bd2eb37f141e87cff5ea62bc9ab4deffc07c615f579a976951ee7393ee495b32a3d57a724a1072f7

  • SSDEEP

    1536:VRLxhVj7D+Ihw3+bwxK0ZV6ypm6TNOQRu0US6Sd:Vb7hw3+bwxtQOOQRb0s

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:1139

w4wrzaq8l.localto.net:1139

Attributes

  • Install_directory

    %AppData%

  • install_file

    USB.exe

Targets

    • Target

      KeyGen.exe

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence.

    • Drops startup file

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks