Overview

overview

10

Static

static

3

antinashoo...32.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    antinashook.zip

  • Size

    9.9MB

  • Sample

    250307-3shnlayzbv

  • MD5

    f1ad64a42933a7fa7c9b090c1894787a

  • SHA1

    475377ee153f738d1bdbe24d560d958ee62c2e18

  • SHA256

    150ac1fb1dfc122655f683b3ec40e672d815c03699fb68a69917eb7b8ae8373d

  • SHA512

    b6b263491a3234a8217dc3203d40dc1bea3518167515f2b4c8bbd3b06e9544b517a6749ed4da6818fc6f27ec9d4468f2699f56c981942ca8dd4f47648b45d266

  • SSDEEP

    196608:QG01oGGyvdaOU/dzrBC/O6Z+vGkYQJppqj/cD+YhS/W162nuOn4PEoWFARRO:QtZ1aOU/pU/O6Z+Ok7JTqbshSOIO3FA6

Score
10/10
xwormdiscoveryexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

Attributes
  • Install_directory

    %Public%

  • install_file

    svchost.exe

  • pastebin_url

    https://pastebin.com/raw/1vj9gviK

Targets

    • Target

      antinashook/WinRes32.exe

    • Size

      952KB

    • MD5

      0c7e5b83652dabf3503bf0001b329afa

    • SHA1

      b27452eb81f2e1b2958e3a9980fe35807f01f248

    • SHA256

      d2d26cfeffede48bad16333b3fb1098f2c713598c2eaf37f9894069fecdce2fe

    • SHA512

      5fe40e55382ff33642d55e738106d4e8fd78d6ee9129cb693d9c6c3025cdc30d855dba09bf4f3f932ba0e483d0e18a9eb079f357ce5c60399b54c19382007854

    • SSDEEP

      24576:g1Way//sMrF9Q0LDnjH+eQIn1J/bYbV2u6MxgndIXhagbA0Q:uyHsMrF9Q0vCeQIvTYbwu6HndIXYgbT

    Score
    10/10
    xwormdiscoveryexecutionpersistencerattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

3
T1012

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks