Overview

overview

10

Static

static

3

SoundpadCrack.exe

windows7-x64

8

SoundpadCrack.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    SoundpadCrack.exe

  • Size

    8.7MB

  • Sample

    240629-14q31a1dnj

  • MD5

    c0aeb81be9a7f88af4a36e3e646dc3c5

  • SHA1

    94817a864fb081074a7791a5d1ba118cf47a956d

  • SHA256

    054f6d798fd4a1ec3277da62d9e8e7dd7442cf2987ae28578381bdcb786342dd

  • SHA512

    88467c8e039175668804d2449c9036ca88ccb4406dd42f20b85c0562dd89e8df7eb6de0f55208f121d5755ea1d107615f3c277fb5bb9a5119a054c1ab99e330c

  • SSDEEP

    196608:V3GEsUvU3MyTpgJQLpdXk5AvRkYNd012erwKnFdZlGP1+H4mbqRHXjF:9sUMZTpgn5Ah3ozZlGNZI83h

Score
10/10
xwormexecutionpersistenceprivilege_escalationrattrojanupx

Malware Config

Extracted

Family

xworm

Version

5.0

C2

might-hk.gl.at.ply.gg:42295

Mutex

07x0yTqR2FSkwbSm

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    systemprocess.exe

aes.plain

Targets

    • Target

      SoundpadCrack.exe

    • Size

      8.7MB

    • MD5

      c0aeb81be9a7f88af4a36e3e646dc3c5

    • SHA1

      94817a864fb081074a7791a5d1ba118cf47a956d

    • SHA256

      054f6d798fd4a1ec3277da62d9e8e7dd7442cf2987ae28578381bdcb786342dd

    • SHA512

      88467c8e039175668804d2449c9036ca88ccb4406dd42f20b85c0562dd89e8df7eb6de0f55208f121d5755ea1d107615f3c277fb5bb9a5119a054c1ab99e330c

    • SSDEEP

      196608:V3GEsUvU3MyTpgJQLpdXk5AvRkYNd012erwKnFdZlGP1+H4mbqRHXjF:9sUMZTpgn5Ah3ozZlGNZI83h

    Score
    10/10
    executionpersistenceprivilege_escalationupxxwormrattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

      persistenceprivilege_escalation

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Event Triggered Execution

1
T1546

Component Object Model Hijacking

1
T1546.015

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Event Triggered Execution

1
T1546

Component Object Model Hijacking

1
T1546.015

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks