General

  • Target

    f6a8c9894f707a594a924f4c197f0f2a.bin

  • Size

    1016KB

  • Sample

    240701-ermddswbqf

  • MD5

    cb3fc618f616cb7eb490282507fda944

  • SHA1

    55f846b5ac847b3431b2282f8606402d0b624d1a

  • SHA256

    041b2ea848079aab1e0b6bd1a6cf2a89e005b88b8ec2186c349f9f2a8ef0c08c

  • SHA512

    c7613c47adce3ed72d7d205326b5f1854b816c287d7393ea0b938513226273594acfaf5774c3fccba80e69887ca9ac116bb2249f1c979cad73dd695b081dee88

  • SSDEEP

    24576:C8LhunDDLg6q48sLnLh/GTLZIoF/shuUdAiW3bV3i6YJJ2:CtOeLhefZIqZj3i6YJQ

Malware Config

Extracted

  • Family

    xworm

  • Version

    5.0

  • C2

    twart.myfirewall.org:59012

  • Mutex

    gOdjUs2unoOU0NeI

  • Attributes

    • Install_directory

      %AppData%

    • install_file

      windows.exe

  • aes.plain

Targets

    • Target

      542ddd41bf8603c95458d6c2c15e1a0cff107fbabac55b69b92bd40fd8bf1696.exe

    • Size

      2.1MB

    • MD5

      f6a8c9894f707a594a924f4c197f0f2a

    • SHA1

      a6cd353fe512a4f1c6d74064979f4475c574ddd7

    • SHA256

      542ddd41bf8603c95458d6c2c15e1a0cff107fbabac55b69b92bd40fd8bf1696

    • SHA512

      a9e8a3d1705b7f95944a406f7639c07497ae50b9a11b9f77304bcb1d33cda4f3a05c831b47206d153da7c7d9eae22b84e0a17b9aae0ee1f36784acf4b63951b4

    • SSDEEP

      49152:jF50a6aPVOFMx3SmroCZscivbS6mqxEWoKmqZJffp3vSsqPUWeaw1GmNOm/:XroA7PDa

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

  • Persistence

    T1547 Boot or Logon Autostart Execution, 1 hit
    T1547.001 Registry Run Keys / Startup Folder, 1 hit

  • Privilege Escalation

    T1547 Boot or Logon Autostart Execution, 1 hit
    T1547.001 Registry Run Keys / Startup Folder, 1 hit

  • Defense Evasion

    T1112 Modify Registry, 1 hit
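The config above gives concrete host artifacts (install_file windows.exe under %AppData%, a Run key, a C2 host and port) that map directly onto the T1547.001 and T1112 hits. The following Python is an added example, not part of the sandbox report: it turns those extracted values into detection logic and runs it over a handful of constructed Sysmon-style events (FileCreate 11, NetworkConnect 3, RegistryEvent 13, DNSEvent 22). Assumptions: %AppData% resolves to C:\Users\<user>\AppData\Roaming, the registry path is seen the way Sysmon reports it (HKU\<SID>\Software\...\Run\<value>), and the user name, SID, dropper location and the benign OneDrive/setup.exe noise are made up for the demo.

```python
"""Apply the Xworm config values from this report to Sysmon-style events."""
import re

# IOCs copied from the extracted config; everything else in this file is constructed.
C2_HOST = "twart.myfirewall.org"
C2_PORT = 59012
INSTALL_FILE = "windows.exe"  # install_file, written to %AppData%

# Any value under ...\CurrentVersion\Run or RunOnce (T1547.001).
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\[^\\]+$", re.I)
# The exact install path the config describes (%AppData% -> ...\AppData\Roaming).
XWORM_INSTALL_RE = re.compile(
    r"\\AppData\\Roaming\\" + re.escape(INSTALL_FILE) + r"$", re.I)
# Broader, lower-confidence heuristic: an .exe dropped directly in the Roaming root,
# with no vendor subfolder. Legitimate software almost always uses a subfolder.
ROAMING_ROOT_EXE_RE = re.compile(r"\\AppData\\Roaming\\[^\\]+\.exe$", re.I)


def _first_token(cmd):
    """Return the executable path from a Run value, dropping any arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ", 1)[0]


def match_event(ev):
    """Return the list of rule names a single Sysmon-style event triggers."""
    hits = []
    eid = ev.get("EventID")
    if eid == 11:  # FileCreate
        target = ev.get("TargetFilename", "")
        if XWORM_INSTALL_RE.search(target):
            hits.append("xworm_install_file_dropped")
        elif ROAMING_ROOT_EXE_RE.search(target):
            hits.append("suspicious_exe_in_roaming_root")
    elif eid == 13:  # RegistryEvent, value set
        if RUN_KEY_RE.search(ev.get("TargetObject", "")):
            exe = _first_token(ev.get("Details", ""))
            if XWORM_INSTALL_RE.search(exe):
                hits.append("xworm_run_key_persistence")
            elif ROAMING_ROOT_EXE_RE.search(exe):
                hits.append("suspicious_run_key_roaming_root")
    elif eid == 22:  # DNSEvent
        if ev.get("QueryName", "").lower() == C2_HOST:
            hits.append("xworm_c2_dns_lookup")
    elif eid == 3:  # NetworkConnect; the port alone is a weak indicator, see note below
        if (ev.get("DestinationHostname", "").lower() == C2_HOST
                or ev.get("DestinationPort") == C2_PORT):
            hits.append("xworm_c2_connection")
    return hits


def scan(events):
    """Return (event index, rule name) pairs for every hit in a batch of events."""
    return [(i, ev_rule) for i, ev in enumerate(events) for ev_rule in match_event(ev)]


# Constructed paths: user "bob" and the Desktop location are assumptions for the demo.
DROPPER = r"C:\Users\bob\Desktop\542ddd41bf8603c95458d6c2c15e1a0cff107fbabac55b69b92bd40fd8bf1696.exe"
IMPLANT = r"C:\Users\bob\AppData\Roaming\windows.exe"
RUN_KEY = r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed telemetry using Sysmon field names; these are NOT the sandbox's own events.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": DROPPER, "TargetFilename": IMPLANT},
    {"EventID": 13, "Image": DROPPER, "TargetObject": RUN_KEY + r"\windows", "Details": IMPLANT},
    {"EventID": 22, "Image": IMPLANT, "QueryName": "twart.myfirewall.org"},
    {"EventID": 3, "Image": IMPLANT, "DestinationHostname": "twart.myfirewall.org",
     "DestinationPort": 59012},
    # Benign noise: OneDrive's own Run value (quoted path plus argument, under AppData\Local)
    # and a config file written into a vendor subfolder of Roaming.
    {"EventID": 13, "Image": r"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "TargetObject": RUN_KEY + r"\OneDrive",
     "Details": r'"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"EventID": 11, "Image": r"C:\Program Files\Foo\setup.exe",
     "TargetFilename": r"C:\Users\bob\AppData\Roaming\Foo\config.json"},
]

if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The four Xworm-specific rules fire on the first four events and nothing fires on the two benign ones. The two `suspicious_*` rules are deliberately broader than this sample: they catch the same install pattern with a different file name, which matters because install_file and the C2 hostname are operator-chosen config values that change between builds while the %AppData% root drop plus Run value does not. Treat the port-only branch of the NetworkConnect rule as a low-confidence hint to be corroborated with the DNS or registry hits, not as an alert on its own.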
