General

  • Target

    Shreks_Injector.vbs

  • Size

    95KB

  • Sample

    240328-b3jvvscg2w

  • MD5

    78da80f828aa97105adae3e5c28dfbfc

  • SHA1

    3e24eeb56cdb87f92ef3827487b6340be530c13e

  • SHA256

    3a4cab2ddcd3d404a46bc4545feb4422937bbb2ba550bfdd02577de41d0180bb

  • SHA512

    53ebf27a9b54a3205df517434fbd38ce5d3487420f12730f018fe6ce625365f76b1cf8744e16a8e242e64534431c60a8ad1019818ea2dfd4ab040681d43bed29

  • SSDEEP

    1536:h6Bdta8gOgdQpwaYbR6dXxkeVQdeEtJOEyEeUVx2B7xC0659FLjk8i9CUi/:h6Bdta8gzCFwwXmwY1QEyI2reHN8CUw

Malware Config

Extracted

Family

xworm

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

Targets

    • Target

      Shreks_Injector.vbs

    • Size

      95KB

    • MD5

      78da80f828aa97105adae3e5c28dfbfc

    • SHA1

      3e24eeb56cdb87f92ef3827487b6340be530c13e

    • SHA256

      3a4cab2ddcd3d404a46bc4545feb4422937bbb2ba550bfdd02577de41d0180bb

    • SHA512

      53ebf27a9b54a3205df517434fbd38ce5d3487420f12730f018fe6ce625365f76b1cf8744e16a8e242e64534431c60a8ad1019818ea2dfd4ab040681d43bed29

    • SSDEEP

      1536:h6Bdta8gOgdQpwaYbR6dXxkeVQdeEtJOEyEeUVx2B7xC0659FLjk8i9CUi/:h6Bdta8gzCFwwXmwY1QEyI2reHN8CUw

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Detect Xworm Payload

    • Modifies Windows Defender Real-time Protection settings

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Blocklisted process makes network request

    • Modifies Installed Components in the registry

    • Drops startup file

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v15

Tasks