General

  • Target

    brehmrpersonisanigger.exe

  • Size

    39KB

  • Sample

    240402-y1t95scd3y

  • MD5

    28f937e76e11c649b2b58af9c120e845

  • SHA1

    417eb23a0b0801816e164b9350ac10d14fa3c4e4

  • SHA256

    7bbaa10e1b9d408a0b2fca977347319f97cf4e5a30ffb5f0ea1c1b509cb46cfc

  • SHA512

    c8e80de4a640292286ed986533d236262d14927ea125112e7684897bfd328ac30654c2229fe66268a0c1a44e2e8e38f034d6e12c44e6ec784b19c8462d9bb6b3

  • SSDEEP

    768:vLFUSM+46o3lLJKuuwhSZPypufFWPa9bIa6POwhmaubW:vxUSM+teVJKuuwhSMEFv9bIa6POwkTS

Malware Config

Extracted

Family

xworm

Version

5.0

C2

welcome-soon.gl.at.ply.gg:12447

Mutex

58Kp4q9Iqe8gFNBV

Attributes

  • Install_directory

    %AppData%

  • install_file

    $77MicrosoftDefender.exe

aes.plain

Targets

    • Target

      brehmrpersonisanigger.exe

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Modifies Installed Components in the registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v15

Tasks