General

  • Target

    SecuriteInfo.com.Win64.PWSX-gen.10080.20186.exe

  • Size

    1.4MB

  • Sample

    240521-g4bhrsbb8s

  • MD5

    e84bb6efc8e0ebec1826b770cfb59bd9

  • SHA1

    5fe35e0b634a95fcff997882839004a225a29bf1

  • SHA256

    2d1c1347b0e889a6f74fed1878738e0026ea2fe10c8082d9ba5fcdb0e8ed939b

  • SHA512

    562cef1a697cdb516d09341b58d790984284b6617ba5a24040b1a36ae3cd448b8857a7e5dcd1f541d5e18888fe7b525894077fce08463d5a7dfe2b00eb0de810

  • SSDEEP

    24576:uOnCbIk+tdLb0Tj3ndie/UV7EMhD6ZnlyBI0DJewitKUiVh8t6S9U8XxT9Q+FTtT:prUlH0UcBS9UutT

Malware Config

Extracted

Family

xworm

Version

5.0

C2

79.110.49.133:5700

Mutex

Bg9JRZDpyEfXxrAy

Attributes
  • install_file

    USB.exe

aes.plain

Targets

    • Target

      SecuriteInfo.com.Win64.PWSX-gen.10080.20186.exe

    • Size

      1.4MB

    • MD5

      e84bb6efc8e0ebec1826b770cfb59bd9

    • SHA1

      5fe35e0b634a95fcff997882839004a225a29bf1

    • SHA256

      2d1c1347b0e889a6f74fed1878738e0026ea2fe10c8082d9ba5fcdb0e8ed939b

    • SHA512

      562cef1a697cdb516d09341b58d790984284b6617ba5a24040b1a36ae3cd448b8857a7e5dcd1f541d5e18888fe7b525894077fce08463d5a7dfe2b00eb0de810

    • SSDEEP

      24576:uOnCbIk+tdLb0Tj3ndie/UV7EMhD6ZnlyBI0DJewitKUiVh8t6S9U8XxT9Q+FTtT:prUlH0UcBS9UutT

    • Detect Xworm Payload

    • UAC bypass

    • Windows security bypass

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Windows security modification

    • Checks whether UAC is enabled

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks