General

  • Target

    Swift copy.exe

  • Size

    619KB

  • Sample

    240521-nw8lvsce2t

  • MD5

    458f7cbc40f24ca3257cb3803f1a817c

  • SHA1

    419fdb34bacf7fcc9b955bdbca7e4cf9d03e6877

  • SHA256

    bb57a345bfddb2a779d447fb1f34b36bf08d70793be2705d95244254e264e1e2

  • SHA512

    4f4da09b4a42440b0bb8e0e17b313c2b9450456f8ef4469e6f060554ee70fe6f7cef8de30dd72147702e1ec76190276c9d162a2c1492918f600142575f83cff9

  • SSDEEP

    12288:6WET/mr9K+22BEEzFatnd/WeHK4KMSMOV4Tu4Cbpb3W/KuBvnqMUpeNW/:6Wtb3BE/Zq4KJLGT/6bG

Malware Config

Extracted

Family

xworm

Version

3.1

C2

baldur1.duckdns.org:3360

Mutex

99lkUMNvqj7gQA4z

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

aes.plain

Targets

    • Target

      Swift copy.exe

    • Size

      619KB

    • MD5

      458f7cbc40f24ca3257cb3803f1a817c

    • SHA1

      419fdb34bacf7fcc9b955bdbca7e4cf9d03e6877

    • SHA256

      bb57a345bfddb2a779d447fb1f34b36bf08d70793be2705d95244254e264e1e2

    • SHA512

      4f4da09b4a42440b0bb8e0e17b313c2b9450456f8ef4469e6f060554ee70fe6f7cef8de30dd72147702e1ec76190276c9d162a2c1492918f600142575f83cff9

    • SSDEEP

      12288:6WET/mr9K+22BEEzFatnd/WeHK4KMSMOV4Tu4Cbpb3W/KuBvnqMUpeNW/:6Wtb3BE/Zq4KJLGT/6bG

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks