General

  • Target

    e01f8eba926374edca52502c8fb760cc1ac5fb70bd94c57123b05060fef13577.exe

  • Size

    1.1MB

  • Sample

    240522-vpgywsaa69

  • MD5

    5394d35793386641283a5bb8eae359c2

  • SHA1

    78a477bc165707e1f3d6b2ce2b70aa73ffbafa23

  • SHA256

    e01f8eba926374edca52502c8fb760cc1ac5fb70bd94c57123b05060fef13577

  • SHA512

    28dda180125dd48cfac34d37e5601a5fe47ac38f2d677fd15388602fb0526f402dbf5052327b9f2700d9ecf18e95003519accfd471abae6d780edf8188bb7764

  • SSDEEP

    24576:dkNGq8rz/q6tsP05X+ef1XeMiQA+NLVtk2Otk:YGpz5X+e9TNE2O+

Malware Config

Extracted

Family

xworm

Version

5.0

C2

79.110.49.133:5700

Mutex

Bg9JRZDpyEfXxrAy

Attributes
  • install_file

    USB.exe

aes.plain

Targets

    • Target

      e01f8eba926374edca52502c8fb760cc1ac5fb70bd94c57123b05060fef13577.exe

    • Size

      1.1MB

    • MD5

      5394d35793386641283a5bb8eae359c2

    • SHA1

      78a477bc165707e1f3d6b2ce2b70aa73ffbafa23

    • SHA256

      e01f8eba926374edca52502c8fb760cc1ac5fb70bd94c57123b05060fef13577

    • SHA512

      28dda180125dd48cfac34d37e5601a5fe47ac38f2d677fd15388602fb0526f402dbf5052327b9f2700d9ecf18e95003519accfd471abae6d780edf8188bb7764

    • SSDEEP

      24576:dkNGq8rz/q6tsP05X+ef1XeMiQA+NLVtk2Otk:YGpz5X+e9TNE2O+

    • Detect Xworm Payload

    • UAC bypass

    • Windows security bypass

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Windows security modification

    • Checks whether UAC is enabled

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

3
T1562

Disable or Modify Tools

3
T1562.001

Modify Registry

4
T1112

Discovery

Query Registry

1
T1012

System Information Discovery

3
T1082

Tasks