General

  • Target

    d3cb334461ab9872b165ee1a3b316deb41b457ca227b491036f9ee49274996ae.exe

  • Size

    1.0MB

  • Sample

    240522-vtepbsac4y

  • MD5

    a17247378506d83bb0d37b5c1a0f654d

  • SHA1

    5a5e0a251935ab8d9a33dee4ae96e094f18e9c0d

  • SHA256

    d3cb334461ab9872b165ee1a3b316deb41b457ca227b491036f9ee49274996ae

  • SHA512

    21977587adee27694299d8ded2cb6e4945ef0b768186bcd6c67ebc749b9255bdf34e786c4dd4369029c4692ca085e029ed7d62439acc4b5c501fd372b2f9c275

  • SSDEEP

    24576:42kQjNXFD9wX+3zH6s5K4Z3L+M8ucAv23vUPqPmP:XOOmM3L+Ruc9CP

Malware Config

Extracted

Family

xworm

Version

5.0

C2

79.110.49.133:5700

Mutex

Bg9JRZDpyEfXxrAy

Attributes
  • install_file

    USB.exe

aes.plain

Targets

    • Target

      d3cb334461ab9872b165ee1a3b316deb41b457ca227b491036f9ee49274996ae.exe

    • Size

      1.0MB

    • MD5

      a17247378506d83bb0d37b5c1a0f654d

    • SHA1

      5a5e0a251935ab8d9a33dee4ae96e094f18e9c0d

    • SHA256

      d3cb334461ab9872b165ee1a3b316deb41b457ca227b491036f9ee49274996ae

    • SHA512

      21977587adee27694299d8ded2cb6e4945ef0b768186bcd6c67ebc749b9255bdf34e786c4dd4369029c4692ca085e029ed7d62439acc4b5c501fd372b2f9c275

    • SSDEEP

      24576:42kQjNXFD9wX+3zH6s5K4Z3L+M8ucAv23vUPqPmP:XOOmM3L+Ruc9CP

    • Detect Xworm Payload

    • UAC bypass

    • Windows security bypass

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Windows security modification

    • Checks whether UAC is enabled

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

3
T1562

Disable or Modify Tools

3
T1562.001

Modify Registry

4
T1112

Discovery

Query Registry

1
T1012

System Information Discovery

3
T1082

Tasks