General

  • Target

    WizClient5.exe

  • Size

    73KB

  • Sample

    240522-zqmyragc5z

  • MD5

    d1f0deefdb07b39c1e18729e4af99f9f

  • SHA1

    42aeb2f9ca2230bab8d731f31f812e83b33a2203

  • SHA256

    324217674377be614ac6cdb886d3daef10d68842061a90df2430faf281076898

  • SHA512

    67dc09db1b8d4dff43efa7f65c4cbca12e8a4cb2e187eb5632dab1e3c7ea268e4527a8dba416da1c92fe3fbe9e6b0337a0fea226083f4fb2cab69a7f01db00eb

  • SSDEEP

    1536:GUxpUnNr95mi/T+TbyObuR1rLjQM+0bAPCI68UOTmvRKJe4/:GUMNxTqTmObm174lLUOw8Jj/

Malware Config

Extracted

Family

xworm

C2

192.168.68.100:5552

wiz.bounceme.net:6000

Attributes
  • Install_directory

    %Userprofile%

  • install_file

    USB.exe

aes.plain

Targets

    • Target

      WizClient5.exe

    • Size

      73KB

    • MD5

      d1f0deefdb07b39c1e18729e4af99f9f

    • SHA1

      42aeb2f9ca2230bab8d731f31f812e83b33a2203

    • SHA256

      324217674377be614ac6cdb886d3daef10d68842061a90df2430faf281076898

    • SHA512

      67dc09db1b8d4dff43efa7f65c4cbca12e8a4cb2e187eb5632dab1e3c7ea268e4527a8dba416da1c92fe3fbe9e6b0337a0fea226083f4fb2cab69a7f01db00eb

    • SSDEEP

      1536:GUxpUnNr95mi/T+TbyObuR1rLjQM+0bAPCI68UOTmvRKJe4/:GUMNxTqTmObm174lLUOw8Jj/

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks