General

  • Target

    start.exe

  • Size

    45KB

  • Sample

    240525-j3lnfsbe28

  • MD5

    4c5b426c09fb2da1939cb77594dbfbe5

  • SHA1

    a423cd7319fbb3e95dfb7dca7744c14091c9a5df

  • SHA256

    b68fc7ea0cfca083aa1a0485d4410db801ed1105bc8fe33fc258e7bef56894e9

  • SHA512

    ec4875d71d652e8e2de598bb9122cff16723712f7af3e32b7716a92cc1d32005124b4ebd28e7cafc299580b19e17f9295f81236692f2aa09408164a5590b13b9

  • SSDEEP

    768:8urlDweV3OOVbADM9W1v9NfgkBpuAuREcNclblVvD4xeVhKfkeLbFEPa9pv5f6iJ:8ADweQKADMkV9GkSAcRaNlZrO1/FJ9N3

Malware Config

Extracted

Family

xworm

Version

5.0

C2

0.tcp.eu.ngrok.io:11614

Mutex

d3YsjeOcB3LIFyRk

Attributes
  • Install_directory

    %AppData%

  • install_file

    svhost.exe

aes.plain

Targets

    • Target

      start.exe

    • Size

      45KB

    • MD5

      4c5b426c09fb2da1939cb77594dbfbe5

    • SHA1

      a423cd7319fbb3e95dfb7dca7744c14091c9a5df

    • SHA256

      b68fc7ea0cfca083aa1a0485d4410db801ed1105bc8fe33fc258e7bef56894e9

    • SHA512

      ec4875d71d652e8e2de598bb9122cff16723712f7af3e32b7716a92cc1d32005124b4ebd28e7cafc299580b19e17f9295f81236692f2aa09408164a5590b13b9

    • SSDEEP

      768:8urlDweV3OOVbADM9W1v9NfgkBpuAuREcNclblVvD4xeVhKfkeLbFEPa9pv5f6iJ:8ADweQKADMkV9GkSAcRaNlZrO1/FJ9N3

    • Detect Xworm Payload

    • UAC bypass

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Sets file execution options in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

MITRE ATT&CK Enterprise v15

Tasks