General

  • Target: Wiz_Executor.exe
  • Size: 214KB
  • Sample: 240526-x3kytaha3x
  • MD5: 3796bc1f3419e1303eaf1849636fcada
  • SHA1: 6d2125ce2b8adf4339fc3303143e99baf1061e84
  • SHA256: 7ebd9a91b5cb8f85b9f06edb2b10bcc7a3e40c893c931c464d529bfe2944675b
  • SHA512: 64d906b61c027f910facf99a824f8977863e4d8a7642847c25f2bbf0dcc145cb7ccf8e293d618b9c784d2cf1f1e508952ab886077b146a0447329ec185204cf1
  • SSDEEP: 3072:TahKyd2n31q5GWp1icKAArDZz4N9GhbkrNEk16U63TSlmC46ST9KBKFIT:TahOyp0yN90QE1U63TSq6o++0

Malware Config

Extracted

  • Family: xworm
  • C2: wiz.bounceme.net:6000
  • Attributes
      • install_file: USB.exe
      • aes.plain

Targets

  • Target: Wiz_Executor.exe
  • Size: 214KB
  • MD5: 3796bc1f3419e1303eaf1849636fcada
  • SHA1: 6d2125ce2b8adf4339fc3303143e99baf1061e84
  • SHA256: 7ebd9a91b5cb8f85b9f06edb2b10bcc7a3e40c893c931c464d529bfe2944675b
  • SHA512: 64d906b61c027f910facf99a824f8977863e4d8a7642847c25f2bbf0dcc145cb7ccf8e293d618b9c784d2cf1f1e508952ab886077b146a0447329ec185204cf1
  • SSDEEP: 3072:TahKyd2n31q5GWp1icKAArDZz4N9GhbkrNEk16U63TSlmC46ST9KBKFIT:TahOyp0yN90QE1U63TSq6o++0

  • Detect Xworm Payload
  • Xworm
      Xworm is a remote access trojan written in C#.
  • Blocklisted process makes network request
  • Command and Scripting Interpreter: PowerShell
      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  • Checks computer location settings
      Looks up the country code configured in the registry, likely for geofencing.
  • Drops startup file
  • Executes dropped EXE
  • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks