General

  • Target

    $77-Loader.exe

  • Size

    269KB

  • Sample

    240527-ak9g5ahc9s

  • MD5

    1e5dca7624bede5defb3006616566321

  • SHA1

    cebd46b0517f0081238f22f848bb1c98e88a7d29

  • SHA256

    ad154938cd996370a456640152ef662faf363af1382bce7c31ece36a1d77a2ec

  • SHA512

    2aaa992f1dececb7a9f1f56c120470a33317370e0897229425b3fdd9a1a3f46639b31481d6fdf784c99874a05e1cb1dbf99db089e8affdb6daa553d5f279bc0c

  • SSDEEP

    6144:4kGh0ZB3HzbQ+1GCs2K3w1M999YVz62r3S2k:4kLRl1GCsJ2M322

Malware Config

Extracted

Family

xworm

C2

uk2.localto.net:9979

Attributes
  • Install_directory

    %Userprofile%

  • install_file

    $77-Powershell.exe

Targets

    • Target

      $77-Loader.exe

    • Size

      269KB

    • MD5

      1e5dca7624bede5defb3006616566321

    • SHA1

      cebd46b0517f0081238f22f848bb1c98e88a7d29

    • SHA256

      ad154938cd996370a456640152ef662faf363af1382bce7c31ece36a1d77a2ec

    • SHA512

      2aaa992f1dececb7a9f1f56c120470a33317370e0897229425b3fdd9a1a3f46639b31481d6fdf784c99874a05e1cb1dbf99db089e8affdb6daa553d5f279bc0c

    • SSDEEP

      6144:4kGh0ZB3HzbQ+1GCs2K3w1M999YVz62r3S2k:4kLRl1GCsJ2M322

    • Detect Xworm Payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Sets service image path in registry

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks