General

  • Target

    $77-X.bat

  • Size

    310KB

  • Sample

    240527-al6gvsac75

  • MD5

    0df87c21c846f4ad6db596238e9ef503

  • SHA1

    255c312dd6eeebf721f4885b0b23a6ca93a8695b

  • SHA256

    4834211e93e75693c4160a7330bcda21b24edd87a84f10a8505a6dc9ba33ff8b

  • SHA512

    00eb13d025ee21296c62214e62cc459878a5254153b3059758e819c8e1e89af06262224a3ca5008c920c97239513844739d3d2d53d49ab062badecb9d21e98f9

  • SSDEEP

    6144:6697nb6/7s4OSfQjmkHlGuBv8bfA/69hEjMN7vz:6Irbqs4BfQS+gJjA/tI5vz

Malware Config

Extracted

Family

xworm

C2

uk2.localto.net:4782

Attributes
  • Install_directory

    %Userprofile%

  • install_file

    $77-Powershell.exe

Targets

    • Target

      $77-X.bat

    • Size

      310KB

    • MD5

      0df87c21c846f4ad6db596238e9ef503

    • SHA1

      255c312dd6eeebf721f4885b0b23a6ca93a8695b

    • SHA256

      4834211e93e75693c4160a7330bcda21b24edd87a84f10a8505a6dc9ba33ff8b

    • SHA512

      00eb13d025ee21296c62214e62cc459878a5254153b3059758e819c8e1e89af06262224a3ca5008c920c97239513844739d3d2d53d49ab062badecb9d21e98f9

    • SSDEEP

      6144:6697nb6/7s4OSfQjmkHlGuBv8bfA/69hEjMN7vz:6Irbqs4BfQS+gJjA/tI5vz

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to add Windows Defender exclusions for file extensions, paths, and processes, so the dropped payload and its install directory are not scanned.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its display window hidden, so the user sees no console.

    • Checks computer location settings

      Reads the country code configured in the registry, likely as a geofence check before continuing.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
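The behaviours listed above can be turned into host-side detection logic. The following is an added example, not the sandbox's own signature code: it matches the report's behaviours (Defender exclusions added via PowerShell, hidden PowerShell window, registry country-code read, Run-key persistence, external IP lookup, the dropped install file and the extracted C2 endpoint) against constructed command-line and network log lines. The C2 host, port and install file name come from the report's extracted configuration; the log line format, the list of IP lookup services, the registry key assumed for the country-code check and the verdict thresholds are assumptions made for this example.

```python
"""Match the behaviours listed in this report against command-line and
network log lines.

Added illustration; not the sandbox's own signature logic. The C2 endpoint
and install file name are taken from the report's extracted config. The log
format, the list of IP lookup services and the registry key used for the
country-code check are assumptions made for this example.
"""
import re

# IOCs from the report's extracted Xworm configuration.
C2_HOST = "uk2.localto.net"
C2_PORT = 4782
INSTALL_FILE = "$77-Powershell.exe"

# Assumption: common public IP lookup services; the report does not name the one used.
IP_LOOKUP_HOSTS = ("api.ipify.org", "icanhazip.com", "ifconfig.me",
                   "checkip.dyndns.org", "ipinfo.io")

# One regex per behaviour in the report. Patterns are case-insensitive so that
# PowerShell's abbreviated and mixed-case switches (-w hidden, -WindowStyle Hidden) match.
RULES = [
    # PowerShell adding Defender exclusions for paths, processes or extensions.
    ("defender_exclusion",
     r"(?:Add|Set)-MpPreference\b.*-Exclusion(?:Path|Process|Extension)"),
    # PowerShell launched with its window hidden (-w h, -win hidden, -WindowStyle Hidden).
    ("hidden_window",
     r"powershell(?:\.exe)?\b.*-w(?:in(?:dowstyle)?)?\s+h(?:idden)?\b"),
    # Persistence via a Run key write (reg.exe or the PowerShell registry cmdlets).
    ("run_key_persistence",
     r"(?:reg(?:\.exe)?\s+add|Set-ItemProperty|New-ItemProperty|RegSetValue)"
     r".*CurrentVersion\\Run(?:Once)?\b"),
    # Assumption: the country-code lookup reads the user's Geo setting under this key.
    ("geofence_registry_read", r"Control Panel\\International\\Geo"),
    # Connection to a public IP lookup service.
    ("ip_lookup", r"\b(?:" + "|".join(re.escape(h) for h in IP_LOOKUP_HOSTS) + r")\b"),
    # Connection to the extracted C2 host, with or without the port.
    ("c2_connection", re.escape(C2_HOST) + rf"(?::{C2_PORT})?\b"),
    # The dropped install file appearing anywhere in a log line.
    ("install_file", re.escape(INSTALL_FILE)),
]
COMPILED = [(name, re.compile(pat, re.IGNORECASE)) for name, pat in RULES]

# Constructed log lines in a Sysmon-like "Type: detail" shape; not from the report.
SAMPLE_LOG = [
    'CommandLine: powershell.exe -NoProfile -Command "Get-Process | Select-Object Name"',
    'CommandLine: powershell.exe -WindowStyle Hidden -Command "Add-MpPreference '
    '-ExclusionPath \'C:\\Users\\victim\' -ExclusionProcess \'$77-Powershell.exe\'"',
    'CommandLine: powershell -w hidden -ep bypass Add-MpPreference -ExclusionExtension .exe',
    'CommandLine: reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run '
    '/v $77-Powershell /t REG_SZ /d C:\\Users\\victim\\$77-Powershell.exe',
    'RegistryRead: HKCU\\Control Panel\\International\\Geo\\Nation',
    'NetConnect: $77-Powershell.exe -> api.ipify.org:443',
    'NetConnect: $77-Powershell.exe -> uk2.localto.net:4782',
]


def scan(lines):
    """Return (line_number, rule_name) for every rule that matches a line; 1-based."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for name, pattern in COMPILED:
            if pattern.search(line):
                hits.append((number, name))
    return hits


def summarize(lines):
    """Count matches per rule, so a quick look shows which behaviours are present."""
    counts = {}
    for _, name in scan(lines):
        counts[name] = counts.get(name, 0) + 1
    return counts


def verdict(lines):
    """Assumption for this example: a C2 hit, or Defender tampering combined with
    Run-key persistence, is enough to call the host an Xworm-style infection."""
    seen = set(summarize(lines))
    if "c2_connection" in seen or {"defender_exclusion", "run_key_persistence"} <= seen:
        return "xworm-like"
    return "suspicious" if seen else "clean"


if __name__ == "__main__":
    for number, name in scan(SAMPLE_LOG):
        print(f"line {number}: {name}")
    print(summarize(SAMPLE_LOG), verdict(SAMPLE_LOG))
```

The benign first line produces no hits, the two exclusion commands are caught in both their long-form and abbreviated spellings, and the C2 line alone is enough for the "xworm-like" verdict. The install-file rule fires on every line that names the process, which is intentional: on a live host the file name is the cheapest pivot back to the process tree.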

MITRE ATT&CK Enterprise v15

Tasks