General

  • Target

    sem.exe

  • Size

    76KB

  • Sample

    240527-mb2r5sgc3s

  • MD5

    15966aaa6973e8710c21dbb9d232a5f2

  • SHA1

    99436fb15633ea4331872cacdcbde492df30dda1

  • SHA256

    ccf87c21e3783012b150a710bf7007ea3aac1b3cb6d2855a1fd78b40f0175da9

  • SHA512

    f35926607346f3472268a3c4f3106a929470211d47bd58230ac3e432208af204e4350a56fe7ec80865fbe80809c32a034cf356ce4db96fb57be6e9cf55da85fd

  • SSDEEP

    1536:krzQk6CJhnmHVC6KmzOAtdS2M6+bmoffx3HI3a6667chxVOuDErJB:SACbi06KNAtdSc+bmQ4qu7chxVOuDEdB

Malware Config

Extracted

Family

xworm

C2

sent-down.gl.at.ply.gg:2905

Attributes

  • Install_directory

    %AppData%

  • install_file

    sys.exe

Targets

    • Target

      sem.exe

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks