General

  • Target

    Everything.exe

  • Size

    52KB

  • Sample

    240530-yry7qsha3t

  • MD5

    1c11d26c04f12d0aa0adb5eba5b66a33

  • SHA1

    94ddd2eaec2a90c275f8c81a9b160a793b941620

  • SHA256

    869206cacc085d36961241dfb05e7a723b032cbba0a403f5c02756b699ce2d80

  • SHA512

    b02998138ed32e9cf5d87b9040d82f3f738eda42a462e5322bc572d4f572a93704227b5d7b5f9f4e025084b741392214b75d2f0d427eb2a426ad751edcd3c7b6

  • SSDEEP

    1536:3VWI8/Kz8cY1h3s5XH7XGsbD/j/Bdj6YO89+:YI8M8GXvbD/9HO89+

Malware Config

Extracted

Family

xworm

Attributes
  • Install_directory

    %AppData%

  • install_file

    Runtime Broker.exe

  • pastebin_url

    https://pastebin.com/raw/kYPYyCCf

Targets

    • Target

      Everything.exe

    • Size

      52KB

    • MD5

      1c11d26c04f12d0aa0adb5eba5b66a33

    • SHA1

      94ddd2eaec2a90c275f8c81a9b160a793b941620

    • SHA256

      869206cacc085d36961241dfb05e7a723b032cbba0a403f5c02756b699ce2d80

    • SHA512

      b02998138ed32e9cf5d87b9040d82f3f738eda42a462e5322bc572d4f572a93704227b5d7b5f9f4e025084b741392214b75d2f0d427eb2a426ad751edcd3c7b6

    • SSDEEP

      1536:3VWI8/Kz8cY1h3s5XH7XGsbD/j/Bdj6YO89+:YI8M8GXvbD/9HO89+

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks