General

  • Target

    UltraHook.exe

  • Size

    893KB

  • Sample

    240531-2vj4rshc84

  • MD5

    efa221122fddad38326e19b1fcd3f3e2

  • SHA1

    53d92cbb4d48b7892c4671756f0e19cb27258a84

  • SHA256

    cf21cb5e211d67c2fd4f9da05036d6654f412756dbce68c171932eba347e6a14

  • SHA512

    af0ddc2da5437f6ed8cb74a312bf62adc749ae9092449969d81023f00bc5f34c4b526175189d7c2cc6666e6bf32c3f2049b52e4c4ea938ebe2a6916495f44b21

  • SSDEEP

    24576:0VDTk3iXN0xaQ9ur9hYWVqCwMmIlBKvohMSHB0LA5:uomm79kY8336o6pM

Malware Config

Extracted

Family

xworm

Attributes

  • Install_directory

    %AppData%

  • install_file

    svchost.exe

  • pastebin_url

    https://pastebin.com/raw/Jt9Xgc6v

Targets

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths and processes.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops desktop.ini file(s)

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger
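The extracted config and the behaviour signatures above translate directly into host and network triage rules: an `svchost.exe` that is not the one in `%SystemRoot%\System32` (or `SysWOW64`), a PowerShell command line that adds Defender exclusions, a fetch of the raw paste (Xworm typically retrieves its C2 host and port from such a paste at runtime), and a request to a public external-IP lookup service. The following is an added example, not code from the sandbox or from the sample; the event records are constructed to resemble process-creation and network telemetry, the `C:` system drive and the list of IP-lookup hosts are assumptions (the report does not name the service the sample used), and the rule names reuse the signature titles from this report.

```python
"""Triage rules derived from the Xworm config and signatures in this report.

Added example; events below are constructed, not captured from the sample.
"""
import re
from dataclasses import dataclass

# Values taken from the report's extracted config.
INSTALL_FILE = "svchost.exe"
PASTEBIN_URL = "https://pastebin.com/raw/Jt9Xgc6v"

# Where a genuine svchost.exe lives (assumes the system drive is C:).
LEGIT_SVCHOST_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Assumed list of public IP-lookup hosts; the report does not name the one used.
IP_LOOKUP_HOSTS = ("api.ipify.org", "ip-api.com", "icanhazip.com", "ipinfo.io")

# Add-MpPreference / Set-MpPreference with any -Exclusion* switch.
DEFENDER_EXCLUSION_RE = re.compile(
    r"(add|set)-mppreference\b.*-exclusion(path|extension|process)", re.IGNORECASE
)


@dataclass
class Event:
    kind: str          # "process" or "network"
    image: str = ""    # full path of the created process
    cmdline: str = ""  # its command line
    url: str = ""      # requested URL for network events


def _norm(path: str) -> str:
    """Normalise separators and case so path prefixes compare reliably."""
    return path.replace("/", "\\").lower()


def masquerading_svchost(image: str) -> bool:
    """svchost.exe started from anywhere other than the system directories."""
    p = _norm(image)
    return p.endswith("\\" + INSTALL_FILE) and not p.startswith(LEGIT_SVCHOST_DIRS)


def defender_exclusion(cmdline: str) -> bool:
    """PowerShell adding Defender exclusions (the report's PowerShell signature)."""
    return DEFENDER_EXCLUSION_RE.search(cmdline) is not None


def pastebin_raw(url: str) -> bool:
    """Raw paste fetch: the config's pastebin_url used as a dead-drop resolver."""
    return re.match(r"https?://pastebin\.com/raw/", url, re.IGNORECASE) is not None


def ip_lookup(url: str) -> bool:
    """Request to one of the assumed external-IP lookup services."""
    host = re.sub(r"^https?://", "", url, flags=re.IGNORECASE).split("/")[0].lower()
    return host in IP_LOOKUP_HOSTS


def triage(events):
    """Return (rule, evidence) pairs for every event matching a rule."""
    findings = []
    for e in events:
        if e.kind == "process":
            if masquerading_svchost(e.image):
                findings.append(("Drops startup file / Executes dropped EXE", e.image))
            if defender_exclusion(e.cmdline):
                findings.append(("Command and Scripting Interpreter: PowerShell", e.cmdline))
        elif e.kind == "network":
            if pastebin_raw(e.url):
                findings.append(("Legitimate hosting services abused for malware hosting/C2", e.url))
            if ip_lookup(e.url):
                findings.append(("Looks up external IP address via web service", e.url))
    return findings


# Constructed sample telemetry (not from the sandbox run).
SAMPLE_EVENTS = [
    Event("process", image=r"C:\Windows\System32\svchost.exe", cmdline="svchost.exe -k netsvcs"),
    Event("process", image=r"C:\Users\victim\AppData\Roaming\svchost.exe", cmdline="svchost.exe"),
    Event("process", image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          cmdline='powershell -Command "Add-MpPreference -ExclusionPath C:\\Users\\victim\\AppData\\Roaming"'),
    Event("network", url=PASTEBIN_URL),
    Event("network", url="https://api.ipify.org/"),
    Event("network", url="https://www.microsoft.com/"),
]

if __name__ == "__main__":
    for rule, evidence in triage(SAMPLE_EVENTS):
        print(f"{rule}: {evidence}")
```

The `svchost.exe` check is the one most worth porting to real telemetry: the config's `%AppData%\svchost.exe` only looks legitimate by name, and a path prefix test against the system directories separates it from the real service host without relying on hashes that change between builds.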

MITRE ATT&CK Enterprise v15