General

  • Target

    nvidiaProfileInspector.exe

  • Size

    1.8MB

  • Sample

    240531-xykggsah85

  • MD5

    e0b1472b85920288a66e65b48b8884b0

  • SHA1

    7a44c82977af3d1a5b4ede4075f85f2f072d6fe8

  • SHA256

    73f01444d5cbdbcbc706e18997fa4fc6274a55b5d3b3649afbecfce29e34c1c9

  • SHA512

    e574685bd3dcb0ae12eeb77a10595cb5e45edf560e7072b67402d056a985d367f8941fd96a7f603279e04621e069d1a7551ee901016fd2f17f715abe060c7e0f

  • SSDEEP

    49152:t4mYl9buIheTzaOQnKPfqoxOwatAlHyMZDOFUvy:KDl9buIheTzaOQnKPfqoxOwatiH3ZDn

Malware Config

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:7777

45.145.41.147:7777

Note: 127.0.0.1:7777 is a loopback address and can never be reached from an infected host, so it is not a usable network indicator; only 45.145.41.147:7777 is actionable for blocking or hunting.

Mutex

5N4ZirqATbPp1e8c

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    WinBackup.exe

  • aes.plain

Targets

    • Target

      nvidiaProfileInspector.exe

    • Size

      1.8MB

    • MD5

      e0b1472b85920288a66e65b48b8884b0

    • SHA1

      7a44c82977af3d1a5b4ede4075f85f2f072d6fe8

    • SHA256

      73f01444d5cbdbcbc706e18997fa4fc6274a55b5d3b3649afbecfce29e34c1c9

    • SHA512

      e574685bd3dcb0ae12eeb77a10595cb5e45edf560e7072b67402d056a985d367f8941fd96a7f603279e04621e069d1a7551ee901016fd2f17f715abe060c7e0f

    • SSDEEP

      49152:t4mYl9buIheTzaOQnKPfqoxOwatAlHyMZDOFUvy:KDl9buIheTzaOQnKPfqoxOwatiH3ZDn

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes so the dropped payload is not scanned.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

      Usually indicates that a payload is being injected into another (typically suspended) process, as in process hollowing.
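The behaviours in the signature list above, combined with the indicators from the extracted config, translate directly into host telemetry detections. The script below is an added example (not part of the sandbox report and not the sandbox's own signature logic): it runs a small set of rules over constructed Sysmon-style events (process creation, file creation, registry value set, network connection) and reports which report behaviours each line exhibits. The `Add-MpPreference -Exclusion*` cmdlet form and the list of IP-lookup hostnames are assumptions, since the report only says that PowerShell adds exclusions and that a "legitimate IP lookup service" is queried; the loopback C2 entry is deliberately left out of the indicator set. The mutex is not covered because this kind of telemetry does not record mutex creation.

```python
import re

# Indicators from the report's extracted config (Malware Config section).
# 127.0.0.1:7777 is listed there too but is left out on purpose: loopback
# traffic never leaves the host, so it is not a usable network indicator.
C2_ENDPOINTS = {("45.145.41.147", 7777)}
INSTALL_PATH_SUFFIX = r"\programdata\winbackup.exe"  # %ProgramData%\WinBackup.exe, expanded

# Patterns for the behaviours in the signature list. The cmdlet and parameter
# names are an assumption about how the Defender exclusions are added; the
# report only says PowerShell adds extension, path and process exclusions.
DEFENDER_EXCLUSION = re.compile(
    r"Add-MpPreference\b.*?-Exclusion(Path|Process|Extension)\b", re.IGNORECASE)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
# Assumed IP-lookup services; the report does not name the one actually used.
IP_LOOKUP_HOSTS = {"api.ipify.org", "ip-api.com", "icanhazip.com", "ipinfo.io"}


def parse_event(line):
    """Parse one 'Key=Value|Key=Value' telemetry line into a dict."""
    fields = {}
    for part in line.rstrip("\n").split("|"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def match_event(ev):
    """Return the names of every report behaviour this single event exhibits."""
    hits = []
    eid = ev.get("EventID")
    image = ev.get("Image", "").lower()
    if eid == "1":  # process creation
        if "powershell" in image and DEFENDER_EXCLUSION.search(ev.get("CommandLine", "")):
            hits.append("defender_exclusion_via_powershell")
        if image.endswith(INSTALL_PATH_SUFFIX):
            hits.append("executes_dropped_exe")
    elif eid == "11":  # file created
        if ev.get("TargetFilename", "").lower().endswith(INSTALL_PATH_SUFFIX):
            hits.append("drops_install_file")
    elif eid == "13":  # registry value set
        if (RUN_KEY.search(ev.get("TargetObject", ""))
                and INSTALL_PATH_SUFFIX in ev.get("Details", "").lower()):
            hits.append("run_key_persistence")
    elif eid == "3":  # network connection
        dest = (ev.get("DestinationIp", ""), int(ev.get("DestinationPort", "0") or 0))
        if dest in C2_ENDPOINTS:
            hits.append("c2_connection")
        if ev.get("DestinationHostname", "").lower() in IP_LOOKUP_HOSTS:
            hits.append("external_ip_lookup")
    return hits


def scan(lines):
    """Map behaviour name -> 1-based line numbers of the events that triggered it."""
    found = {}
    for n, line in enumerate(lines, 1):
        for hit in match_event(parse_event(line)):
            found.setdefault(hit, []).append(n)
    return found


def verdict(found):
    """Run-key persistence plus either C2 traffic or a Defender exclusion is a confident match."""
    strong = {"c2_connection", "defender_exclusion_via_powershell"}
    return bool(found.get("run_key_persistence")) and bool(strong & set(found))


# Constructed sample telemetry shaped after the report's behaviours; the SID,
# user name and non-C2 addresses (TEST-NET ranges) are made up for the example.
SAMPLE_EVENTS = [
    r"EventID=1|Image=C:\Users\u\Downloads\nvidiaProfileInspector.exe|CommandLine=nvidiaProfileInspector.exe",
    r"EventID=1|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath C:\ProgramData",
    r"EventID=11|Image=C:\Users\u\Downloads\nvidiaProfileInspector.exe|TargetFilename=C:\ProgramData\WinBackup.exe",
    r"EventID=13|TargetObject=HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\WinBackup|Details=C:\ProgramData\WinBackup.exe",
    r"EventID=1|Image=C:\ProgramData\WinBackup.exe|CommandLine=C:\ProgramData\WinBackup.exe",
    r"EventID=3|Image=C:\ProgramData\WinBackup.exe|DestinationIp=127.0.0.1|DestinationPort=7777",
    r"EventID=3|Image=C:\ProgramData\WinBackup.exe|DestinationIp=45.145.41.147|DestinationPort=7777",
    r"EventID=3|Image=C:\ProgramData\WinBackup.exe|DestinationIp=203.0.113.10|DestinationPort=443|DestinationHostname=api.ipify.org",
    r"EventID=3|Image=C:\Program Files\Firefox\firefox.exe|DestinationIp=198.51.100.7|DestinationPort=443",
]

if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for name, lines in sorted(hits.items()):
        print(f"{name:<34} lines {lines}")
    print("xworm-like activity:", verdict(hits))
```

The loopback connection on line 6 of the sample intentionally produces no hit, which is the point of dropping 127.0.0.1 from the indicator set. The rules match on the install path suffix rather than the literal `%ProgramData%` string because telemetry records the expanded path.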

MITRE ATT&CK Enterprise v15

Tasks