General

  • Target

    Stand.Launchpad.exe

  • Size

    141KB

  • Sample

    240531-y8ybrsda42

  • MD5

    acf3d7379d3fdd94dc25a5f4fba2b7ca

  • SHA1

    473a8720850bcf01de2fa7e9f8bec974fa9ea7a5

  • SHA256

    78245f94d0b369843b5aa7d56936ffb1b035bb16a4df863cabdaf3f986081afa

  • SHA512

    722baedd9b0cc3d00b2a2743021acb29e31d58013ea47925ec95b6183117bb138cb6cd6b5edafb4b36c96a56a952936acf862d51a9baf7d2678705c43df61479

  • SSDEEP

    1536:SFsrxU3GaRSBmnC6CFTBVu3o9xML7rHIhy6PBIx2WpZGCV:uslUDgxBVUWcIy6PaxJ6CV

Malware Config

Extracted

Family

xworm

Version

5.0

C2

testarosa.duckdns.org:7110

Mutex

5ZpeoOe6AtQfr6wU

Attributes

  • Install_directory

    %AppData%

  • install_file

    Ondrive.exe

  • aes.plain

Targets

    • Target

      Stand.Launchpad.exe

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Executes dropped EXE

MITRE ATT&CK Enterprise v15

Tasks