General

  • Target

    Stand.Launchpad.exe

  • Size

    139KB

  • Sample

    240531-zc1yfscd61

  • MD5

    21c2b6ed573e2af143ca9abbc3e3947c

  • SHA1

    65462ec94e7a4f749cc5b81ee24eaa59f45c66c9

  • SHA256

    a7caa09c1ee4b7523ff673a2b646ec4e39c3bbe3c59b443a31e362944ac9f4de

  • SHA512

    86c56d29b04fb9007e96c3c5fe3bff16eac5974e74105ec12acd3e9f8f68eb34055571ac88ec5a15e9ba3c071d20ea1a1517f16472ba7aab406f03fd100d6db7

  • SSDEEP

    1536:6n5Jj8rRLDt0jJAJye62Ng8/rWv5jIySyV0ReTMIwDX+I5XHz12fxWhnbV:ALFrr2XjWRjEReoP112fxWhnbV

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:57023

Name1442-57023.portmap.host:57023

Attributes

  • Install_directory

    %Temp%

  • install_file

    Stand.exe

Targets

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks