General

  • Target

    conhost.exe

  • Size

    37KB

  • Sample

    240601-l945gsae93

  • MD5

    b37dd1a1f0507baf993471ae1b7a314c

  • SHA1

    9aff9d71492ffff8d51f8e8d67f5770755899882

  • SHA256

    e58e8918a443c0061add029f8f211f6551a130202195cc2b9b529ea72553e0bc

  • SHA512

    ac76d5b10540eb292341f30c7abfd81f03be65f6655c814aba6ac6a0ecf4f0f2c34c3b8e63ceef8c4579f98b7459e51b9fdd30d601c6d1930860ab7c154da460

  • SSDEEP

    384:QLkOcLcXlZqfeKcNUdowdFW6rHpE4LvCyzo8y9rcvxeXCm789LlrrpkFA+LT79LB:mko/ma6h6rV1EJKFV9XI6ROhh1JYDR

Malware Config

Extracted

Family

xworm

Version

5.0

C2

testarosa.duckdns.org:7110

Mutex

5ZpeoOe6AtQfr6wU

Attributes
  • Install_directory

    %AppData%

  • install_file

    Ondrive.exe

aes.plain

Targets

    • Target

      conhost.exe

    • Size

      37KB

    • MD5

      b37dd1a1f0507baf993471ae1b7a314c

    • SHA1

      9aff9d71492ffff8d51f8e8d67f5770755899882

    • SHA256

      e58e8918a443c0061add029f8f211f6551a130202195cc2b9b529ea72553e0bc

    • SHA512

      ac76d5b10540eb292341f30c7abfd81f03be65f6655c814aba6ac6a0ecf4f0f2c34c3b8e63ceef8c4579f98b7459e51b9fdd30d601c6d1930860ab7c154da460

    • SSDEEP

      384:QLkOcLcXlZqfeKcNUdowdFW6rHpE4LvCyzo8y9rcvxeXCm789LlrrpkFA+LT79LB:mko/ma6h6rV1EJKFV9XI6ROhh1JYDR

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

MITRE ATT&CK Enterprise v15

Tasks