General

  • Target

    a504370334b058a77d2aeb53aec960261d6a6f4e34cda37b199f67978cbcfb89

  • Size

    3.2MB

  • Sample

    240621-cf3vwswakc

  • MD5

    5bd0be8a64177d78e328523387183790

  • SHA1

    cc1de773b27811c9cfbe327410a5b4378d7f6884

  • SHA256

    a504370334b058a77d2aeb53aec960261d6a6f4e34cda37b199f67978cbcfb89

  • SHA512

    1a868a5f9635bd3a631eec5cb98b0610f22e9434a1f9ba49396d26b62fa4327e83f3628cc70f6f426dabe431bfc3c86edd112ea17e1b73281c7d64bea9819174

  • SSDEEP

    6144:H4rsBTxAM2yERUGJyFwKVeu6Tv3fpqp9lC2FVRnAcNVK1V5dbfsop8wrkIjm:bB1fgJyrVevvpJIRA2VKTfcIi

Malware Config

Extracted

  • Family

    xworm

  • Version

    5.0

  • C2

    172.93.222.235:7725

  • Mutex

    EaDc0m9mpwzOMMwb

  • Attributes

    • install_file

      USB.exe

    • aes.plain

Targets

    • Detect Xworm Payload

    • UAC bypass

    • Windows security bypass

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence check.

    • Windows security modification

    • Checks whether UAC is enabled

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks