General

  • Target

    c3f26d18690f3fbdf70643c3eb07ac52.bin

  • Size

    512KB

  • Sample

    240621-d1yx4s1ejk

  • MD5

    632bf75a37f95d778edb9456c7025869

  • SHA1

    2540cf9606f78d63c6a550f4b96c41eece95bdf7

  • SHA256

    df6899275995a1100f0eb1663653331ad83784e780685c56c4dfb4e67bddbc0f

  • SHA512

    17ea3f3b4147e602623d6b1d9fe2dd8f208354b76f470e9d2537ee5e5c4a2c98254652c6f33a70074f4344ce8eca2d22ab57e739f80bb26154df994df231dee6

  • SSDEEP

    12288:dQOxAzEHnrUy0nriKLp7sQYIZ9bru+rZgw7lQCDUa:SOrUy02Yxee9NZgolQ0

Malware Config

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:7733

104.161.80.204:7733

Mutex

MG4IVIlXWOE4zUxO

Attributes
  • Install_directory

    %AppData%

  • install_file

    System.exe

aes.plain

Targets

    • Target

      aadf3698e4ec98b1fae321c2e2b4119f293faca1667d4eaf33a6718bef05b882.exe

    • Size

      2.8MB

    • MD5

      c3f26d18690f3fbdf70643c3eb07ac52

    • SHA1

      522a1bedd8ded607d0fa33f62546dc817704fbe4

    • SHA256

      aadf3698e4ec98b1fae321c2e2b4119f293faca1667d4eaf33a6718bef05b882

    • SHA512

      bdf6217ba6bcd5804520ccf6d43ca8ff9ba3e3c95b4b709e75a96414311b57a9b9a2804c6b4139b4a450dff005e4ada5dbc0d16e5c73ccbeccffba96a05a2b20

    • SSDEEP

      12288:ovUaGJweHZoIhci08NaWpPIOjBl8TitgkFoY8410ALEwlKn:EmjZeZIVpgO9l8vx5BIcn

    • Detect Xworm Payload

    • UAC bypass

    • Windows security bypass

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Looks for VirtualBox Guest Additions in registry

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks