General

  • Target

    x4rr.exe

  • Size

    200KB

  • Sample

    240621-h2j8kazhph

  • MD5

    68cb20861106daca8c5a347b8b4fac1b

  • SHA1

    9faa34aff1e704b593b308ca516777343b497369

  • SHA256

    ac8734f52d12c32450bd49a97fc803c730e4f03b89698bb49e9db473c7730400

  • SHA512

    9c0ff47641457dcd5d350d39e0c843568b97bb25ea45e086b9cfd2adbbcfa405ad0c2cbe18637409c7369c719e98b40984cde01e68b8a285a998dd318d33bfff

  • SSDEEP

    3072:uO2MN1EALtYwx4XqLqejJ3uW4biLseLQGfFJgcmodkUkJp9nK2jJWe96YTgWa:uIN1EAr4SeBid/eedEKMJWe96Yz

Malware Config

Extracted

  • Family

    xworm

  • C2

    127.0.0.1:13576

    edition-eat.gl.at.ply.gg:13576

Attributes
  • Install_directory

    %AppData%

  • install_file

    x4svchost.exe

Targets

    • Target

      x4rr.exe

    • Detect Xworm Payload

    • Modifies security service

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Sets service image path in registry

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks