General

  • Target

    Op menu.exe

  • Size

    39KB

  • Sample

    240621-mjg3pswcra

  • MD5

    3289f3423a4d15e142fe765710bf8580

  • SHA1

    155fa5b3a1e083f9175d3d8c8b2441f06eaadc17

  • SHA256

    a73192efa9195222589d66b2e229f4e5bfe6d0f5cbbc0f2a582cd74e1fcc8d78

  • SHA512

    3a09102eabaf035e78b34c9fac48362a4ca13c5b643ee799ede64eb4dbee8e918c2a51e298e9d5c03f8a45c1e692f5bf439307460107b9d8e06ffc80547b1987

  • SSDEEP

    768:n06VXEkRmv/OevQZ944KYrF0Kf9AFWP993z6dOMhdQs6MR:0uEkIXOhO00pFa93z6dOMHlhR

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

znvHMOP3GC3AYtf0

Attributes
  • Install_directory

    %AppData%

  • install_file

    Github Update.exe

  • pastebin_url

    https://pastebin.com/raw/2N4dpuHG

aes.plain

Targets

    • Target

      Op menu.exe

    • Size

      39KB

    • MD5

      3289f3423a4d15e142fe765710bf8580

    • SHA1

      155fa5b3a1e083f9175d3d8c8b2441f06eaadc17

    • SHA256

      a73192efa9195222589d66b2e229f4e5bfe6d0f5cbbc0f2a582cd74e1fcc8d78

    • SHA512

      3a09102eabaf035e78b34c9fac48362a4ca13c5b643ee799ede64eb4dbee8e918c2a51e298e9d5c03f8a45c1e692f5bf439307460107b9d8e06ffc80547b1987

    • SSDEEP

      768:n06VXEkRmv/OevQZ944KYrF0Kf9AFWP993z6dOMhdQs6MR:0uEkIXOhO00pFa93z6dOMHlhR

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks