General

  • Target

    DECODE.cmd

  • Size

    45B

  • Sample

    240622-ejba6axanh

  • MD5

    192fb1216e724815c62a31a0e982695c

  • SHA1

    7de5d0f2254c6798f63223a4325cc77558b075eb

  • SHA256

    b1c0500a672ae53b1b166ee3840d0bfdc072ebce461c6b5d0343d5d46a7bead2

  • SHA512

    3d6c7fc11d6ff0991f2973673c59a1b92e90671227bc3001ee0f4ddc1868fee2102a1c1f4cfc9e81836958f19ddd31ca3235d3cb7af937915dae4bc3846d089c

Malware Config

Extracted

  • Family

    xworm

  • C2

    147.185.221.18:41012

  • Attributes

    • Install_directory

      %Userprofile%

    • install_file

      USBhelper.exe

Extracted

  • Family

    xworm

  • Version

    3.1

  • C2

    adult-purchased.gl.at.ply.gg:13795

  • Mutex

    JkvPSJefttV1yu2t

  • Attributes

    • install_file

      USB.exe

    • aes.plain

Targets

    • Target

      DECODE.cmd

    • Size

      45B

    • MD5

      192fb1216e724815c62a31a0e982695c

    • SHA1

      7de5d0f2254c6798f63223a4325cc77558b075eb

    • SHA256

      b1c0500a672ae53b1b166ee3840d0bfdc072ebce461c6b5d0343d5d46a7bead2

    • SHA512

      3d6c7fc11d6ff0991f2973673c59a1b92e90671227bc3001ee0f4ddc1868fee2102a1c1f4cfc9e81836958f19ddd31ca3235d3cb7af937915dae4bc3846d089c

    • Detect Xworm Payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Downloads MZ/PE file

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks