General

  • Target: Output.exe
  • Size: 122KB
  • Sample: 240622-hznsza1dna
  • MD5: 3d9f689b6c9aa9ef3fcbc647f044dacc
  • SHA1: 641d0f75de3e5e88f65b13cee6f804f3572b4daf
  • SHA256: 20beb07629c53d1220308f60b755f092a18b8704c0b0a287f03a44d8dd746bbe
  • SHA512: 95748151d86c98a77bce771c5316e113b2820d3869278e3cbe4dabdd784ccb629f9b948f0865fc9f0b13777482cfe61f6093fb4edcec98f82104412678cbb1a1
  • SSDEEP: 3072:fptPBm8KL29+j/w9NgAwBzuNGKrOA+t9L05q4JMFEm:htZm8KL29+j/w92/gGIH+nLOJJMFE

Malware Config

Extracted

  • Family: xworm
  • Version: 3.0
  • C2: seems-radio.gl.at.ply.gg:2519
  • Attributes
    • Install_directory: %Temp%
    • install_file: USB.exe

Extracted

  • Family: xworm
  • Version: 5.0
  • C2: 147.185.221.20:33255
  • Mutex: L38G3mo1mQdyxT1M
  • Attributes
    • Install_directory: %Public%
    • install_file: Discord.exe

aes.plain

Targets

    • Target: Output.exe
    • Size: 122KB
    • MD5: 3d9f689b6c9aa9ef3fcbc647f044dacc
    • SHA1: 641d0f75de3e5e88f65b13cee6f804f3572b4daf
    • SHA256: 20beb07629c53d1220308f60b755f092a18b8704c0b0a287f03a44d8dd746bbe
    • SHA512: 95748151d86c98a77bce771c5316e113b2820d3869278e3cbe4dabdd784ccb629f9b948f0865fc9f0b13777482cfe61f6093fb4edcec98f82104412678cbb1a1
    • SSDEEP: 3072:fptPBm8KL29+j/w9NgAwBzuNGKrOA+t9L05q4JMFEm:htZm8KL29+j/w92/gGIH+nLOJJMFE

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks