General

  • Target

    Celex.exe

  • Size

    6.8MB

  • Sample

    240622-j1421s1hka

  • MD5

    d550b8fbf57f2876c8308c7fd52025e6

  • SHA1

    1933ff94dd7de1cbe01e71154053b7e46b1f61fb

  • SHA256

    0693684117df72f1c9ac9d4f84548c76de7bfc73f8abf41fc28f65767fe5ffad

  • SHA512

    63affe3499e5e371adff4b48898d36b09128c60d8f56e7593175fd4a4347f23b053601337633606e863a1497038775338bc3f3c6033eafbedb69f84dc372b510

  • SSDEEP

    196608:r3e3zeuPjIZyjUUM4QF8I6uDYoY5O8isZi2htfF:r3eL2yjP9QWygO8isZi2jfF

Malware Config

Extracted

Family

xworm

C2

185.216.70.22:7000

Attributes
  • Install_directory

    %AppData%

  • install_file

    GoogleUpdateCore.exe

Targets

    • Target

      Celex.exe

    • Size

      6.8MB

    • MD5

      d550b8fbf57f2876c8308c7fd52025e6

    • SHA1

      1933ff94dd7de1cbe01e71154053b7e46b1f61fb

    • SHA256

      0693684117df72f1c9ac9d4f84548c76de7bfc73f8abf41fc28f65767fe5ffad

    • SHA512

      63affe3499e5e371adff4b48898d36b09128c60d8f56e7593175fd4a4347f23b053601337633606e863a1497038775338bc3f3c6033eafbedb69f84dc372b510

    • SSDEEP

      196608:r3e3zeuPjIZyjUUM4QF8I6uDYoY5O8isZi2htfF:r3eL2yjP9QWygO8isZi2jfF

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks