General

  • Target

    setup.exe

  • Size

    73KB

  • Sample

    240622-ngnm5swckd

  • MD5

    9003126cef8cf36eca17f1e51eaf8394

  • SHA1

    6f7941dc4c5bb1818a519482537ea231e4ba8ab8

  • SHA256

    ac30d7a03c46c90f1f8270ac6dc2a7001373b2b16567d7753f174fd33c047ed2

  • SHA512

    eacfc7a4030cbaab1926d660b5ea2fa69d9ba2e18bb690822bab474b9fb296d49150af25a8565dd51ad3a4d4da648e365610969829835d480fce4e16b0285dac

  • SSDEEP

    1536:mPN8fc4tabwG764lxyTfogb8cCijEnxH8w6nNOON3c7G:UN8f9abwGLHyZb876qWVNOON6G

Malware Config

Extracted

Family

xworm

C2

sebeee-39917.portmap.io:39917

Attributes
  • Install_directory

    %AppData%

  • install_file

    RuntimeBroker.exe

Targets

    • Target

      setup.exe

    • Size

      73KB

    • MD5

      9003126cef8cf36eca17f1e51eaf8394

    • SHA1

      6f7941dc4c5bb1818a519482537ea231e4ba8ab8

    • SHA256

      ac30d7a03c46c90f1f8270ac6dc2a7001373b2b16567d7753f174fd33c047ed2

    • SHA512

      eacfc7a4030cbaab1926d660b5ea2fa69d9ba2e18bb690822bab474b9fb296d49150af25a8565dd51ad3a4d4da648e365610969829835d480fce4e16b0285dac

    • SSDEEP

      1536:mPN8fc4tabwG764lxyTfogb8cCijEnxH8w6nNOON3c7G:UN8f9abwGLHyZb876qWVNOON6G

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks