General

  • Target

    systeminformer.bat

  • Size

    408KB

  • Sample

    240627-jcsdbayfje

  • MD5

    34d172bddcf176f4a3c85f2b8083850c

  • SHA1

    6e4fd033d2ed62b464db43b6af1f5bb0e9283a46

  • SHA256

    ecb640f4a29fea8d3fb020aa2b41bdc446703c4b1ede6b5c72621229b270bf42

  • SHA512

    c52171f7c68902cfe5da18b2a76a59c5a27f1cec92ee330f57f18f9b257079b49d5ff445f4251ad13ba5886e274d5286e062c39cac3a77bbef71909502ab3516

  • SSDEEP

    12288:z4MdFDVqDtPSt2dbWRZpti8C6lhzFAxsbmC:z4UoSCAjti8C6l9eHC

Malware Config

Extracted

Family

xworm

C2

case-shield.gl.at.ply.gg:26501

Attributes
  • Install_directory

    %Userprofile%

  • install_file

    system.exe

Targets

    • Target

      systeminformer.bat

    • Size

      408KB

    • MD5

      34d172bddcf176f4a3c85f2b8083850c

    • SHA1

      6e4fd033d2ed62b464db43b6af1f5bb0e9283a46

    • SHA256

      ecb640f4a29fea8d3fb020aa2b41bdc446703c4b1ede6b5c72621229b270bf42

    • SHA512

      c52171f7c68902cfe5da18b2a76a59c5a27f1cec92ee330f57f18f9b257079b49d5ff445f4251ad13ba5886e274d5286e062c39cac3a77bbef71909502ab3516

    • SSDEEP

      12288:z4MdFDVqDtPSt2dbWRZpti8C6lhzFAxsbmC:z4UoSCAjti8C6l9eHC

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its display window hidden.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to add Windows Defender exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory
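The configuration and behaviour list above are enough to write a small host-telemetry matcher. The Python below is an added example, not part of the report or of the sandbox's own detection logic: it checks constructed Sysmon-style file, process, registry and network events (the schema, field names and sample events are the example's own) against the sample hash, the C2 host and port, the install path, and the hidden-PowerShell, Defender-exclusion and Run-key behaviours listed above. It assumes %Userprofile% resolves under <drive>:\Users\<name> and accepts either Run or RunOnce in any hive, since the report does not say which key is used. The C2 is matched on hostname and port rather than a resolved address, because *.ply.gg names are tunnel endpoints whose IP is the tunnelling service's, not the operator's.

```python
"""Match host telemetry against the XWorm indicators from this report.

Added example: the event schema, field names and sample events below are
constructed for illustration and are not from the report or the sandbox.
"""
import re
from collections import Counter

# Indicators copied from the report.
SAMPLE_SHA256 = "ecb640f4a29fea8d3fb020aa2b41bdc446703c4b1ede6b5c72621229b270bf42"
C2_HOST = "case-shield.gl.at.ply.gg"
C2_PORT = 26501
INSTALL_FILE = "system.exe"  # install_file, dropped into %Userprofile%

# Assumption: %Userprofile% is <drive>:\Users\<name>; quotes are stripped before matching.
INSTALL_PATH = re.compile(r"^[a-z]:\\users\\[^\\]+\\" + re.escape(INSTALL_FILE) + r"$", re.I)
# "Runs PowerShell with its display window hidden": -w hidden / -WindowStyle Hidden.
HIDDEN_PS = re.compile(r"powershell(?:\.exe)?\b.*?-w(?:indowstyle)?\s+hidden", re.I)
# "Adds Windows Defender exclusions": Add-MpPreference with any -Exclusion* parameter.
DEFENDER_EXCL = re.compile(r"Add-MpPreference\b.*?-Exclusion(?:Path|Extension|Process)\b", re.I)
# Assumption: the report does not name the hive, so accept Run/RunOnce under any.
RUN_KEYS = (r"\currentversion\run", r"\currentversion\runonce")


def _unquote(s: str) -> str:
    return s.strip().strip("\"'")


def is_install_path(path: str) -> bool:
    """True if path is <drive>:\\Users\\<name>\\system.exe (quotes ignored)."""
    return bool(INSTALL_PATH.match(_unquote(path)))


def match_event(ev: dict) -> list:
    """Return the indicator tags an event triggers (empty list if none)."""
    tags = []
    kind = ev.get("type")
    if kind == "file":
        if ev.get("sha256", "").lower() == SAMPLE_SHA256:
            tags.append("known_sample_hash")
        if is_install_path(ev.get("path", "")):
            tags.append("install_file_dropped")
    elif kind == "process":
        cmd = ev.get("cmdline", "")
        if HIDDEN_PS.search(cmd):
            tags.append("hidden_powershell")
        if DEFENDER_EXCL.search(cmd):
            tags.append("defender_exclusion")
        if is_install_path(ev.get("image", "")):
            tags.append("install_file_executed")
    elif kind == "registry":
        key = ev.get("key", "").lower()
        if key.endswith(RUN_KEYS) and is_install_path(ev.get("data", "")):
            tags.append("run_key_persistence")
    elif kind == "network":
        if ev.get("dest_host", "").lower() == C2_HOST and ev.get("dest_port") == C2_PORT:
            tags.append("c2_connection")
    return tags


def scan(events):
    """(index, tags) for every event that triggered at least one indicator."""
    return [(i, t) for i, ev in enumerate(events) if (t := match_event(ev))]


def summarize(events) -> dict:
    """Count how often each indicator fired across the event stream."""
    return dict(Counter(tag for _, tags in scan(events) for tag in tags))


# Constructed events following the report's behaviour list (not real telemetry).
EVENTS = [
    {"type": "file", "path": r"C:\Users\victim\Downloads\systeminformer.bat", "sha256": SAMPLE_SHA256},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -WindowStyle Hidden -Command Add-MpPreference -ExclusionPath 'C:\Users\victim' -ExclusionProcess system.exe"},
    {"type": "file", "path": r"C:\Users\victim\system.exe", "sha256": "0" * 64},  # hash of the dropped file is not in the report
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "system", "data": r'"C:\Users\victim\system.exe"'},
    {"type": "process", "image": r"C:\Users\victim\system.exe", "cmdline": r'"C:\Users\victim\system.exe"'},
    {"type": "network", "image": r"C:\Users\victim\system.exe", "dest_host": "case-shield.gl.at.ply.gg", "dest_port": 26501},
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},  # benign control
]

if __name__ == "__main__":
    for i, tags in scan(EVENTS):
        print(i, EVENTS[i]["type"], tags)
    print(summarize(EVENTS))
```

The per-event tags map back to the signatures above (hidden PowerShell, Defender exclusions, Run key, dropped and executed install file, C2 connection); the benign notepad event produces no tags, which is the check that the patterns are not simply matching any process creation.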

MITRE ATT&CK Enterprise v15

Tasks