General

Target: xdwd.exe
Size: 80KB
Sample: 240805-xf4gmsvdpm
MD5: 3ade831c97437e1846fbf4916c3294cd
SHA1: 54dbe45ba91a1a554c8cd807d2b55d50b4e8e4aa
SHA256: d08fe746864d0cd1878ae16004cb6e598ccf59b15a36110daa1fbd870a86718d
SHA512: 7b684c6c4287bb5fdc5059a82b3599f13936417288cbb76cdbcfa100be4edac744790b8b364bc6184be3a34544d0df9c0b2ed7b61b7c5be0c36a4b3e91c9e5f7
SSDEEP: 1536:mA8z0y19O6edHYBW8j6bZIW+MjM0aK6jOeuNDIEjh:mF39qd4b6b6Wg0OOeuyEN
Behavioral task: behavioral1
Sample: xdwd.exe
Resource: win10v2004-20240802-en
Malware Config

Extracted family: xworm
Version: 3.1
Install_directory: %LocalAppData%
install_file: USB.exe
pastebin_url: https://pastebin.com/raw/gf3CpGLZ (raw Pastebin paste the bot fetches to obtain its C2 address; this is the legitimate hosting service flagged in the signatures below)
Targets

Target: xdwd.exe (80KB; MD5, SHA1, SHA256, SHA512 and SSDEEP identical to the General section above)
Score: 10/10

Signatures:
- Detect Xworm Payload
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
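The three behaviours above that leave a process-creation trail (PowerShell adding Defender exclusions, a Run key write, a scheduled task creation) can be turned into endpoint detections. The following is an added example, not code from the Tria.ge report or from the sample: it runs three hand-written rules over process-creation records (image path plus command line, as carried by Sysmon Event ID 1 or Security Event ID 4688) and tags each hit with whether the command line points at the install path from the extracted config (%LocalAppData%\USB.exe). The regex rules are the author's own, not Tria.ge's signatures, and the SAMPLE_EVENTS are constructed to resemble the described behaviour; they are not the sample's real command lines.

```python
"""Detection rules for the behaviours listed in the sandbox signatures above.

Added example; this is not code from the Tria.ge report or from the sample.
It evaluates three rules over process-creation records (image path plus
command line, as carried by Sysmon Event ID 1 or Security Event ID 4688):
Defender exclusions added via PowerShell, Run-key persistence written with
reg.exe, and scheduled-task creation. Each hit is also checked against the
install path from the extracted config (%LocalAppData%\\USB.exe).
The SAMPLE_EVENTS below are constructed for the demo; they are not the
sample's real command lines.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Values taken from the "Malware Config" section of the report.
INSTALL_DIR_ENV = "LocalAppData"
INSTALL_FILE = "USB.exe"


@dataclass
class ProcEvent:
    image: str      # full path of the created process
    cmdline: str    # its command line


@dataclass
class Alert:
    rule: str
    attack_id: str
    matches_config: bool   # True if the command line points at %LocalAppData%\USB.exe
    cmdline: str


# Rule 1: PowerShell adding Windows Defender exclusions (T1059.001).
_POWERSHELL_IMAGE = re.compile(r"(^|\\)(powershell|pwsh)\.exe$", re.I)
_MP_EXCLUSION = re.compile(
    r"\b(Add|Set)-MpPreference\b[^|;]*-Exclusion(Path|Extension|Process)\b", re.I)

# Rule 2: Run key written via reg.exe (T1547.001).
_REG_ADD = re.compile(r"\breg(\.exe)?\s+add\b", re.I)
_RUN_KEY = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\b", re.I)

# Rule 3: scheduled task creation (T1053.005).
_SCHTASKS_CREATE = re.compile(r"\bschtasks(\.exe)?\s+/create\b", re.I)

# Config-derived indicator: the literal %LocalAppData% form or its expanded
# C:\Users\<user>\AppData\Local form, followed by the install file name.
_INSTALL_PATH = re.compile(
    r"(%" + INSTALL_DIR_ENV + r"%|\\AppData\\Local)\\" + re.escape(INSTALL_FILE), re.I)


def evaluate(ev: ProcEvent) -> list[Alert]:
    """Return the alerts raised by one process-creation event."""
    hits: list[tuple[str, str]] = []
    if _POWERSHELL_IMAGE.search(ev.image) and _MP_EXCLUSION.search(ev.cmdline):
        hits.append(("defender_exclusion_via_powershell", "T1059.001"))
    if _REG_ADD.search(ev.cmdline) and _RUN_KEY.search(ev.cmdline):
        hits.append(("run_key_persistence", "T1547.001"))
    if _SCHTASKS_CREATE.search(ev.cmdline):
        hits.append(("scheduled_task_created", "T1053.005"))
    points_at_install = _INSTALL_PATH.search(ev.cmdline) is not None
    return [Alert(rule, tid, points_at_install, ev.cmdline) for rule, tid in hits]


def run(events: list[ProcEvent]) -> list[Alert]:
    """Evaluate every event and return all alerts in order."""
    return [a for ev in events for a in evaluate(ev)]


# Constructed sample events (not from the sandbox run): three that should
# fire, two benign look-alikes that should not.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell -Command Add-MpPreference -ExclusionPath "C:\Users\victim\AppData\Local\USB.exe"'),
    ProcEvent(r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /create /f /sc minute /mo 1 /tn "USB" /tr "C:\Users\victim\AppData\Local\USB.exe"'),
    ProcEvent(r"C:\Windows\System32\reg.exe",
              r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v USB /t REG_SZ /d "%LocalAppData%\USB.exe" /f'),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell -Command Get-MpPreference'),
    ProcEvent(r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /query /tn "\Microsoft\Windows\Defrag\ScheduledDefrag"'),
]


if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        flag = "config-match" if alert.matches_config else "generic"
        print(f"{alert.attack_id} {alert.rule} [{flag}]: {alert.cmdline}")
```

The generic rules will also fire on administrators adding exclusions or creating tasks, so the matches_config flag is what should drive severity: a hit that references the configured install path is a family-specific indicator, a hit without it is a lead to triage. Note that Run keys written through the registry API (as opposed to reg.exe) do not show up in process-creation events; that case needs registry-write telemetry such as Sysmon Event ID 13.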
MITRE ATT&CK Enterprise v15

Tactic | Technique | Sub-technique | Matches
Execution | Command and Scripting Interpreter (T1059) | PowerShell (T1059.001) | 1
Execution | Scheduled Task/Job (T1053) | Scheduled Task (T1053.005) | 1
Persistence | Boot or Logon Autostart Execution (T1547) | Registry Run Keys / Startup Folder (T1547.001) | 1
Persistence | Scheduled Task/Job (T1053) | Scheduled Task (T1053.005) | 1
Privilege Escalation | Boot or Logon Autostart Execution (T1547) | Registry Run Keys / Startup Folder (T1547.001) | 1
Privilege Escalation | Scheduled Task/Job (T1053) | Scheduled Task (T1053.005) | 1