General

  • Target

    Downloader.hta

  • Size

    914B

  • Sample

    240817-1etsla1cln

  • MD5

    7561c884abc8480eebe81244128b5e83

  • SHA1

    509574cd1b5d336e349ec699fb0f9b6720971728

  • SHA256

    6eb91b5cb7628b3cc4d6012456ca0aea4a5bb69cb6eb0fbe93a89e1d28f0c650

  • SHA512

    0d162a6075e2e0ac22c3aa0d268de51c98fc6c7936e0b5891d0ccbdcc3c199056843c78eadbdab393735cec88a1568de8a9e0f3cb150a43a659cab567994a82d

Malware Config

Extracted

Family

xworm

C2

lijaligibidu-35558.portmap.host:35558

Attributes

  • Install_directory

    %LocalAppData%

  • install_file

    Windows Security.exe

Targets

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Download via BitsAdmin

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Drops startup file

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15