General

  • Target

    notepad.exe

  • Size

    7.7MB

  • Sample

    240824-jh96bazdqd

  • MD5

    5dc898e0f4a504cf08b3bf1121108cfd

  • SHA1

    ebccf6c07546640bcd6db32d99cf3e1a30a415c9

  • SHA256

    14cd22fbf91e4e47cd635359460b65f57ebc39b68956db35b55090890b4a2dcf

  • SHA512

    a0ef35d1f21ef2703c27946a57830db25b6ad7f8d01d4439021887f82198d07a4f62417c99590deb29d0c9ea4028d84f72ee37955653f63f57dfe37c90b0db02

  • SSDEEP

    98304:BiB2pC6XG4HNkq5UKPhc24Y1/QPldHVTgPNhV0ADXqQgpkWDRIZVMnu0jjD8ueJY:hcUG4raKu24YY7HVT4hV0AD6QgqKRgX

Malware Config

Extracted

Family

xworm

C2

83.38.19.195:1603

Attributes
  • Install_directory

    %Temp%

  • install_file

    Runtime Broker.exe

Targets

    • Target

      notepad.exe

    • Size

      7.7MB

    • MD5

      5dc898e0f4a504cf08b3bf1121108cfd

    • SHA1

      ebccf6c07546640bcd6db32d99cf3e1a30a415c9

    • SHA256

      14cd22fbf91e4e47cd635359460b65f57ebc39b68956db35b55090890b4a2dcf

    • SHA512

      a0ef35d1f21ef2703c27946a57830db25b6ad7f8d01d4439021887f82198d07a4f62417c99590deb29d0c9ea4028d84f72ee37955653f63f57dfe37c90b0db02

    • SSDEEP

      98304:BiB2pC6XG4HNkq5UKPhc24Y1/QPldHVTgPNhV0ADXqQgpkWDRIZVMnu0jjD8ueJY:hcUG4raKu24YY7HVT4hV0AD6QgqKRgX

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks