General

  • Target

    XWorm V5.2.exe

  • Size

    18.2MB

  • Sample

    240905-af3h1szfme

  • MD5

    bdc4539e8060d4db24a69db716a1cec0

  • SHA1

    71c2485bf1684e73f16a213568efcaa2cb88ce6f

  • SHA256

    c39cc9aaa0311fd1f6d981e995b608b0d36e464aea09896bd17b41bbd3fc1fe6

  • SHA512

    b2411923cf5c2e4f96682f73234c409eca38b1712413ec946b1d652a4ddc266376eebe02fd6878dc3fc379eff1307f09407bc06db576c462ded08a839087eb4f

  • SSDEEP

    393216:s+gzSUAx9phaAUnQeGUPG/uVeZ/K2B1CkcDUDLHK18as0mcvow+Ax:1CwUAQQLIG/5//CFU/qO0T

Malware Config

Extracted

Family

xworm

C2

uk1.localto.net:3725

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    svchost.exe

Targets

    • Detect Xworm Payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory
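The signatures above translate directly into host-level detections. The following is an added example (not part of the sandbox report or of XWorm itself) that runs four rules over a handful of constructed Sysmon-style events: svchost.exe executing outside System32/SysWOW64 (the %ProgramData%\svchost.exe install from the extracted config), PowerShell adding Defender exclusions, a Run key value pointing into %ProgramData%, and a network connection to the extracted C2 uk1.localto.net:3725. The event dicts, the SID, the victim paths and the install path C:\ProgramData are assumptions made for the example; only the C2 host/port, install directory and install file name come from the report.

```python
"""Detection rules for the behaviours in the XWorm report, run over constructed
Sysmon-style events. Added example; not part of the report or the malware."""
import re

# IOCs from the report's extracted config.
C2_HOST = "uk1.localto.net"
C2_PORT = 3725
INSTALL_NAME = "svchost.exe"
INSTALL_DIR = r"C:\ProgramData"  # %ProgramData% on a default install (assumption)

# Constructed events (assumed shape: dicts keyed by Sysmon field names).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
    {"EventID": 1, "Image": r"C:\ProgramData\svchost.exe",
     "ParentImage": r"C:\Users\victim\Desktop\XWorm V5.2.exe",
     "CommandLine": r'"C:\ProgramData\svchost.exe"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\ProgramData\svchost.exe",
     "CommandLine": "powershell -Command Add-MpPreference -ExclusionPath 'C:\\ProgramData' "
                    "-ExclusionProcess 'svchost.exe' -ExclusionExtension '.exe'"},
    {"EventID": 13, "Image": r"C:\ProgramData\svchost.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\svchost",
     "Details": r"C:\ProgramData\svchost.exe"},
    {"EventID": 3, "Image": r"C:\ProgramData\svchost.exe",
     "DestinationHostname": "uk1.localto.net", "DestinationPort": 3725},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationHostname": "example.org", "DestinationPort": 443},
]


def masquerading_svchost(ev):
    """Sysmon EID 1: svchost.exe executing from anywhere but System32/SysWOW64."""
    if ev.get("EventID") != 1:
        return None
    image = ev.get("Image", "")
    if image.lower().endswith("\\" + INSTALL_NAME) and not re.match(
            r"(?i)^c:\\windows\\(system32|syswow64)\\", image):
        return "svchost.exe outside System32: " + image
    return None


def defender_exclusion(ev):
    """Sysmon EID 1: PowerShell Add-MpPreference with any -Exclusion* switch."""
    if ev.get("EventID") != 1:
        return None
    cl = ev.get("CommandLine", "")
    if re.search(r"(?i)add-mppreference", cl) and re.search(
            r"(?i)-exclusion(path|process|extension)", cl):
        return "Defender exclusion added: " + cl
    return None


def run_key_persistence(ev):
    """Sysmon EID 13: Run key value whose data points into %ProgramData%."""
    if ev.get("EventID") != 13:
        return None
    key = ev.get("TargetObject", "")
    data = ev.get("Details", "")
    if re.search(r"(?i)\\currentversion\\run\\", key) and \
            data.lower().startswith(INSTALL_DIR.lower()):
        return f"Run key {key} -> {data}"
    return None


def c2_connection(ev):
    """Sysmon EID 3: connection to the extracted C2, or to any localto.net tunnel host."""
    if ev.get("EventID") != 3:
        return None
    host = ev.get("DestinationHostname", "").lower()
    if host == C2_HOST and ev.get("DestinationPort") == C2_PORT:
        return f"C2 connection to {host}:{C2_PORT}"
    if host.endswith(".localto.net"):
        return f"connection to localto.net tunnel host {host}"
    return None


RULES = [masquerading_svchost, defender_exclusion, run_key_persistence, c2_connection]


def scan(events):
    """Return (rule name, message) pairs for every event that matches a rule."""
    hits = []
    for ev in events:
        for rule in RULES:
            msg = rule(ev)
            if msg:
                hits.append((rule.__name__, msg))
    return hits


if __name__ == "__main__":
    for name, msg in scan(SAMPLE_EVENTS):
        print(f"[{name}] {msg}")
```

The svchost.exe path rule is the high-signal one: a genuine svchost.exe only ever runs from System32 or SysWOW64, so any other path is worth an alert on its own. The C2 rule only fires on EID 3 events that carry a DestinationHostname, which Sysmon fills in from a reverse lookup; if that lookup fails you will need to match on the resolved IP instead, and because localto.net is a tunnelling service the hostname, not the IP, is the stable indicator.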
