General

  • Target

    HyperCheck.exe

  • Size

    7.6MB

  • Sample

    241029-ysymlaxqct

  • MD5

    aec82b6c2e71c32e3800caacadea13fd

  • SHA1

    0ea2ddc7b4155eeec9d82148a1c6627e28d1b2ad

  • SHA256

    edd6c81eb424b866580a48f3b2750892e589fb1c03d82e6d541483f606fcef96

  • SHA512

    755c532e65b8fbd3f0d26350089896cd52385e988713b98b040896cb099c0963d257dc53bee4595922a5387d6f9c2176f2610ebac33ae61ecc8d9038ceaf1a93

  • SSDEEP

    196608:pOFuoTJre+RwTl4dNb/Mwj43K4eeIq779EVStdVxG4eEbfXAvKte:Wuire+Rm+NnZ4f9nG4eVie

Malware Config

Extracted

Family

xworm

Version

5.0

C2

visual-cities.gl.at.ply.gg:43645

Mutex

EaL3QDVCrsRN0yYr

Attributes

  • Install_directory

    %LocalAppData%

  • install_file

    System.exe

aes.plain

Targets

    • Target

      HyperCheck.exe

    • Size

      7.6MB

    • MD5

      aec82b6c2e71c32e3800caacadea13fd

    • SHA1

      0ea2ddc7b4155eeec9d82148a1c6627e28d1b2ad

    • SHA256

      edd6c81eb424b866580a48f3b2750892e589fb1c03d82e6d541483f606fcef96

    • SHA512

      755c532e65b8fbd3f0d26350089896cd52385e988713b98b040896cb099c0963d257dc53bee4595922a5387d6f9c2176f2610ebac33ae61ecc8d9038ceaf1a93

    • SSDEEP

      196608:pOFuoTJre+RwTl4dNb/Mwj43K4eeIq779EVStdVxG4eEbfXAvKte:Wuire+Rm+NnZ4f9nG4eVie

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks