General

  • Target

    DeadPayload.exe

  • Size

    500KB

  • Sample

    241031-d3zmesygrn

  • MD5

    4a074763fefc39705063179d602cb366

  • SHA1

    e5014b2f025c9fa8a58f265fe4233c2774095496

  • SHA256

    a52cdd40e995d838593804e964976362151e99bb7ee2400368c854c32960a104

  • SHA512

    79ad341501fd56e7c542344ded704fa2fb8368a97bfca3f0d0b38ecb8cdc1f7f685a58095cd225b047c1abb972ff34ddcf996c54d2c607998868b24cd078d45e

  • SSDEEP

    12288:f3DTkV1ilKya0FOUuQ0gH+kmtbF6W05EJXp107sd7:3kGTy

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

bbz3FQzIYGOJF400

Attributes
  • Install_directory

    %Public%

  • install_file

    ohh.exe

  • pastebin_url

    https://pastebin.com/raw/J09JweeH

aes.plain

Targets

    • Target

      DeadPayload.exe

    • Size

      500KB

    • MD5

      4a074763fefc39705063179d602cb366

    • SHA1

      e5014b2f025c9fa8a58f265fe4233c2774095496

    • SHA256

      a52cdd40e995d838593804e964976362151e99bb7ee2400368c854c32960a104

    • SHA512

      79ad341501fd56e7c542344ded704fa2fb8368a97bfca3f0d0b38ecb8cdc1f7f685a58095cd225b047c1abb972ff34ddcf996c54d2c607998868b24cd078d45e

    • SSDEEP

      12288:f3DTkV1ilKya0FOUuQ0gH+kmtbF6W05EJXp107sd7:3kGTy

    • Detect Xworm Payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Command and Scripting Interpreter: PowerShell

Runs a command via powershell.exe.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext
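The extracted config (mutex, install directory, install file, pastebin URL) and the behavioural signatures above (dropped EXE executed, C2 bootstrap over pastebin) translate directly into host and network indicators. The following Python is an added example, not part of the sandbox report or of any XWorm tooling: it derives those indicators from the config values listed on this page and runs them over a handful of constructed Sysmon-style events. The event field names, the resolution of %Public% to C:\Users\Public, and the existence of a mutex-creation event (Sysmon does not log mutexes; a sandbox or EDR API trace would) are assumptions made for the example.

```python
"""Added example: turn the XWorm config extracted above into IOCs and match
them against constructed telemetry. Not the sandbox's own code."""
import hashlib
import ntpath
import re
from urllib.parse import urlsplit

# Values copied verbatim from the report's "Malware Config" block.
XWORM_CONFIG = {
    "mutex": "bbz3FQzIYGOJF400",
    "install_directory": "%Public%",
    "install_file": "ohh.exe",
    "pastebin_url": "https://pastebin.com/raw/J09JweeH",
}

# File hashes listed under "General" for DeadPayload.exe.
KNOWN_HASHES = {
    "md5": "4a074763fefc39705063179d602cb366",
    "sha1": "e5014b2f025c9fa8a58f265fe4233c2774095496",
    "sha256": "a52cdd40e995d838593804e964976362151e99bb7ee2400368c854c32960a104",
}

# Assumption: %Public% resolves to the default Windows location.
DEFAULT_ENV = {"Public": r"C:\Users\Public"}


def expand_env(path, env=None):
    """Expand %VAR% tokens case-insensitively, the way cmd.exe does."""
    lookup = {k.lower(): v for k, v in (env or DEFAULT_ENV).items()}
    return re.sub(r"%([^%]+)%",
                  lambda m: lookup.get(m.group(1).lower(), m.group(0)), path)


def indicators(cfg=XWORM_CONFIG, env=None):
    """Derive host and network IOCs from the extracted config."""
    install_path = ntpath.join(expand_env(cfg["install_directory"], env),
                               cfg["install_file"])
    return {
        "install_path": install_path.lower(),   # NTFS paths are case-insensitive
        "mutex": cfg["mutex"],                  # mutex names are case-sensitive
        "c2_bootstrap_url": cfg["pastebin_url"],
        "c2_bootstrap_host": urlsplit(cfg["pastebin_url"]).hostname,
    }


def match_events(events, iocs):
    """Return (index, reason) for every event that hits one of the IOCs."""
    hits = []
    for i, ev in enumerate(events):
        kind = ev.get("type")
        if kind == "file_create" and ev.get("path", "").lower() == iocs["install_path"]:
            hits.append((i, "file dropped at configured install path"))
        elif kind == "process_create" and ev.get("image", "").lower() == iocs["install_path"]:
            hits.append((i, "dropped EXE executed from install path"))
        elif kind == "mutex_create" and ev.get("name") == iocs["mutex"]:
            hits.append((i, "XWorm mutex created"))
        elif kind == "dns_query" and ev.get("query", "").lower() == iocs["c2_bootstrap_host"]:
            hits.append((i, "lookup of C2 bootstrap host"))
        elif kind == "http_request" and ev.get("url") == iocs["c2_bootstrap_url"]:
            hits.append((i, "fetch of C2 address from pastebin"))
    return hits


def hash_matches(data, known=KNOWN_HASHES):
    """Names of the report's hashes that match the given file bytes."""
    return [name for name, digest in known.items()
            if hashlib.new(name, data).hexdigest() == digest]


# Constructed telemetry for the example; paths and parent names are invented.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Users\victim\Downloads\DeadPayload.exe",
     "parent": "explorer.exe"},
    {"type": "file_create", "path": r"C:\Users\Public\ohh.exe",
     "image": r"C:\Users\victim\Downloads\DeadPayload.exe"},
    {"type": "process_create", "image": r"C:\Users\Public\OHH.EXE",
     "parent": "DeadPayload.exe"},
    {"type": "mutex_create", "name": "bbz3FQzIYGOJF400"},
    {"type": "dns_query", "query": "pastebin.com"},
    {"type": "http_request", "url": "https://pastebin.com/raw/J09JweeH"},
    {"type": "dns_query", "query": "www.microsoft.com"},   # benign, must not hit
]

if __name__ == "__main__":
    for idx, reason in match_events(SAMPLE_EVENTS, indicators()):
        print(f"event {idx}: {reason}")
```

The pastebin URL is only the bootstrap: the actual C2 address is whatever the paste returns, so a network rule keyed on pastebin.com alone will be noisy; pair it with the host indicators (the %Public%\ohh.exe drop and execution, and the mutex where your telemetry exposes it). `hash_matches` is there for confirming a recovered file against the report's hashes; it is not a hunting primitive, since a rebuilt payload changes every hash.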

MITRE ATT&CK Enterprise v15

Tasks