General

  • Target

    WizClient.exe

  • Size

    74KB

  • Sample

    241031-drxzfsyepj

  • MD5

    69cad671f60367927329bbd20f91bed7

  • SHA1

    9aa6c82982591ebc0c64cc94d2efaac7378bde86

  • SHA256

    dc94e48f4fd4cdf8049e6ac2ea9b65df93936015c50e26d0c8d6b2217e7d539b

  • SHA512

    bb4a49b2eada56d9d9c0fd7b7464447460e7bb84c6416f632295197562e65a456d33099799d3083684c45150ad362d036ee0eb843745272d5accab5ff9a525f4

  • SSDEEP

    1536:ObGA+5D6BRZ2Ka+QRPPN7cmKuZbN5NTEkIG6QOj89RnXqDnnl:ObGpsBRZ4d9bZbN3EAOA9RnXqLl

Malware Config

Extracted

Family

xworm

C2

141.98.252.138.224:5552 (value as extracted; it has five dotted groups, so it is not a valid IPv4 address and the C2 indicator should be re-verified against the sample before use in blocklists)

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

Targets

    • Target

      WizClient.exe

    • Size

      74KB

    • MD5

      69cad671f60367927329bbd20f91bed7

    • SHA1

      9aa6c82982591ebc0c64cc94d2efaac7378bde86

    • SHA256

      dc94e48f4fd4cdf8049e6ac2ea9b65df93936015c50e26d0c8d6b2217e7d539b

    • SHA512

      bb4a49b2eada56d9d9c0fd7b7464447460e7bb84c6416f632295197562e65a456d33099799d3083684c45150ad362d036ee0eb843745272d5accab5ff9a525f4

    • SSDEEP

      1536:ObGA+5D6BRZ2Ka+QRPPN7cmKuZbN5NTEkIG6QOj89RnXqDnnl:ObGpsBRZ4d9bZbN3EAOA9RnXqLl

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofence check.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application
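
The three host-side behaviours above (PowerShell Defender exclusions, a dropped executable under %AppData%, a Run key pointing at it) can be turned into detection logic over endpoint telemetry. The following is an added example, not part of this sandbox report and not code from the Xworm sample or the sandbox vendor: it runs over a constructed, Sysmon-style JSON event stream (the field names follow Sysmon Event IDs 1, 11 and 13; the paths, PIDs and SIDs are made up) and also correlates the findings so that a dropped file which is then both excluded from Defender and persisted via a Run key is reported as one chain rather than three isolated hits.

```python
"""Detect the Defender-exclusion / drop-to-%AppData% / Run-key chain.

Added example, not from the sandbox report or the sample. Input is
constructed Sysmon-like JSON lines (EventID 1 = process create,
11 = file create, 13 = registry value set); real telemetry would be
read from the event log or a SIEM instead.
"""
import json
import re

# Constructed sample telemetry (hypothetical paths, PIDs and SID).
# A raw string keeps the JSON backslash escapes intact for json.loads.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Image": "C:\\Users\\u\\Downloads\\WizClient.exe", "CommandLine": "WizClient.exe", "ProcessId": 4100}
{"EventID": 11, "Image": "C:\\Users\\u\\Downloads\\WizClient.exe", "TargetFilename": "C:\\Users\\u\\AppData\\Roaming\\USB.exe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Users\\u\\Downloads\\WizClient.exe", "CommandLine": "powershell -Command Add-MpPreference -ExclusionPath 'C:\\Users\\u\\AppData\\Roaming\\USB.exe'", "ProcessId": 4120}
{"EventID": 13, "Image": "C:\\Users\\u\\Downloads\\WizClient.exe", "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\USB", "Details": "C:\\Users\\u\\AppData\\Roaming\\USB.exe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe", "ProcessId": 4200}
"""

# Add-MpPreference with any of the three exclusion switches the report lists.
DEFENDER_EXCLUSION = re.compile(
    r"Add-MpPreference\b.*-Exclusion(?:Path|Extension|Process)\b", re.IGNORECASE)
# HKCU/HKU Run key (the "Adds Run key" behaviour).
RUN_KEY = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
# %AppData% expands to ...\AppData\Roaming; flag executables dropped directly there.
APPDATA_EXE = re.compile(r"\\AppData\\Roaming\\[^\\]+\.exe$", re.IGNORECASE)


def parse_events(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events):
    """Return (rule, source_image, detail) tuples for each matching event."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 1 and DEFENDER_EXCLUSION.search(ev.get("CommandLine", "")):
            # Attribute the exclusion to the parent that spawned PowerShell.
            findings.append(("defender_exclusion_via_powershell",
                             ev.get("ParentImage", ev["Image"]), ev["CommandLine"]))
        elif eid == 11 and APPDATA_EXE.search(ev.get("TargetFilename", "")):
            findings.append(("drops_exe_in_appdata", ev["Image"], ev["TargetFilename"]))
        elif eid == 13 and RUN_KEY.search(ev.get("TargetObject", "")):
            findings.append(("adds_run_key", ev["Image"], ev.get("Details", "")))
    return findings


def persistence_chain(findings):
    """Dropped %AppData% executables that are later excluded from Defender
    or registered under a Run key. Case-insensitive substring match, since
    the path appears quoted inside the PowerShell command line."""
    dropped = {detail for rule, _src, detail in findings
               if rule == "drops_exe_in_appdata"}
    chained = set()
    for rule, _src, detail in findings:
        if rule in ("adds_run_key", "defender_exclusion_via_powershell"):
            for path in dropped:
                if path.lower() in detail.lower():
                    chained.add(path)
    return chained


if __name__ == "__main__":
    found = detect(parse_events(SAMPLE_EVENTS))
    for rule, src, detail in found:
        print(f"{rule:36} {src} -> {detail}")
    for path in persistence_chain(found):
        print("persistence chain:", path)
```

On real data, EventID 13 does not fire for registry reads, so the geofence lookup listed above is not visible to this rule set; it would need the sandbox's own registry-query hooks or ETW registry tracing.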

MITRE ATT&CK Enterprise v15

Tasks