General

  • Target

    DeadPayload.exe

  • Size

    500KB

  • Sample

    241031-dvstxaxkfx

  • MD5

    efd4fd7f3ed3bec39023550079bcc221

  • SHA1

    8e1a28db749991fdff8bd8247b3b91010388d7af

  • SHA256

    cb0d4f6c20eb759e8a8c6f39546d01dbd1dc9ab1576b386f0375314e8a177345

  • SHA512

    33c6d6070fa4213988973fc719fcd40ba1cb18cdbfb08e105d4b346a22be7247f4362456fd13a302055ec30cc61220d4b53bddfb188b03eb1e8b0af6e5b61120

  • SSDEEP

    12288:E3DTkV1ilKya0FOUuQ0gH+kmtbF6W05EJXp107sd7:+kGTy

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

bbz3FQzIYGOJF400

Attributes

  • Install_directory

    %Public%

  • install_file

    ohh.exe

  • pastebin_url

    https://pastebin.com/raw/J09JweeH

aes.plain

Targets

    • Target

      DeadPayload.exe

    • Detect Xworm Payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Sets service image path in registry

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Command and Scripting Interpreter: PowerShell

      Uses the powershell.exe command.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext
