General

  • Target

    DeadPayload.exe

  • Size

    500KB

  • Sample

    241031-dx72lszngm

  • MD5

    32a460b41d3309d8fd5512dce58357d9

  • SHA1

    b83e6686de15c57184ae8b8be80d0b5b323f3712

  • SHA256

    0287c741bae11fcfebf9f7d81b1f663379f531855ef381faecdc006ef689c25c

  • SHA512

    dc8e37a4aa54519b7578247b9a95b70a446667c15f799ba30dcf14a49858ed2dfa79287476532f62d7e6c44de372dd9035e5d881794c7266dab31c6955fd15e4

  • SSDEEP

    12288:f3DTkV1ilKya0FOUuQ0gH+kmtbF6W05EJXp107sd7:3kGTy

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

bbz3FQzIYGOJF400

Attributes

  • Install_directory

    %Public%

  • install_file

    ohh.exe

  • pastebin_url

    https://pastebin.com/raw/J09JweeH


Targets


    • Detect Xworm Payload

    • Modifies visibility of file extensions in Explorer

    • Modifies visibility of hidden/system files in Explorer

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Sets service image path in registry

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks