General

  • Target

    DeadPayload.exe

  • Size

    500KB

  • Sample

    241031-dz7hvsygln

  • MD5

    6659a78bb41c4dcb180337d53b4b78ef

  • SHA1

    bfa60020724f02bf302c35b46c114ee771c0bffd

  • SHA256

    ee77265662c507c67f8e93d22176cef757d249f59b6f86954b8dfeb497f54019

  • SHA512

    e04fc2d838c849520d42ce7274d6af5d0d792ee0523ea5f0685b0fc7e67e2736ed6f764c908b08830c5fdb643ffcd4810993b77dd66decf7549dc65e8277f4bb

  • SSDEEP

    12288:X3DTkV1ilKya0FOUuQ0gH+kmtbF6W05EJXp107sd7:PkGTy

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

bbz3FQzIYGOJF400

Attributes

  • Install_directory

    %Public%

  • install_file

    ohh.exe

  • pastebin_url

    https://pastebin.com/raw/J09JweeH

aes.plain

Targets

    • Target

      DeadPayload.exe

    • Detect Xworm Payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Sets service image path in registry

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Command and Scripting Interpreter: PowerShell

      Uses a powershell.exe command.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15