General

  • Target: DeadPayload.exe
  • Size: 500KB
  • Sample: 241031-kp5d3svgpp
  • MD5: e17572fbbaaf169d770ca00615cf6cc7
  • SHA1: d24f1684ecbf1d3733a5d906e83169432997aa4c
  • SHA256: 8fc4d440c39b198722e1199f55abca65905b16a84f9df5538aacee5ffe621a47
  • SHA512: eae7205a4be7b5eec23de08333183df63624c280d544389ad9a893e4dd80ff2890156a8ae3aa0d184c19d000ff345506b9b060963573a8f6a2e903644e6b6b09
  • SSDEEP: 12288:33DTkV1ilKya0FOUuQ0gH+kmtbF6W05EJXp107sdzO:vkGTy

Malware Config

Extracted

Family: xworm

Version: 5.0

Mutex: QgVg78qW15uIsQ4H

Attributes
  • Install_directory: %Public%
  • install_file: ohh.exe
  • pastebin_url: https://pastebin.com/raw/J09JweeH

aes.plain

Targets

    • Target: DeadPayload.exe


    • Detect Xworm Payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Sets service image path in registry

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Command and Scripting Interpreter: PowerShell

      Uses the powershell.exe command.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks