General

  • Target

    file.exe

  • Size

    1.0MB

  • Sample

    241111-z3ah7azmcr

  • MD5

    bf265e0055178b2aa642fc6df2ae5f40

  • SHA1

    f692cbf19ecf33a48ddefa2b615ea979fa5633b4

  • SHA256

    9b0021640b636a39ab43bfff88e5dca26161e8cd4da26596f0c3068fb7659642

  • SHA512

    c20bfffbe194f551dfaeab68579b89f5c4fb8d5bb90d80b516f008a4debc009505d059e03a404d08605f903be1126c1600e96786369a7abe6813842ab36cae3d

  • SSDEEP

    12288:BCQdkpj9XCQR9Fo+lSEr/CAcHqpxr0H8totz8LfAz1uviBCGG4HgoKQJZNL:BVdujt9pAE0+rMN8LYzcyTAqJZNL

Malware Config

Targets

    • Target

      file.exe

    • Size

      1.0MB

    • MD5

      bf265e0055178b2aa642fc6df2ae5f40

    • SHA1

      f692cbf19ecf33a48ddefa2b615ea979fa5633b4

    • SHA256

      9b0021640b636a39ab43bfff88e5dca26161e8cd4da26596f0c3068fb7659642

    • SHA512

      c20bfffbe194f551dfaeab68579b89f5c4fb8d5bb90d80b516f008a4debc009505d059e03a404d08605f903be1126c1600e96786369a7abe6813842ab36cae3d

    • SSDEEP

      12288:BCQdkpj9XCQR9Fo+lSEr/CAcHqpxr0H8totz8LfAz1uviBCGG4HgoKQJZNL:BVdujt9pAE0+rMN8LYzcyTAqJZNL

    • Detect Xworm Payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Enumerates processes with tasklist

MITRE ATT&CK Enterprise v15

Tasks