General

  • Target

    SecurityHealthService.exe

  • Size

    444KB

  • Sample

    241113-mkc55stkhm

  • MD5

    73c088a54fd675be63ae50e1415bce9b

  • SHA1

    968ca108ce1d803f69cc3e1833d6d56615342169

  • SHA256

    e9cb28657a6dcd7e0f17f6e4f7d128351c389784bb027fdaba7f669794edc846

  • SHA512

    109d80075631fae4a952b972073677aafdb8b6c70d7e6ac1add6d6bfb5bee9a5227c3691d229a70ac67b993f37464b89efaf87b62f6646b135311e04419f9c09

  • SSDEEP

    6144:IhuPcWqUsvDuKolyqL1eLBXziQZm07wGj386cDrWTAdjiutNNStXL297RDc+BwZI:IMyUsbuKwmFifywGWBPNStyxRDc+S

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

QTumvC8IOVGR3m18

Attributes
  • install_file

    USB.exe

  • pastebin_url

    https://pastebin.com/raw/nV1XKCv3

  • aes.plain

Targets

    • Target

      SecurityHealthService.exe

    • Detect Xworm Payload

    • Modifies WinLogon for persistence

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext
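The extracted configuration and the behaviour signatures above translate directly into hunting logic. The following is an added example, not output from the sandbox run and not code from the XWorm family: it takes the indicators the report states (sample SHA256, mutex, pastebin raw URL, install_file) plus a Winlogon check and runs them over constructed Sysmon-style events embedded inline. The report only says that Winlogon is modified, not which value, so watching both the Shell and Userinit values and comparing them against their stock defaults is an assumption; the proxy and mutex event shapes are likewise assumed, since Sysmon itself does not log mutex creation. The proxy check is deliberately broader than the single configured URL and flags any pastebin.com/raw/ fetch, because the family's use of the service is what the "legitimate hosting services abused" signature captures.

```python
"""Hunt for the XWorm behaviours listed in the report across Sysmon-style events.
Added example; indicator values come from the report, event data is constructed."""
import re

# Indicators taken directly from the report's extracted config and hashes.
IOC = {
    "sha256": "e9cb28657a6dcd7e0f17f6e4f7d128351c389784bb027fdaba7f669794edc846",
    "mutex": "QTumvC8IOVGR3m18",
    "pastebin_url": "https://pastebin.com/raw/nV1XKCv3",
    "install_file": "USB.exe",
}

# Winlogon values commonly abused for logon persistence. Which value this sample
# touches is NOT stated in the report, so both are watched (assumption).
WINLOGON_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
WINLOGON_DEFAULTS = {               # stock data; anything else is suspicious
    "Shell": "explorer.exe",
    "Userinit": r"C:\Windows\system32\userinit.exe,",
}

def check_registry(ev):
    """Sysmon EID 13 (value set): flag a Winlogon Shell/Userinit write whose
    new data differs from the default."""
    key, _, value = ev.get("TargetObject", "").rpartition("\\")
    if key.lower() != WINLOGON_KEY.lower() or value not in WINLOGON_DEFAULTS:
        return None
    data = ev.get("Details", "")
    if data.strip().lower() == WINLOGON_DEFAULTS[value].lower():
        return None
    return f"winlogon_persistence:{value}={data}"

def check_proxy(ev):
    """Assumed web-proxy record: any pastebin raw fetch, which covers the
    configured pastebin_url and the family's other pastebin-hosted C2 pointers."""
    url = ev.get("Url", "")
    if url.lower().startswith("https://pastebin.com/raw/"):
        return f"pastebin_raw_fetch:{url}"
    return None

def check_process(ev):
    """Sysmon EID 1 (process create): the known sample hash or the install_file name."""
    m = re.search(r"SHA256=([0-9a-f]{64})", ev.get("Hashes", ""), re.I)
    image = ev.get("Image", "")
    if m and m.group(1).lower() == IOC["sha256"]:
        return f"known_sample_hash:{image}"
    if image.rsplit("\\", 1)[-1].lower() == IOC["install_file"].lower():
        return f"install_file_executed:{image}"
    return None

def check_mutex(ev):
    """Assumed EDR handle-trace record carrying the created mutex name."""
    if ev.get("MutexName") == IOC["mutex"]:
        return f"xworm_mutex:{IOC['mutex']}"
    return None

CHECKS = {1: check_process, 13: check_registry, "proxy": check_proxy, "mutex": check_mutex}

# Constructed telemetry for a lab host; not taken from the sandbox run.
EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\lab\Desktop\SecurityHealthService.exe",
     "Hashes": "SHA256=E9CB28657A6DCD7E0F17F6E4F7D128351C389784BB027FDABA7F669794EDC846"},
    {"EventID": 13, "TargetObject": WINLOGON_KEY + r"\Shell",
     "Details": r"explorer.exe, C:\Users\lab\AppData\Roaming\USB.exe"},
    {"EventID": 13, "TargetObject": WINLOGON_KEY + r"\Userinit",
     "Details": r"C:\Windows\system32\userinit.exe,"},          # default, benign
    {"EventID": "proxy", "Url": "https://pastebin.com/raw/nV1XKCv3"},
    {"EventID": "mutex", "MutexName": "QTumvC8IOVGR3m18"},
    {"EventID": 1, "Image": r"C:\Users\lab\AppData\Roaming\USB.exe",
     "Hashes": "SHA256=" + "0" * 64},                            # unknown hash, known name
    {"EventID": "proxy", "Url": "https://www.microsoft.com/"},  # benign
]

def hunt(events):
    """Return one finding string per event that matches a check, in event order."""
    hits = []
    for ev in events:
        check = CHECKS.get(ev.get("EventID"))
        result = check(ev) if check else None
        if result:
            hits.append(result)
    return hits

if __name__ == "__main__":
    for hit in hunt(EVENTS):
        print(hit)
```

The Winlogon comparison against the default data, rather than a simple "value was written" trigger, is what keeps the rule quiet on a clean host: installers and Windows servicing legitimately rewrite these values with their stock contents.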

MITRE ATT&CK Enterprise v15

Tasks