General
-
Target
BootstrapperNew.exe
-
Size
2.9MB
-
Sample
250304-1ffx5a1xcy
-
MD5
252177d06315973a76fdaaca7caa5143
-
SHA1
8af1e7c8eee8e0f89dacffffea3725a51f4804e9
-
SHA256
4ec13f5a477ff33e2c1ef8b67496c4dd074461649b97f559182e6d706b72e7ee
-
SHA512
bda36550ea73ec17f6fc24461ce117edaf1e112fcbead63f61fd8a15076c1178fa33fea485304b6d03b0f19243663bc68cda89d4a2001a0f475ec780c83f804e
-
SSDEEP
49152:x9FDefja16jgYFYYl+YKJIPFPAa8+gXhclErIG5s1+O4jGSuZV/dcz/ThhHmlUO5:lef+16jh9nuQAncl+Iic+36/dc3XGuOd
Malware Config
Extracted
https://github.com/charlie-60/R/raw/refs/heads/main/MasonRootkit.exe
https://raw.githubusercontent.com/ninhpn1337/Disable-Windows-Defender/main/source.bat
Extracted
xworm
-
Install_directory
%port%
-
install_file
svchost.exe
-
pastebin_url
https://pastebin.com/raw/GMv8QPCE
Targets
-
-
Target
BootstrapperNew.exe
-
Size
2.9MB
-
MD5
252177d06315973a76fdaaca7caa5143
-
SHA1
8af1e7c8eee8e0f89dacffffea3725a51f4804e9
-
SHA256
4ec13f5a477ff33e2c1ef8b67496c4dd074461649b97f559182e6d706b72e7ee
-
SHA512
bda36550ea73ec17f6fc24461ce117edaf1e112fcbead63f61fd8a15076c1178fa33fea485304b6d03b0f19243663bc68cda89d4a2001a0f475ec780c83f804e
-
SSDEEP
49152:x9FDefja16jgYFYYl+YKJIPFPAa8+gXhclErIG5s1+O4jGSuZV/dcz/ThhHmlUO5:lef+16jh9nuQAncl+Iic+36/dc3XGuOd
Score10/10-
Contains code to disable Windows Defender
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Detect Xworm Payload
-
Modifies Windows Defender Real-time Protection settings
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Blocklisted process makes network request
-
Command and Scripting Interpreter: PowerShell
Run Powershell and hide display window.
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Sets service image path in registry
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Indicator Removal: Clear Windows Event Logs
Clear Windows Event Logs to hide the activity of an intrusion.
-
Adds Run key to start application
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Obfuscated Files or Information: Command Obfuscation
Adversaries may obfuscate content during command execution to impede detection.
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Pre-OS Boot
1Bootkit
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
1Disable or Modify Tools
1Indicator Removal
1Clear Windows Event Logs
1Modify Registry
3Obfuscated Files or Information
1Command Obfuscation
1Pre-OS Boot
1Bootkit
1