General
-
Target
BootstrapperNew.exe
-
Size
2.9MB
-
Sample
250305-qgvgsszlt2
-
MD5
2326d97462601f0bf84459a19a23a307
-
SHA1
b6d153b9984ad82202997707fe5e4fd135d3afb6
-
SHA256
03cc93bdaefa6e5db157062dd90b796ff6a8f2f172e3be278e604ba9808f9ce4
-
SHA512
fccf56201ca30da42c15d769a1af38d87f8bdc0562327096893e81738ad7a4a7e3c00cb425144e1ffa10d9e0e0f39fdd7e5287f74f88e4aa971aa3cc3e988568
-
SSDEEP
49152:fCPqFzmYUMGs67ueIJdjo+fR60CqtZ4HdBJqlCmir3C7uXwonp1UECFgBT:f/DXVAu/kE69HHdB8lnirSSJqE+gT
Malware Config
Extracted
https://github.com/charlie-60/R/raw/refs/heads/main/MasonRootkit.exe
https://raw.githubusercontent.com/ninhpn1337/Disable-Windows-Defender/main/source.bat
Extracted
xworm
-
Install_directory
%port%
-
install_file
svchost.exe
-
pastebin_url
https://pastebin.com/raw/J42c6s7r
Targets
-
-
Target
BootstrapperNew.exe
-
Size
2.9MB
-
MD5
2326d97462601f0bf84459a19a23a307
-
SHA1
b6d153b9984ad82202997707fe5e4fd135d3afb6
-
SHA256
03cc93bdaefa6e5db157062dd90b796ff6a8f2f172e3be278e604ba9808f9ce4
-
SHA512
fccf56201ca30da42c15d769a1af38d87f8bdc0562327096893e81738ad7a4a7e3c00cb425144e1ffa10d9e0e0f39fdd7e5287f74f88e4aa971aa3cc3e988568
-
SSDEEP
49152:fCPqFzmYUMGs67ueIJdjo+fR60CqtZ4HdBJqlCmir3C7uXwonp1UECFgBT:f/DXVAu/kE69HHdB8lnirSSJqE+gT
Score10/10-
Detect Xworm Payload
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Blocklisted process makes network request
-
Command and Scripting Interpreter: PowerShell
Run Powershell and hide display window.
-
Downloads MZ/PE file
-
Sets service image path in registry
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Indicator Removal: Clear Windows Event Logs
Clear Windows Event Logs to hide the activity of an intrusion.
-
Adds Run key to start application
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Obfuscated Files or Information: Command Obfuscation
Adversaries may obfuscate content during command execution to impede detection.
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Pre-OS Boot
1Bootkit
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Indicator Removal
1Clear Windows Event Logs
1Modify Registry
2Obfuscated Files or Information
1Command Obfuscation
1Pre-OS Boot
1Bootkit
1