General
Target: 54335453425234.exe
Size: 57KB
Sample: 240503-vz54gaef96
MD5: 3db6691099ca8a85cb08e68dc8eed38a
SHA1: 9592497a91fd06c82e0082c61ebff8688b4932dc
SHA256: 002a55a722eb437d66039df4b8e16b32baa59ba4f3a180c0d5a0514e01dc7377
SHA512: ba0778c135da545a10cfeea230263493d2339e19b61d2a9a2db93f805a620a79381c2d6be82ee1ff199b4bb490013e624b2d68e937966615c6ea64a67c6cb60e
SSDEEP: 1536:JiNNpIaOeW6fBnwL36ZOR8Rngkb/kiqnLx3oXyDmOJHLFu/:MNNpzW6fBwL6/gkb/O6lOJk/
Behavioral task: behavioral1
Sample: 54335453425234.exe
Resource: win11-20240419-en
Malware Config
Extracted: xworm
  0.tcp.eu.ngrok.io:15487
  Install_directory: %AppData%
  install_file: XClient.exe
Targets
Target: 54335453425234.exe
Signatures
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Detect Xworm Payload
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- ModiLoader Second Stage
- Modifies Installed Components in the registry
- Modifies Windows Firewall
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
MITRE ATT&CK Matrix (ATT&CK v13)

Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (2)
  Create or Modify System Process (2)
    Windows Service (2)

Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (2)
  Create or Modify System Process (2)
    Windows Service (2)

Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (3)
    Disable or Modify Tools (1)
    Disable or Modify System Firewall (1)
  Modify Registry (5)