General

  • Target

    7483ef61b4a08402fda1ad7ff1f94ea0_NeikiAnalytics.exe

  • Size

    315KB

  • Sample

    240525-vv9absbf8s

  • MD5

    7483ef61b4a08402fda1ad7ff1f94ea0

  • SHA1

    e71900c7015b7f076fd37ffa918878d33cef0540

  • SHA256

    cac0d8139a09afbed8d9b0fcb8d1a07c186b16f8a0ae6967bfc75f1eccf6c74d

  • SHA512

    6ad6598f5b90fbecf40657e3ba42c9e853bced982f25618bd2368626485725d79c393b9254fb8b1377fd69ee6a6dadfa610a564181794c0176b9fb9a3d05d070

  • SSDEEP

    6144:ueijhSohGqnYtFcOMHggh+8aCxGpZiC63AEwpGWKKdtm8EH:uzhSdqnYrl++8aCcpJkCFEH

Malware Config

Extracted

Family

xworm

Attributes
  • Install_directory

    %AppData%

  • install_file

    Discord Update.exe

  • pastebin_url

    https://pastebin.com/raw/2NqG5N7L

Targets

    • Target

      7483ef61b4a08402fda1ad7ff1f94ea0_NeikiAnalytics.exe


    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15
