General

  • Target: 58f0f20d63b8f2ef1aade3d942c3894e8bad3b4c228e815b4e72e744e85dbb1e_NeikiAnalytics.exe
  • Size: 456KB
  • Sample: 240621-k1qp3ateqb
  • MD5: dee5e10e631204225e81fcbcb45fb5c0
  • SHA1: 6f68b44e2c75b7ed05f5c6b0641b1fc2a34031ce
  • SHA256: 58f0f20d63b8f2ef1aade3d942c3894e8bad3b4c228e815b4e72e744e85dbb1e
  • SHA512: a31345bafda8fe917e3d8797b2c106b1833ae1bc0a36e5d5c78cc5b3df55677b93033a5d7ad32e2e6968a984d61db38e5be9aa0a1b499d79086dcd94c3a07b38
  • SSDEEP: 12288:hy903qOf5K+udWQH2uDuxPVT6c1uiWA5UqLRx+:hyIqL+udWHXx9umCAUq0

Malware Config

Extracted

Family: xworm
Version: 5.0
C2:
  • skibidi.one:2709
  • 91.92.250.4:2709
Mutex: S3gZoltSWKOZChhU
Attributes:
  • install_file: USB.exe
  • aes.plain

Targets

    • Target: 58f0f20d63b8f2ef1aade3d942c3894e8bad3b4c228e815b4e72e744e85dbb1e_NeikiAnalytics.exe

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks