General
-
Target
Official Nova Launcher Fixer.exe
-
Size
121KB
-
Sample
240704-ex92msthjq
-
MD5
11f6b755147b4ca6b441620c0ac39268
-
SHA1
c93ca611430e685572cbdd7b762633a91b0671ad
-
SHA256
d4edaa6438dadc7c0b82655a5fe3054ddcf2932f55a177a0f08919484f930796
-
SHA512
5465d1e5df7a0e34bab7c997a777b86ea447a3519ab993e65216b9dae54e6285ae50b953979736a87b748520ef502a3c6e513b0f4bcdf864addb9247caa1562b
-
SSDEEP
3072:paPSy6sZ7z/N7kvRS6s5nTsz4IwqJOSIHbBFiMa:tyXrNcNs5nTsyHHb6M
Malware Config
Extracted
xworm
5.0
oh-guaranteed.gl.at.ply.gg:41663
YBg0EdsYRj3uSC7X
-
Install_directory
%Userprofile%
-
install_file
System32.exe
Targets
-
-
Target
Official Nova Launcher Fixer.exe
-
Size
121KB
-
MD5
11f6b755147b4ca6b441620c0ac39268
-
SHA1
c93ca611430e685572cbdd7b762633a91b0671ad
-
SHA256
d4edaa6438dadc7c0b82655a5fe3054ddcf2932f55a177a0f08919484f930796
-
SHA512
5465d1e5df7a0e34bab7c997a777b86ea447a3519ab993e65216b9dae54e6285ae50b953979736a87b748520ef502a3c6e513b0f4bcdf864addb9247caa1562b
-
SSDEEP
3072:paPSy6sZ7z/N7kvRS6s5nTsz4IwqJOSIHbBFiMa:tyXrNcNs5nTsyHHb6M
Score10/10-
Contains code to disable Windows Defender
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Detect Xworm Payload
-
Xworm
Xworm is a remote access trojan written in C#.
-
Grants admin privileges
Uses net.exe to modify the user's privileges.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Disables Task Manager via registry modification
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
Drops file in System32 directory
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Account Manipulation
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1