General
Target: cmd.exe
Size: 223KB
Sample: 240801-1cldfawhpl
MD5: 12982ac83ad56a6498cb35ac809a372d
SHA1: 3f1d1b2ec2d8a66b5f34ca52bddf92f095ecbe1e
SHA256: b708ee49186388dc9f334877985ee25c2ade79aca53c710dad8ee458c2dd4e40
SHA512: 93eb087005e04ae00fa4e50d45bded5f7867edb0d3b1a59bf912ec7c0a8d3eb9a8695c6fb97c6d4c2baf54323916456625e228ecfff42327c4083a037ff6749e
SSDEEP: 3072:59nbq6SB3q+8BpxITV1nr/6ENVvncMxBJEHBAnpK37nX7880u5Q1tEPsY74tyJh1:e8BIHnr/6wtVx+8ecEPHE9o1r/Z
Static task: static1
Behavioral task: behavioral1 (Sample: cmd.exe; Resource: win7-20240729-en)
Behavioral task: behavioral2 (Sample: cmd.exe; Resource: win10v2004-20240730-en)
Malware Config
Extracted
Family: xworm
Version: 5.0
Mutex (assumed; this field is unlabelled in the extracted config): pIY7szY7mQ1Jy6Fv
Install_directory: %Temp%
install_file: USB.exe
pastebin_url: https://pastebin.com/raw/AsXpMYtv
Targets
Target: cmd.exe (the sample described under General)
Score: 10/10
Signatures
Detect Xworm Payload
Command and Scripting Interpreter: PowerShell. Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Checks computer location settings. Looks up the country code configured in the registry, likely a geofence check.
Drops startup file.
Executes dropped EXE.
Adds Run key to start application.
Legitimate hosting services abused for malware hosting/C2 (the extracted config carries a pastebin_url).
Drops file in System32 directory.
MITRE ATT&CK Enterprise v15
Execution
  Command and Scripting Interpreter: PowerShell
  Scheduled Task/Job: Scheduled Task
Persistence
  Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
  Scheduled Task/Job: Scheduled Task
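The signatures and ATT&CK mapping above describe what the sandbox observed; the following is an added example (not part of the report, and not XWorm's code) showing how a responder can turn those observations into host-side detection logic. It uses the two concrete indicators from the extracted config (install_file USB.exe and the pastebin_url) plus the behaviours named in the signature list. The telemetry it runs over is constructed here to look like simplified Sysmon/EDR events; the exact registry key used for the geofence lookup (Control Panel\International\Geo\Nation) and the schtasks command line are assumptions about how those behaviours appear on a host, not something the report states.

```python
"""Rule-based triage of constructed host telemetry against the XWorm indicators in the report."""
import re
from typing import Any, Callable

Event = dict[str, Any]

# Indicators copied from the extracted config above.
INSTALL_FILE = "USB.exe"
PASTEBIN_URL = "https://pastebin.com/raw/AsXpMYtv"

# Constructed sample events (not sandbox output). The geofence key and the
# schtasks line are assumed shapes for the behaviours listed in the report.
SAMPLE_EVENTS: list[Event] = [
    {"type": "process", "cmdline": r'powershell.exe -Command Add-MpPreference -ExclusionPath C:\Users\u\AppData\Local\Temp'},
    {"type": "process", "cmdline": r'powershell.exe Add-MpPreference -ExclusionExtension ".exe"'},
    {"type": "process", "cmdline": r'powershell.exe Add-MpPreference -ExclusionProcess "USB.exe"'},
    {"type": "registry", "op": "read", "key": r"HKCU\Control Panel\International\Geo\Nation"},  # assumed geofence key
    {"type": "file", "path": r"C:\Users\u\AppData\Local\Temp\USB.exe"},
    {"type": "registry", "op": "set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "USB", "data": r"C:\Users\u\AppData\Local\Temp\USB.exe"},
    {"type": "process", "cmdline": r'schtasks.exe /create /f /sc minute /mo 1 /tn "USB" /tr "C:\Users\u\AppData\Local\Temp\USB.exe"'},
    {"type": "network", "url": PASTEBIN_URL},
    # Benign noise to check the rules do not fire on ordinary activity.
    {"type": "registry", "op": "set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "OneDrive", "data": r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"type": "process", "cmdline": "powershell.exe Get-MpPreference"},
]

EXCLUSION_RE = re.compile(r"-Exclusion(Path|Extension|Process)\s+[\"']?([^\"'\s]+)", re.I)


def _defender_exclusion(e: Event) -> bool:
    cmd = e.get("cmdline", "")
    return e.get("type") == "process" and "add-mppreference" in cmd.lower() and bool(EXCLUSION_RE.search(cmd))


def _geofence_lookup(e: Event) -> bool:
    return e.get("type") == "registry" and e.get("op") == "read" and e.get("key", "").lower().endswith(r"\geo\nation")


def _temp_drop(e: Event) -> bool:
    p = e.get("path", "").lower()
    return e.get("type") == "file" and "\\temp\\" in p and p.endswith("\\" + INSTALL_FILE.lower())


def _run_key_to_temp(e: Event) -> bool:
    if e.get("type") != "registry" or e.get("op") != "set":
        return False
    if not e.get("key", "").lower().endswith(r"\currentversion\run"):
        return False
    data = e.get("data", "").lower()
    # Only flag autostarts pointing into %Temp% or at the configured install file.
    return "\\appdata\\local\\temp\\" in data or data.endswith("\\" + INSTALL_FILE.lower())


def _schtasks_persistence(e: Event) -> bool:
    cmd = e.get("cmdline", "").lower()
    return e.get("type") == "process" and "schtasks" in cmd and "/create" in cmd and INSTALL_FILE.lower() in cmd


def _pastebin_c2(e: Event) -> bool:
    url = e.get("url", "")
    return e.get("type") == "network" and (url == PASTEBIN_URL or url.startswith("https://pastebin.com/raw/"))


# (signature name from the report, ATT&CK technique IDs, predicate)
RULES: list[tuple[str, tuple[str, ...], Callable[[Event], bool]]] = [
    ("PowerShell modifies Windows Defender exclusions", ("T1059.001", "T1562.001"), _defender_exclusion),
    ("Checks computer location settings", ("T1614",), _geofence_lookup),
    ("Drops install_file in %Temp%", (), _temp_drop),
    ("Adds Run key to start application", ("T1547.001",), _run_key_to_temp),
    ("Scheduled Task persistence", ("T1053.005",), _schtasks_persistence),
    ("Legitimate hosting service used for C2 (pastebin_url)", ("T1102",), _pastebin_c2),
]


def triage(events: list[Event]) -> list[dict[str, Any]]:
    """Return one hit per (event, rule) match; benign events produce no hits."""
    return [
        {"event": i, "signature": name, "techniques": techs}
        for i, ev in enumerate(events)
        for name, techs, pred in RULES
        if pred(ev)
    ]


def attack_techniques(hits: list[dict[str, Any]]) -> list[str]:
    """Sorted, de-duplicated ATT&CK IDs covered by the hits."""
    return sorted({t for h in hits for t in h["techniques"]})


def defender_exclusions(events: list[Event]) -> list[tuple[str, str]]:
    """Extract (kind, target) pairs from Add-MpPreference command lines, for clean-up."""
    return [m for ev in events if _defender_exclusion(ev) for m in EXCLUSION_RE.findall(ev["cmdline"])]


if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for h in found:
        print(h)
    print("ATT&CK:", attack_techniques(found))
    print("Exclusions to remove:", defender_exclusions(SAMPLE_EVENTS))
```

The Run-key rule deliberately requires the autostart target to sit in %Temp% or match the configured install_file, so the benign OneDrive entry in the sample does not fire; the exclusion extractor gives the responder the exact paths, extensions and process names to remove from Defender during remediation.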