General

  • Target

    skibidi uac temp.bat

  • Size

    762B

  • Sample

    240812-28pleawepq

  • MD5

    2a6867bc5bf2aa120ded0f3e5e3aaffd

  • SHA1

    572489979b0cd08bf6b962c4c9654aa2c8fe7f6e

  • SHA256

    353ce41096bfc4a123151d6876cf0a64838d0805f69a91f2008061433a84bf60

  • SHA512

    a67c6bc2236f7ddc194fb2c1bd99c1ae31d87dcf3daeaa38169e60acb369b4d9594dd4423ae1e5f75e586da24346a522754934a803cc62bb13f18dca96b4bbb5

Malware Config

Extracted

Family

xworm

Version

5.0

C2

dating-mpegs.gl.at.ply.gg:6566

Mutex

hzlnv0DUzbSPOIAL

Attributes

  • Install_directory

    %Userprofile%

  • install_file

    Uni.exe

aes.plain

Targets

    • Target

      skibidi uac temp.bat

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      PowerShell Invoke-WebRequest.

    • Download via BitsAdmin

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Deobfuscate/Decode Files or Information

      Payload decoded via CertUtil.

MITRE ATT&CK Enterprise v15