General
Target: Ödeme Bildirimi1.exe
Size: 1.0MB
Sample: 240904-mprjbszcqa
MD5: 11d08d39cc44ebf70c89dba399a05567
SHA1: 288a8b969866e70f15a9e5b527bc44d0a55439d6
SHA256: 6e7c573f8188ce9f7ae1309aff107961c5d822d92d9bd5e6c5dc247a68c255f5
SHA512: a4a6422285fe3ecd3d5d373a3bda09713cbd703261d067268f079ff2bac3cee417c10b2fdb5c2dba0ff7a583d13fb30735e48289aa15623fae93d86a0850e260
SSDEEP: 12288:rGZKzvvWBKYvI8PmVx5OdwGGZr/1e4271YW/sFUD:XWOjv5fGsTW2W/sFUD
Static task: static1
Malware Config
Extracted
xworm 3.1
taraji111.duckdns.org:31823
RFfb2ploDgN8rSit
Install_directory: %AppData%
install_file: USB.exe
Targets
Target: Ödeme Bildirimi1.exe (1.0MB; hashes as listed under General)
- Detect Xworm Payload
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)