Overview

overview

10

Static

static

1

add - Copy.bat

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    add - Copy.bat

  • Size

    2KB

  • Sample

    241028-yvcg5stpet

  • MD5

    b0a25d37a30b97113aec21a6a19ef7f3

  • SHA1

    5ea49f9b019627c3d2b41e9ce87dd02124d76871

  • SHA256

    fd8a9fd65b129f90d536bd7c48896736096f1164111f98649c18978d7f58847c

  • SHA512

    a2017046b90b5c8a0c27184ff63a41b77e7a3231e47fd18dc9538ac022d078ed12420996e356fa11258447089aee3c28931568e19cc233d3060b9cbbbcaed711

Score
10/10
xwormdiscoveryexecutionexploitrattrojan

Malware Config

Extracted

Family

xworm

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    winlogon.exe

  • pastebin_url

    https://pastebin.com/raw/QUwdrCNg

Targets

    • Target

      add - Copy.bat

    • Size

      2KB

    • MD5

      b0a25d37a30b97113aec21a6a19ef7f3

    • SHA1

      5ea49f9b019627c3d2b41e9ce87dd02124d76871

    • SHA256

      fd8a9fd65b129f90d536bd7c48896736096f1164111f98649c18978d7f58847c

    • SHA512

      a2017046b90b5c8a0c27184ff63a41b77e7a3231e47fd18dc9538ac022d078ed12420996e356fa11258447089aee3c28931568e19cc233d3060b9cbbbcaed711

    Score
    10/10
    xwormdiscoveryexecutionexploitrattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Downloads MZ/PE file

    • Possible privilege escalation attempt

      exploit

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Modifies file permissions

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    behavioral1

MITRE ATT&CK Enterprise v15

Tasks