Overview

overview

10

Static

static

1

add.bat

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    add.bat

  • Size

    2KB

  • Sample

    241029-lyg6ksvajf

  • MD5

    ddae753de5a27f0a02e0da8610e1b8d5

  • SHA1

    fac2504ef6dfba664468bbed911e9e517c322b6d

  • SHA256

    f7e2458457263888bf48e46d57f0e7ed4d451f305229b902052989de583bda65

  • SHA512

    fdaa43e1ed8ab64605cb35cb4d792f8a56029aaf2d322f38c9297103add573fe84020fe51a91796c47fa3d4b1e108e4735ad4e2491a8a4321a7adc21b48f806d

Score
10/10
xwormdiscoveryexecutionexploitrattrojan

Malware Config

Extracted

Family

xworm

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    winlogon.exe

  • pastebin_url

    https://pastebin.com/raw/QUwdrCNg

Targets

    • Target

      add.bat

    • Size

      2KB

    • MD5

      ddae753de5a27f0a02e0da8610e1b8d5

    • SHA1

      fac2504ef6dfba664468bbed911e9e517c322b6d

    • SHA256

      f7e2458457263888bf48e46d57f0e7ed4d451f305229b902052989de583bda65

    • SHA512

      fdaa43e1ed8ab64605cb35cb4d792f8a56029aaf2d322f38c9297103add573fe84020fe51a91796c47fa3d4b1e108e4735ad4e2491a8a4321a7adc21b48f806d

    Score
    10/10
    xwormdiscoveryexecutionexploitrattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Downloads MZ/PE file

    • Possible privilege escalation attempt

      exploit

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Modifies file permissions

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    behavioral1

MITRE ATT&CK Enterprise v15

Tasks