General
Target: B4VVtERhIuUi.reg
Size: 67KB
Sample: 241104-zcgvkswhme
MD5: f0e94218233968b75d2ddb2040dc6617
SHA1: 4f0e5778a92de896a753d924085e163130fb5584
SHA256: 8f0700c47b590a8072cc4e12e3016788b678ffffbddb87883646697b39337074
SHA512: da863d750ae25545d6ff7f2dfbc78cc971d6332f14571da47cf88ab7a36ce60ce52f7c786420e322ffbd006d96b400339f3b9a6e0aa7c49c6f84855bd6180b0b
SSDEEP: 1536:D4g540DoR+MQRxYvgUV/AV18G84p1V2ktjiEmpKXS4D18WsPHDqRO:DXmE0vPmMjkwpKpjsPHDqRO
Static task: static1
Behavioral task: behavioral1
  Sample: B4VVtERhIuUi.reg
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: B4VVtERhIuUi.reg
  Resource: win10v2004-20241007-en
Malware Config
Extracted
xworm
5.0
127.0.0.1:2024
IPatGZ2f5mZd3uic
install_file: USB.exe
Targets
Target: B4VVtERhIuUi.reg
Size: 67KB
MD5: f0e94218233968b75d2ddb2040dc6617
SHA1: 4f0e5778a92de896a753d924085e163130fb5584
SHA256: 8f0700c47b590a8072cc4e12e3016788b678ffffbddb87883646697b39337074
SHA512: da863d750ae25545d6ff7f2dfbc78cc971d6332f14571da47cf88ab7a36ce60ce52f7c786420e322ffbd006d96b400339f3b9a6e0aa7c49c6f84855bd6180b0b
SSDEEP: 1536:D4g540DoR+MQRxYvgUV/AV18G84p1V2ktjiEmpKXS4D18WsPHDqRO:DXmE0vPmMjkwpKpjsPHDqRO
Signatures
- Detect Xworm Payload
- Xworm family
- Blocklisted process makes network request
- System Binary Proxy Execution: Regsvcs/Regasm (abuse of Regasm to proxy execution of malicious code)
- Executes dropped EXE
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Defense Evasion
  Modify Registry (1)
  System Binary Proxy Execution (1)
    Regsvcs/Regasm (1)