General
Target: 0x0007000000016d42-20.dat
Size: 75KB
Sample: 241106-h4hgraykal
MD5: 8d6e86e6e799c75bd5123534bdbf411b
SHA1: 9fc526e97077ed2a5e78371fdab5ab7ecf789368
SHA256: 7892c9f14967696e15b99b3eac66d65643357c9a4315f5e8210c8437c6617888
SHA512: 8cd6e706c3f36d7cb1d6eed3717fd3e96863b6fcf4ee3425f7b08823b8dc364a1de215b578310a3d1fddd98f9eb648ddeafd85d8a2feed399d46fba7dba09265
SSDEEP: 1536:2Z6tgBI11qoEgGBfCDYsN+bT0IrgLSUtmf6/rhtOs4eJ9SYUh:2Z1I11qoGBgYA+bgIEOe9htOs4eJjO
Behavioral task: behavioral1
Sample: 0x0007000000016d42-20.exe
Resource: win7-20241010-en

Behavioral task: behavioral2
Sample: 0x0007000000016d42-20.exe
Resource: win10v2004-20241007-en
Malware Config
Extracted family: xworm
C2: 45.145.41.178:1111
Install_directory: %AppData%
install_file: Windows Defender Notification.exe
Targets
Score: 10/10

Signatures
- Detect Xworm Payload
- Xworm family
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)