General

  • Target

    test1ng.exe

  • Size

    54KB

  • Sample

    241109-l9yygasepp

  • MD5

    729590a97e2de28e11b26074aebdd72e

  • SHA1

    24a86696b9aea4b1eb5697be3859d91ef7d66b0c

  • SHA256

    ea605539db0de672c170b978aeca949933b6e3623cc25fb6a76a745d0049c259

  • SHA512

    2d4629696275e9fd33a3dd271c1445234b9560d89e48511d48d7e7105d0e2274a0e7310a9a7a5bba05b78e085256480960fe67dd3e9af1e814265033598e5f89

  • SSDEEP

    1536:uuPL6tJkjNe8U6Ksv/Ukb8nAh0zbOOAxY8Y:uuP+XkyIckbw7zbOOAO8Y

Malware Config

Extracted

Family

xworm

C2

0.tcp.ap.ngrok.io:12725

Attributes
  • Install_directory

    %Public%

  • install_file

    hh.exe

Targets

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks