General
-
Target
XClient.exe
-
Size
40KB
-
Sample
241120-yb6xms1fmg
-
MD5
f3d8b96931d1aa9f0c31f92f2db6c903
-
SHA1
7aea8c37bb34cadef6ea87630c5b6c525cfad509
-
SHA256
7ec4beaf8109398c4951d73659beb02b290acc7c1cc9759624aeea2302a9279b
-
SHA512
2e7bf4813fbdf426115ee2f69523765b83aab30dba9d679adb90dceb040515872ae9ff9739e39e4294580557c542b0e2f21683596e3c6894871f6a484b99e082
-
SSDEEP
768:rIDwCrxY4mpc9i32v6hCuuJf27ZZfFWPG9/OQ6OOwhujGb8:cDwCFY4gckGwCuuJfKFv9/OQ6OOwoCY
Malware Config
Extracted
xworm
5.0
10.9.248.138:29647
bqj2YDk3d9XilFuu
-
Install_directory
%AppData%
-
install_file
$77MicrosoftDefender.exe
Targets
-
-
Target
XClient.exe
-
Size
40KB
-
MD5
f3d8b96931d1aa9f0c31f92f2db6c903
-
SHA1
7aea8c37bb34cadef6ea87630c5b6c525cfad509
-
SHA256
7ec4beaf8109398c4951d73659beb02b290acc7c1cc9759624aeea2302a9279b
-
SHA512
2e7bf4813fbdf426115ee2f69523765b83aab30dba9d679adb90dceb040515872ae9ff9739e39e4294580557c542b0e2f21683596e3c6894871f6a484b99e082
-
SSDEEP
768:rIDwCrxY4mpc9i32v6hCuuJf27ZZfFWPG9/OQ6OOwhujGb8:cDwCFY4gckGwCuuJfKFv9/OQ6OOwoCY
Score10/10-
Detect Xworm Payload
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1