General

  • Target

    perms.exe

  • Size

    83KB

  • Sample

    250118-x685ta1qhx

  • MD5

    4dd41e9e888d7c43e6c059e8fde0cfc0

  • SHA1

    b9b1685970a2342714f36b92c76e9eef725b0c45

  • SHA256

    7f0d106861eafe0f0f4dd241fc574f7b329543a854fd876d5fa92f136829e1f6

  • SHA512

    74433bc06be96f399dcc65d4a8be48cd1934199cd7a03d4d49a61833a462c0c5113312033bf7776404f5027aa9d901093f29ef7249380f46c73f4d5d5e84a897

  • SSDEEP

    1536:q/S3A8Y2yo0xwOZ+++3YXbcG/eQ0726v3Ok+WJCo1V8G0:q/uBGo34bjmX7n3OPWMo12

Malware Config

Extracted

Family

xworm

C2

trip-thesaurus.gl.at.ply.gg:16715

Attributes

  • Install_directory

    %AppData%

  • install_file

    USB.exe

Targets

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks