General
-
Target
dacc84ed6f53885ec89a45ffb68546d8fd819b303c04e9aabef23b06cb39488b
-
Size
523KB
-
Sample
250219-1w7e1ssjt9
-
MD5
2ec12fcfa9d9349119fa52d037902c36
-
SHA1
29486b201215eb5216692589cc535b965b46af2d
-
SHA256
dacc84ed6f53885ec89a45ffb68546d8fd819b303c04e9aabef23b06cb39488b
-
SHA512
74ea50ce1e376993b9ff8f6a5eb25c36fb07ab271c4343151070d9e3cd03cca749cc1beb1956a5cf47733f491d868febc1cc4bd230fc13b7e0b94915016413da
-
SSDEEP
12288:sMY3jdyMSUXHpH3AUQIqhRytUzxxAg1J2u2u:rgxyMFw6cNzvAgTUu
Static task
static1
Behavioral task
behavioral1
Sample
CAPP.exe
Resource
win7-20240903-en
Malware Config
Extracted
xworm
176.96.137.181:1111
-
Install_directory
%AppData%
-
install_file
XClient.exe
Targets
-
-
Target
CAPP.exe
-
Size
941KB
-
MD5
633efdf80797b397168e41e22ceb3985
-
SHA1
046f318b78c9434c5a78af5c0a8389c84e864e7e
-
SHA256
97006d08b4e8eebfc2d9f2d52719ee2ecf045ca4275033288677403f43fec7cf
-
SHA512
16927f3d4301c0fb72ef91f47da52fc4e34997c8aabf20ae3685d4612e806d1cb99ba4adabb6a234bc103421f23d62f32f3ce8b1bba11318c495b806f489c8c9
-
SSDEEP
24576:Ru6J33O0c+JY5UZ+XC0kGso6FacSpneWY:Du0c++OCvkGs9FacSjY
-
Detect Xworm Payload
-
Xenarmor family
-
Xworm family
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
ACProtect 1.3x - 1.4x DLL software
Detects file using ACProtect software.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses Microsoft Outlook accounts
-
Adds Run key to start application
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1