General
-
Target
https://gamejolt.com/games/Station-17/945765
-
Sample
250303-hwtvta1px6
Score
10/10
Malware Config
Extracted
Family
xworm
C2
king-recruiting.gl.at.ply.gg:6182
Attributes
-
Install_directory
%ProgramData%
-
install_file
USB.exe
-
telegram
https://api.telegram.org/bot7856884927:AAG6kZGLpszPeQUtFedd02qh_J_SKDZZfSI/sendMessage?chat_id=7075619698
Targets
-
-
Target
https://gamejolt.com/games/Station-17/945765
Score10/10-
Detect Xworm Payload
-
UAC bypass
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Legitimate hosting services abused for malware hosting/C2
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
1Subvert Trust Controls
1SIP and Trust Provider Hijacking
1