General
-
Target
CRACK DELTA.rar
-
Size
25.1MB
-
Sample
250308-q2el3sxrv8
-
MD5
4be7689267ec1601a777d7a8c2432cb2
-
SHA1
9daba79d622aa40a3ab0112144bf9ee11c15c6a4
-
SHA256
c342812f3b7676faa3b7c3eec7f50a6c9f0d03344b46ea3f8a9dd24aa4dd81d0
-
SHA512
23333738d46ce9dcaad9f06363d8b26ec7c2433c4e9bd4f0e4400afb8e0ccca21645da9b6fc10832310e44a7c41348ce6a00c6d9821853e5ff9bfb151fa502ba
-
SSDEEP
786432:QSOhbvU6WHlCjsNhdsnGiJv89lCnMWQj1iZpvC:zOhbvUpFNoGiJv8mnvC
Malware Config
Extracted
xworm
step-yr.gl.at.ply.gg:30565
-
Install_directory
%Public%
-
install_file
USB.exe
Targets
-
-
Target
CRACK DELTA.rar
-
Size
25.1MB
-
MD5
4be7689267ec1601a777d7a8c2432cb2
-
SHA1
9daba79d622aa40a3ab0112144bf9ee11c15c6a4
-
SHA256
c342812f3b7676faa3b7c3eec7f50a6c9f0d03344b46ea3f8a9dd24aa4dd81d0
-
SHA512
23333738d46ce9dcaad9f06363d8b26ec7c2433c4e9bd4f0e4400afb8e0ccca21645da9b6fc10832310e44a7c41348ce6a00c6d9821853e5ff9bfb151fa502ba
-
SSDEEP
786432:QSOhbvU6WHlCjsNhdsnGiJv89lCnMWQj1iZpvC:zOhbvUpFNoGiJv8mnvC
Score10/10-
Detect Xworm Payload
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Executes dropped EXE
-
Adds Run key to start application
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1