General
-
Target
30f3b017aba427f666ed345ff58f5e3e3c3f87bb1426eebcad87bdc2d41c304d_NeikiAnalytics.exe
-
Size
32KB
-
Sample
240628-3f9ljsyarn
-
MD5
849c0b5d58bd4d064ff1d30dc994d0c0
-
SHA1
b5743540fe9d16abbd1b75f9511e4c1aee268c79
-
SHA256
30f3b017aba427f666ed345ff58f5e3e3c3f87bb1426eebcad87bdc2d41c304d
-
SHA512
c9148073ee163466b25dae7c75bb9c17fab998b14d6642f9b5175befbd4a600bbe296be1e3cfddc707e07c680893b0daed05abd11fe908ee0d6bf7978aea5f81
-
SSDEEP
768:dNaQKEpNXUdpVDfl9s0PZFh93bO/hS/h+g:dYvoN6rs0RFh93bO/Y8g
Malware Config
Extracted
xworm
3.0
limited-architect.gl.at.ply.gg:52522
uJhcL2ZZTFJqWA9Z
-
Install_directory
%AppData%
-
install_file
USB.exe
Targets
-
-
Target
30f3b017aba427f666ed345ff58f5e3e3c3f87bb1426eebcad87bdc2d41c304d_NeikiAnalytics.exe
-
Size
32KB
-
MD5
849c0b5d58bd4d064ff1d30dc994d0c0
-
SHA1
b5743540fe9d16abbd1b75f9511e4c1aee268c79
-
SHA256
30f3b017aba427f666ed345ff58f5e3e3c3f87bb1426eebcad87bdc2d41c304d
-
SHA512
c9148073ee163466b25dae7c75bb9c17fab998b14d6642f9b5175befbd4a600bbe296be1e3cfddc707e07c680893b0daed05abd11fe908ee0d6bf7978aea5f81
-
SSDEEP
768:dNaQKEpNXUdpVDfl9s0PZFh93bO/hS/h+g:dYvoN6rs0RFh93bO/Y8g
Score10/10-
Detect Xworm Payload
-
Xworm
Xworm is a remote access trojan written in C#.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1