General
-
Target
https://cdn.discordapp.com/attachments/1255165018316476447/1256670577914019840/Sound_Pad.zip?ex=66819d2d&is=66804bad&hm=93135ad7fccbd86b85570460f64d7010bf3ff4628ed6c2ef924b655bc39fa3a7&
-
Sample
240629-wq65vaseqb
Malware Config
Extracted
xworm
5.0
might-hk.gl.at.ply.gg:42295
07x0yTqR2FSkwbSm
-
Install_directory
%ProgramData%
-
install_file
systemprocess.exe
Targets
-
-
Target
https://cdn.discordapp.com/attachments/1255165018316476447/1256670577914019840/Sound_Pad.zip?ex=66819d2d&is=66804bad&hm=93135ad7fccbd86b85570460f64d7010bf3ff4628ed6c2ef924b655bc39fa3a7&
Score10/10-
Detect Xworm Payload
-
Xworm
Xworm is a remote access trojan written in C#.
-
Blocklisted process makes network request
-
Command and Scripting Interpreter: PowerShell
Run Powershell and hide display window.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE
-
Loads dropped DLL
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Event Triggered Execution
1Component Object Model Hijacking
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1