General
Target: WaveInstaller.exe
Size: 1.9MB
Sample: 240629-1t4aks1apq
MD5: 8acc2471bf70322449538205a32df476
SHA1: 9b4c7e5b3596fdda88c6c88e6583e334b091efee
SHA256: 2f12fab2f1220150e032580b9b87bd48d4cb837b5030ad36f944769b5d2171ef
SHA512: 27f5b8beb9deef86037fea7e96a3f9604aceed9210976b4b20184bd4a3d78e0ffce863665a8ece217912f0fe28014f973a61253bd6615cb7fc62bac45fb7529a
SSDEEP: 49152:6OidmNFJKjfGathkBss9NBZUtcASYmvuHp9Tjx2inbT:XomNFJ6LthkOu9ASYmuHpuin
Static task: static1
Behavioral task: behavioral1
Sample: WaveInstaller.exe
Resource: win10v2004-20240611-en
Malware Config
Extracted
Family: xworm
127.0.0.1:446
Azuu-57677.portmap.io:446
Install_directory: %Temp%
install_file: svchost.exe
Targets
Score: 10/10
Detect Xworm Payload
Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
Drops startup file
Executes dropped EXE
Adds Run key to start application
Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
MITRE ATT&CK Matrix (ATT&CK v13)
Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)