General
-
Target
sesh.exe
-
Size
85KB
-
Sample
240629-3b38zaygmg
-
MD5
eb2fdf65f05738084eafbffafd050f96
-
SHA1
94b744a2552451b2b5dcadce71a31b9826ecba96
-
SHA256
39497d1f152da58a2c2d8970b05f795b05a6607c50a86c058d418985ed4a264e
-
SHA512
7bf9ab33f7b5e4fde676a6ab27a9aff918bfefc8f5defd3442c03cdf59c4d61a7af9103e877643f92839fb42316c5319b5972bc7317b51354162a1f4b53eb157
-
SSDEEP
1536:KT1xavSIvbf6DC2BY3cebMXC9GjBVUF06ppMQvO+1DkdQr:CVIzaBYMebMaGla5pVvOuDVr
Behavioral task
behavioral1
Sample
sesh.exe
Resource
win10v2004-20240611-en
Malware Config
Extracted
xworm
127.0.0.1:33823
Azuu-57677.portmap.io:33823
remember-sail.gl.at.ply.gg::33823
-
Install_directory
%Temp%
-
install_file
svchost.exe
Targets
-
-
Target
sesh.exe
-
Size
85KB
-
MD5
eb2fdf65f05738084eafbffafd050f96
-
SHA1
94b744a2552451b2b5dcadce71a31b9826ecba96
-
SHA256
39497d1f152da58a2c2d8970b05f795b05a6607c50a86c058d418985ed4a264e
-
SHA512
7bf9ab33f7b5e4fde676a6ab27a9aff918bfefc8f5defd3442c03cdf59c4d61a7af9103e877643f92839fb42316c5319b5972bc7317b51354162a1f4b53eb157
-
SSDEEP
1536:KT1xavSIvbf6DC2BY3cebMXC9GjBVUF06ppMQvO+1DkdQr:CVIzaBYMebMaGla5pVvOuDVr
Score10/10-
Detect Xworm Payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
MITRE ATT&CK Matrix ATT&CK v13
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1