General
-
Target
dll (1).exe
-
Size
1.8MB
-
Sample
240630-b6me6avhjr
-
MD5
2d8725f268c90475c94941e550019cf9
-
SHA1
c51ed1a97e71cbdfb7712f7fbe2251553f1054b7
-
SHA256
8f619c4d07c848855b27863e887f95f7307ae2d46f64c661ca17a2d96798a2af
-
SHA512
4998e8bf9e33f31e895783e31185fd678c368e3eb3b524b65ff1d988f0395cdd8d7a1aa6776d89b1f284656f2e6c97b848d8e909c167b52932a1d83382e57bb1
-
SSDEEP
49152:d78cpUcrJCoHjuFnBPn20DRt8HcWynnBvIyn+inbT:d78cpUcrJC2q9BPjo8WyBv1n+in
Static task
static1
Behavioral task
behavioral1
Sample
dll (1).exe
Resource
win10-20240611-en
Behavioral task
behavioral2
Sample
dll (1).exe
Resource
win10v2004-20240508-en
Malware Config
Extracted
xworm
127.0.0.1:35472
haxxy999-35472.portmap.host:35472
-
Install_directory
%Temp%
-
install_file
svchost.exe
Targets
-
-
Target
dll (1).exe
-
Size
1.8MB
-
MD5
2d8725f268c90475c94941e550019cf9
-
SHA1
c51ed1a97e71cbdfb7712f7fbe2251553f1054b7
-
SHA256
8f619c4d07c848855b27863e887f95f7307ae2d46f64c661ca17a2d96798a2af
-
SHA512
4998e8bf9e33f31e895783e31185fd678c368e3eb3b524b65ff1d988f0395cdd8d7a1aa6776d89b1f284656f2e6c97b848d8e909c167b52932a1d83382e57bb1
-
SSDEEP
49152:d78cpUcrJCoHjuFnBPn20DRt8HcWynnBvIyn+inbT:d78cpUcrJC2q9BPjo8WyBv1n+in
Score10/10-
Detect Xworm Payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
MITRE ATT&CK Matrix ATT&CK v13
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1