General
-
Target
xplor.bat
-
Size
67KB
-
Sample
240630-dmzmgsshnd
-
MD5
e73ebec54986581fbbd93963e1fbf6b1
-
SHA1
2981273cb4df5c03e997f25ca217a1368e9e0635
-
SHA256
e7551b81392e6e047d087d496b8a26443cb83074a1f93a448e207bdc81d0487a
-
SHA512
b1a1bc06b9ca737d4b3feb78d7e97e42ede7b8df81e48bab0354419bd65a143438154e6e68a2d8a061a21ecc4d41e6fc7730699b822d2c9dc646198f1158801b
-
SSDEEP
48:+HEIFOhNg8Mh0vULQyDzPMdFijnH6HCRYglCtiJOTOTOTOTOTOTOTOTOTOTOTOTt:+HEIFOhS8S0OQyZrH6viyKCCFX
Static task
static1
Behavioral task
behavioral1
Sample
xplor.bat
Resource
win10-20240611-en
Behavioral task
behavioral2
Sample
xplor.bat
Resource
win11-20240611-en
Malware Config
Extracted
xworm
193.161.193.99:46625
-
Install_directory
%AppData%
-
install_file
Teams.exe
-
telegram
https://api.telegram.org/bot7251026627:AAFe7iqGz4Cd2IluTlmdghq0XQUzAYL6FpY
Targets
-
-
Target
xplor.bat
-
Size
67KB
-
MD5
e73ebec54986581fbbd93963e1fbf6b1
-
SHA1
2981273cb4df5c03e997f25ca217a1368e9e0635
-
SHA256
e7551b81392e6e047d087d496b8a26443cb83074a1f93a448e207bdc81d0487a
-
SHA512
b1a1bc06b9ca737d4b3feb78d7e97e42ede7b8df81e48bab0354419bd65a143438154e6e68a2d8a061a21ecc4d41e6fc7730699b822d2c9dc646198f1158801b
-
SSDEEP
48:+HEIFOhNg8Mh0vULQyDzPMdFijnH6HCRYglCtiJOTOTOTOTOTOTOTOTOTOTOTOTt:+HEIFOhS8S0OQyZrH6viyKCCFX
Score10/10-
Detect Xworm Payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
MITRE ATT&CK Matrix ATT&CK v13
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1