General
- Target: XClient.exe
- Size: 61KB
- Sample: 240630-g6g4bsxgjl
- MD5: d537ba1b5dfd28d617d98452caadf449
- SHA1: 6cb1d669d2a10153e42ac33c7bd2fc8521ec7065
- SHA256: a2e9485cb6b0018d079a1956dc8a073393c75ee0eca1ebed1fcdaff21b076d2e
- SHA512: b0032aba438a0e8704ba6bb7f14e329464a4b09b3d4e6d8dc3ce96a8e70a21312faa407dddf092753234928e3de263a242ec45108f5a48a7d4f04695a9fcde2c
- SSDEEP: 1536:QrgMsFzvH+u9GeCdg/vzb2xsK/WS6zAEzO5sK:QrD8vHFSWzb26FAEzO5sK
Behavioral task
- behavioral1
  - Sample: XClient.exe
  - Resource: win10-20240404-en
Malware Config
Extracted
- xworm
  - Ironthing-22901.portmap.host:22901
  - Install_directory: %AppData%
  - install_file: XClient.exe
Targets
- Target: XClient.exe
- Size: 61KB
Score: 10/10

Signatures
- Detect Xworm Payload
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
MITRE ATT&CK Matrix (ATT&CK v13)
- Execution
  - Command and Scripting Interpreter: PowerShell (1)
  - Scheduled Task/Job: Scheduled Task (1)
- Persistence
  - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
  - Scheduled Task/Job: Scheduled Task (1)