General
Target: Packages.exe
Size: 75KB
Sample: 240630-hdeyyavare
MD5: e1b71f4ba193223fc5569d6c2c8987d8
SHA1: ab0634c9bc987c434b55896cd9b1523af1280571
SHA256: 15af6ab42b15ed39a5257f1e750c728accb88dc332162937f1fd22ba314b7afa
SHA512: d98ae8f4d37bdae664a4d703c5d5bc0a57f1cdc992fca0aad080863cd68b19b63e50c327de541bd9ca2a12582ecb23ff61344a3bca173574c563fa45a4d951a8
SSDEEP: 1536:b61UmSLuLfh3THEpbHhE+3lDZ6BwqTD+EViiODLkhpI:eumVfVTMbHhfA9ViiODLk/I
Behavioral task
behavioral1
Sample: Packages.exe
Resource: win11-20240508-en
Malware Config
Extracted family: xworm
C2: 193.161.193.99:22901
C2: Ironthing-22901.portmap.host:22901
Install_directory: %AppData%
install_file: Packages.exe
Targets
Target: Packages.exe
Size: 75KB
MD5: e1b71f4ba193223fc5569d6c2c8987d8
SHA1: ab0634c9bc987c434b55896cd9b1523af1280571
SHA256: 15af6ab42b15ed39a5257f1e750c728accb88dc332162937f1fd22ba314b7afa
SHA512: d98ae8f4d37bdae664a4d703c5d5bc0a57f1cdc992fca0aad080863cd68b19b63e50c327de541bd9ca2a12582ecb23ff61344a3bca173574c563fa45a4d951a8
SSDEEP: 1536:b61UmSLuLfh3THEpbHhE+3lDZ6BwqTD+EViiODLkhpI:eumVfVTMbHhfA9ViiODLk/I
Score: 10/10
Signatures:
Detect Xworm Payload
Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Drops startup file
Executes dropped EXE
Adds Run key to start application
Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
MITRE ATT&CK Matrix (ATT&CK v13)
Execution
  Command and Scripting Interpreter (1): PowerShell (1)
  Scheduled Task/Job (1): Scheduled Task (1)
Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1): Scheduled Task (1)