General
-
Target
XWormLoader5.2.exe
-
Size
328KB
-
Sample
240630-lem8gswang
-
MD5
7b421f9a8cbcf57135dfaaa03e138f83
-
SHA1
f7f9eaa8ac991cfba88cea00fa273e2b173ed785
-
SHA256
8996df7c25c4a8cd10c80971660852235429fa116ae188c188db8a750c579653
-
SHA512
6903cae013bd87bb6416ecc2db6e1c7462354a4387da50e48665fa20f68bb918d786d9a22690cfdaf6fb987a3539dfafb7daeb5da130b3cf4fa304dad10d3143
-
SSDEEP
6144:zE+IZP9d8mZrz+QftDS8lHAAJq0Q7u8mZrz+Q/zqm:1IZPH80n+QFDS8lgUbQq80n+Q/
Static task
static1
Behavioral task
behavioral1
Sample
XWormLoader5.2.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
XWormLoader5.2.exe
Resource
win10v2004-20240508-en
Malware Config
Extracted
xworm
promptylol-44968.portmap.io:44968
-
Install_directory
%LocalAppData%
-
install_file
dllhost.exe
Targets
-
-
Target
XWormLoader5.2.exe
-
Size
328KB
-
MD5
7b421f9a8cbcf57135dfaaa03e138f83
-
SHA1
f7f9eaa8ac991cfba88cea00fa273e2b173ed785
-
SHA256
8996df7c25c4a8cd10c80971660852235429fa116ae188c188db8a750c579653
-
SHA512
6903cae013bd87bb6416ecc2db6e1c7462354a4387da50e48665fa20f68bb918d786d9a22690cfdaf6fb987a3539dfafb7daeb5da130b3cf4fa304dad10d3143
-
SSDEEP
6144:zE+IZP9d8mZrz+QftDS8lHAAJq0Q7u8mZrz+Q/zqm:1IZPH80n+QFDS8lgUbQq80n+Q/
Score10/10-
Detect Xworm Payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
MITRE ATT&CK Matrix ATT&CK v13
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1