General
- Target: XClient.exe
- Size: 65KB
- Sample: 240630-m5z6eazdrp
- MD5: cebacd49745c72009ec927afe89e7908
- SHA1: 0834c1e371126767e18a6d0a296faa6f96fa1a0a
- SHA256: e790f0a47cf0157f4051cae45eb71f40ba712754ce9a065818cdb2602edd8327
- SHA512: d4c52414bbf58f04dd6651014313362842220dbb5a4438c77effecae86302f5474de40bcb160590c4a9b0b37d9b0eecff5d8fc0a62f1cd55c2860f71e9877d3c
- SSDEEP: 1536:Iw/fPNDC3SyLmHSX74jAvbjbJoMxuii6ytEw0OZvgSHPK:IwXUdmyEjQPbJoMUPt50OZo8K
Behavioral task: behavioral1
- Sample: XClient.exe
- Resource: win11-20240508-en
Malware Config (extracted)
- Family: xworm
- Version: 3.1
- C2: 2.tcp.eu.ngrok.io:11215
- Install_directory: %ProgramData%
- install_file: USB.exe
Targets
- Target: XClient.exe
- Size: 65KB
Score: 10/10

Signatures
- Detect Xworm Payload
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
MITRE ATT&CK Matrix (ATT&CK v13)

Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)

Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)