General
-
Target
windowspowershell.exe
-
Size
70KB
-
Sample
240701-gdywda1clk
-
MD5
a65730c3385f81d9dd1245fd6a7dd8bc
-
SHA1
bfea51aad8077ffbe0893687c6706449e0204f07
-
SHA256
f3e91c0e63a38f99af50221e9215315f401d591968c9e76d2d786908a6cccf1b
-
SHA512
6e0327af881fbc18dc8542835513e502e1575aa4b94ced9b752194eb3d84014b0e8d47e9a44d0dc2d8eac9552b4fab7744ec4a486879d4242bd57a04ab6256c6
-
SSDEEP
1536:4xr5e+IPIyYGFZabUnYmjLha8qB2nD6T9aZOLTST6:gFE7YWQbUmt2cKOLM6
Behavioral task
behavioral1
Sample
windowspowershell.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
windowspowershell.exe
Resource
win10v2004-20240508-en
Malware Config
Extracted
xworm
3.1
so-presently.gl.at.ply.gg :59751
-
Install_directory
%AppData%
-
install_file
USB.exe
Targets
-
-
Target
windowspowershell.exe
-
Size
70KB
-
MD5
a65730c3385f81d9dd1245fd6a7dd8bc
-
SHA1
bfea51aad8077ffbe0893687c6706449e0204f07
-
SHA256
f3e91c0e63a38f99af50221e9215315f401d591968c9e76d2d786908a6cccf1b
-
SHA512
6e0327af881fbc18dc8542835513e502e1575aa4b94ced9b752194eb3d84014b0e8d47e9a44d0dc2d8eac9552b4fab7744ec4a486879d4242bd57a04ab6256c6
-
SSDEEP
1536:4xr5e+IPIyYGFZabUnYmjLha8qB2nD6T9aZOLTST6:gFE7YWQbUmt2cKOLM6
Score10/10-
Detect Xworm Payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
MITRE ATT&CK Matrix ATT&CK v13
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1