General
Target: d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0
Size: 892KB
Sample: 240702-f97ygsybna
MD5: e501c275814bfcb58fe845c38227d5c5
SHA1: e2dd36fd738326611cc8d80462451beb842b2d93
SHA256: d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0
SHA512: 435829c2248659e855cef6aca52061fb33c568f73b3668fcb87bcc33cc86f5c442a3e9ef7f840c3f54d813bf8c8b8c80c4139ae134a71245e269f186b550786a
SSDEEP: 12288:WpJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9djS0TMS9:OJ39LyjbJkQFMhmC+6GD9d7n9
Behavioral task: behavioral1
Sample: d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0.exe
Resource: win10v2004-20240611-en
Malware Config
Extracted
Family: xworm
Version: 5.0
C2: 45.141.26.232:6666
mbuYWmhQxC0l7ybb
Install_directory: %ProgramData%
install_file: XClient.exe
Targets
Target: d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0
- Detect Xworm Payload
- Neshta
  Malware from the Neshta family infects other files to spread itself and cause damage.
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely for geofencing.
- Drops startup file
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Event Triggered Execution: Change Default File Association (1)
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)