General
Target: XClient.exe
Size: 41KB
Sample: 240523-kmq4nsbb4t
MD5: cb09c9133f40c4903525fa5a7df4c405
SHA1: e8496990338d09a6b73d4808e3aada0f50cf758a
SHA256: ad335bba6ec965c12c17a0fb8ae86aa26beebca57e63fba662757a79f1d6df22
SHA512: be757f81deb1b8f43d51332d383ff829524ea94a54a732576b30bdba43a31eee2dfc9cd8ed5dce2cd06e191c307db2ddee687895a0de5ad6bc9709d167631b1f
SSDEEP: 768:KU0MzzOOfBbw197oyoyv08cr/rZ+IF5Pa9n2e6iOwhM3sik:KU0M/bZbwXsyrs3rd9F492e6iOwSNk
Behavioral task: behavioral1
Sample: XClient.exe
Resource: win11-20240426-en
Malware Config
Extracted: xworm 5.0
https://pastebin.com/raw/qaWffTar:5
C6npgtaAk9A5snxm
Install_directory: %AppData%
install_file: svchost.exe
pastebin_url: https://pastebin.com/raw/qaWffTar
Targets
Target: XClient.exe
Score: 10/10
Signatures:
- Detect Xworm Payload
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
- Modifies Installed Components in the registry
- Drops startup file
- Adds Run key to start application
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution (2)
- Registry Run Keys / Startup Folder (2)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
- Registry Run Keys / Startup Folder (2)
- Scheduled Task/Job (1)