General
  Target: Mode.exe
  Size: 45KB
  Sample: 240524-xrp4dsga44
  MD5: 692bb1be0c680ec225c34bd446ead322
  SHA1: 813345d33a051c297f342ae668e7a32b3e40837b
  SHA256: 3242b26e5d8ebbe6993b03288ae30e5dfc7f0d93f06d8b4a225c184f24bd3034
  SHA512: 2818761e76ad5f7aaf933a857d96d7080ea91653624d923b965c07e224b629b453f5f93c64880a4c9b1f2d55cfff97254c843160c97c169e7437912b80cd04ec
  SSDEEP: 768:CurlDweV3OOVbADM9W1v9NfgkBpuAuREcNclYlVvD4xeVhKfkeLbFEPa9pvp16i4:CADweQKADMkV9GkSAcRaelZrO1/FJ9Nw
Behavioral task: behavioral1
  Sample: Mode.exe
  Resource: win7-20240419-en

Behavioral task: behavioral2
  Sample: Mode.exe
  Resource: win10v2004-20240508-en
Malware Config
  Extracted family: xworm
  Version: 5.0
  C2: 5.tcp.eu.ngrok.io:17399
  Mutex: RxBZSfahWZHZu4kD
  Install_directory: %AppData%
  install_file: svhost.exe
Targets
  Target: Mode.exe
  Size: 45KB
  Score: 10/10

Signatures
  - Detect Xworm Payload
  - Command and Scripting Interpreter: PowerShell
    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  - Sets file execution options in registry
  - Checks computer location settings
    Looks up the country code configured in the registry, likely a geofence.
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Enumerates connected drives
    Attempts to read the root path of hard drives other than the default C: drive.
  - Legitimate hosting services abused for malware hosting/C2
  - Looks up external IP address via web service
    Uses a legitimate IP lookup service to find the infected system's external IP.
MITRE ATT&CK Enterprise v15
  Persistence
    Boot or Logon Autostart Execution (2)
      Registry Run Keys / Startup Folder (2)
    Scheduled Task/Job (1)
  Privilege Escalation
    Boot or Logon Autostart Execution (2)
      Registry Run Keys / Startup Folder (2)
    Scheduled Task/Job (1)