General
-
Target
$77-X.bat
-
Size
310KB
-
Sample
240527-al6gvsac75
-
MD5
0df87c21c846f4ad6db596238e9ef503
-
SHA1
255c312dd6eeebf721f4885b0b23a6ca93a8695b
-
SHA256
4834211e93e75693c4160a7330bcda21b24edd87a84f10a8505a6dc9ba33ff8b
-
SHA512
00eb13d025ee21296c62214e62cc459878a5254153b3059758e819c8e1e89af06262224a3ca5008c920c97239513844739d3d2d53d49ab062badecb9d21e98f9
-
SSDEEP
6144:6697nb6/7s4OSfQjmkHlGuBv8bfA/69hEjMN7vz:6Irbqs4BfQS+gJjA/tI5vz
Static task
static1
Behavioral task
behavioral1
Sample
$77-X.bat
Resource
win10-20240404-en
Behavioral task
behavioral2
Sample
$77-X.bat
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
$77-X.bat
Resource
win11-20240419-en
Malware Config
Extracted
xworm
uk2.localto.net:4782
-
Install_directory
%Userprofile%
-
install_file
$77-Powershell.exe
Targets
-
-
Target
$77-X.bat
-
Size
310KB
-
MD5
0df87c21c846f4ad6db596238e9ef503
-
SHA1
255c312dd6eeebf721f4885b0b23a6ca93a8695b
-
SHA256
4834211e93e75693c4160a7330bcda21b24edd87a84f10a8505a6dc9ba33ff8b
-
SHA512
00eb13d025ee21296c62214e62cc459878a5254153b3059758e819c8e1e89af06262224a3ca5008c920c97239513844739d3d2d53d49ab062badecb9d21e98f9
-
SSDEEP
6144:6697nb6/7s4OSfQjmkHlGuBv8bfA/69hEjMN7vz:6Irbqs4BfQS+gJjA/tI5vz
Score10/10-
Detect Xworm Payload
-
Blocklisted process makes network request
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-