General

Target: s.exe
Size: 1.1MB
Sample: 240531-2qd2ysgc7x
MD5: 09633ffe1d3b4c7a747e4408f8efbce5
SHA1: 1204d7963755d1d126b4b37110b3ce9aa363be26
SHA256: a05bf5a2ce5ede067135335270d9baf3d01b11589262d484b549ecfc6ed18afb
SHA512: 63bfca8dca0e438b8eef2ba4ad5aafcb2369793cb5c1c979b2b4090ad1153c540372ec274cc1a9fd4f4fc85e142e2e6eb7a7b4780106c9d7189a9ece89a6bb60
SSDEEP: 24576:lnRvWL+3S3y1JWGBjuRnuIppDos2THHyrHJmvX34IRpJlcin00I9nO2dhCzOqyCW:lnRvWL+3S3qQ+tOobrSjW34IRDain00I
Static task: static1

Malware Config

Extracted: xworm
Install_directory: %AppData%
install_file: svchost.exe
pastebin_url: https://pastebin.com/raw/Jt9Xgc6v
Targets

Target: s.exe
- Detect Xworm Payload
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Drops startup file
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger