General
Target: https://cdn.discordapp.com/attachments/1253255524330246195/1253629125000957993/bytecode.rar?ex=66768c9a&is=66753b1a&hm=2555e33976aab06a13465b3448bc1b727b64e0457dd117cf46564edd5677ea60&
Sample: 240621-kkww5sxcjm
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
  Sample: https://cdn.discordapp.com/attachments/1253255524330246195/1253629125000957993/bytecode.rar?ex=66768c9a&is=66753b1a&hm=2555e33976aab06a13465b3448bc1b727b64e0457dd117cf46564edd5677ea60&
  Resource: win10v2004-20240508-en
Malware Config
Extracted: xworm
  127.0.0.1:7110
  192.168.1.17:7110
  Install_directory: %AppData%
  install_file: Window corporation.exe
Targets
Target: https://cdn.discordapp.com/attachments/1253255524330246195/1253629125000957993/bytecode.rar?ex=66768c9a&is=66753b1a&hm=2555e33976aab06a13465b3448bc1b727b64e0457dd117cf46564edd5677ea60&
Score: 10/10
- Detect Xworm Payload
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)