General
Target: Celex.exe
Size: 6.8MB
Sample: 240622-j1421s1hka
MD5: d550b8fbf57f2876c8308c7fd52025e6
SHA1: 1933ff94dd7de1cbe01e71154053b7e46b1f61fb
SHA256: 0693684117df72f1c9ac9d4f84548c76de7bfc73f8abf41fc28f65767fe5ffad
SHA512: 63affe3499e5e371adff4b48898d36b09128c60d8f56e7593175fd4a4347f23b053601337633606e863a1497038775338bc3f3c6033eafbedb69f84dc372b510
SSDEEP: 196608:r3e3zeuPjIZyjUUM4QF8I6uDYoY5O8isZi2htfF:r3eL2yjP9QWygO8isZi2jfF
Static task: static1
Behavioral task: behavioral1
Sample: Celex.exe
Resource: win7-20231129-it
Malware Config
Extracted: xworm
  185.216.70.22:7000
  Install_directory: %AppData%
  install_file: GoogleUpdateCore.exe
Targets
Target: Celex.exe (the same file as in General; size and hashes are listed above)

- Detect Xworm Payload
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)