General
-
Target
TxDoomer_Loader_protected_original.exe
-
Size
1.2MB
-
Sample
240622-mzemhsveja
-
MD5
fd3e0fddb2a2571d7c6010de90e552f9
-
SHA1
55cd4a8e012740dfa430dddf3245ffad383b64a2
-
SHA256
ab696814ce3c10f86e8ad86a8c1cbb45f9ab0ceddc336ca15bce36b2f1a87a13
-
SHA512
654663056ba803474dc3cee0fa07da9fc6710debb49e343b06cc558f3f60879a1c54f4f2df44069247b9565f505a4413f11c1fa72de546f0cbfe33eb5405be3d
-
SSDEEP
24576:jqeWJnK5cnuFa2s1kX/kbtIqgFHU0HEPJbO8dBUGKsmuzQ28HW:jjWMFXs1kX/tqUEPJbOEVd
Static task
static1
Behavioral task
behavioral1
Sample
TxDoomer_Loader_protected_original.exe
Resource
win11-20240611-en
Malware Config
Extracted
xworm
-
Install_directory
%AppData%
-
install_file
svchost.exe
-
pastebin_url
https://pastebin.com/raw/Jt9Xgc6v
Targets
-
-
Target
TxDoomer_Loader_protected_original.exe
-
Size
1.2MB
-
MD5
fd3e0fddb2a2571d7c6010de90e552f9
-
SHA1
55cd4a8e012740dfa430dddf3245ffad383b64a2
-
SHA256
ab696814ce3c10f86e8ad86a8c1cbb45f9ab0ceddc336ca15bce36b2f1a87a13
-
SHA512
654663056ba803474dc3cee0fa07da9fc6710debb49e343b06cc558f3f60879a1c54f4f2df44069247b9565f505a4413f11c1fa72de546f0cbfe33eb5405be3d
-
SSDEEP
24576:jqeWJnK5cnuFa2s1kX/kbtIqgFHU0HEPJbO8dBUGKsmuzQ28HW:jjWMFXs1kX/tqUEPJbOEVd
Score10/10-
Detect Xworm Payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops startup file
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1