General
Target: setup.exe
Size: 73KB
Sample: 240622-ngnm5swckd
MD5: 9003126cef8cf36eca17f1e51eaf8394
SHA1: 6f7941dc4c5bb1818a519482537ea231e4ba8ab8
SHA256: ac30d7a03c46c90f1f8270ac6dc2a7001373b2b16567d7753f174fd33c047ed2
SHA512: eacfc7a4030cbaab1926d660b5ea2fa69d9ba2e18bb690822bab474b9fb296d49150af25a8565dd51ad3a4d4da648e365610969829835d480fce4e16b0285dac
SSDEEP: 1536:mPN8fc4tabwG764lxyTfogb8cCijEnxH8w6nNOON3c7G:UN8f9abwGLHyZb876qWVNOON6G
Behavioral task: behavioral1
Sample: setup.exe
Resource: win7-20240611-en
Behavioral task: behavioral2
Sample: setup.exe
Resource: win10v2004-20240611-en
Malware Config
Extracted: xworm
C2: sebeee-39917.portmap.io:39917
Install_directory: %AppData%
install_file: RuntimeBroker.exe
Targets
Target: setup.exe
Size: 73KB
Hashes: identical to the General section above
Score: 10/10
Signatures
- Detect Xworm Payload
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
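The behaviours in the signature list above, written out as detection logic and run over constructed Sysmon-style events. This is an added example; it is not part of the sandbox report and not XWorm's own code. The C2 host, port and install_file come from the Malware Config section; the IP-lookup hostnames, the Geo registry key used for the "location settings" check, and the sample events themselves are assumptions constructed for the example.

```python
from __future__ import annotations
import re

# Indicators copied from the report's extracted config (Malware Config section).
C2_HOST = "sebeee-39917.portmap.io"
C2_PORT = 39917
INSTALL_FILE = "RuntimeBroker.exe"

# Assumption: the report does not name the IP-lookup service the sample used;
# these hostnames are illustrative, not taken from the sample.
IP_LOOKUP_HOSTS = {"api.ipify.org", "ip-api.com", "ipinfo.io", "icanhazip.com"}

RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
APPDATA_RE = re.compile(r"\\AppData\\Roaming\\", re.I)
SYSTEM32_RE = re.compile(r"^[A-Z]:\\Windows\\System32\\", re.I)
# Add-MpPreference / Set-MpPreference followed by any -Exclusion* switch.
DEFENDER_EXCL_RE = re.compile(
    r"\b(Add|Set)-MpPreference\b.*?-Exclusion(Path|Process|Extension)\b", re.I | re.S)
# Assumption: "checks computer location settings" is read as a query of the user's
# GeoID under Control Panel\International\Geo, the usual key for that lookup.
GEO_RE = re.compile(r"\\Control Panel\\International\\Geo\\", re.I)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev: dict) -> list[str]:
    """Return the report signatures a single event matches (empty list if none)."""
    hits: list[str] = []
    t = ev.get("type")
    if t == "process_create":
        img, cl = ev.get("image", ""), ev.get("cmdline", "")
        if _basename(img) in ("powershell.exe", "pwsh.exe") and DEFENDER_EXCL_RE.search(cl):
            hits.append("T1059.001: PowerShell adds Defender exclusions")
        if _basename(img) == INSTALL_FILE.lower() and not SYSTEM32_RE.match(img):
            # The genuine RuntimeBroker.exe lives in System32; the report's install_file does not.
            hits.append("Executes dropped EXE (RuntimeBroker.exe outside System32)")
    elif t == "file_create":
        tgt = ev.get("target", "")
        if STARTUP_DIR_RE.search(tgt):
            hits.append("T1547.001: Drops startup file")
        if APPDATA_RE.search(tgt) and _basename(tgt) == INSTALL_FILE.lower():
            hits.append("Writes install_file into %AppData%")
    elif t == "registry_set":
        if RUN_KEY_RE.search(ev.get("target", "")) and APPDATA_RE.search(ev.get("data", "")):
            hits.append("T1547.001: Run key pointing into %AppData%")
    elif t == "registry_query":
        if GEO_RE.search(ev.get("target", "")):
            hits.append("Checks computer location settings (country code)")
    elif t == "dns_query":
        q = ev.get("query", "").lower()
        if q == C2_HOST:
            hits.append("Resolves XWorm C2 host")
        elif q in IP_LOOKUP_HOSTS:
            hits.append("Looks up external IP address via web service")
    elif t == "network_connect":
        if ev.get("dest_host", "").lower() == C2_HOST and ev.get("dest_port") == C2_PORT:
            hits.append("Connects to XWorm C2 %s:%d" % (C2_HOST, C2_PORT))
    return hits


def scan(events: list[dict]) -> dict[int, list[str]]:
    """Map event index -> matched signatures, omitting events with no match."""
    out: dict[int, list[str]] = {}
    for i, ev in enumerate(events):
        hits = check_event(ev)
        if hits:
            out[i] = hits
    return out


# Constructed sample events (simplified Sysmon fields); not taken from the report.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell -Command Add-MpPreference -ExclusionPath "C:\Users\victim\AppData\Roaming" '
                r'-ExclusionProcess "RuntimeBroker.exe" -ExclusionExtension ".exe"'},
    {"type": "registry_query", "target": r"HKCU\Control Panel\International\Geo\Nation"},
    {"type": "file_create", "target": r"C:\Users\victim\AppData\Roaming\RuntimeBroker.exe"},
    {"type": "registry_set", "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker",
     "data": r"C:\Users\victim\AppData\Roaming\RuntimeBroker.exe"},
    {"type": "process_create", "image": r"C:\Users\victim\AppData\Roaming\RuntimeBroker.exe", "cmdline": ""},
    {"type": "process_create", "image": r"C:\Windows\System32\RuntimeBroker.exe", "cmdline": ""},  # legitimate
    {"type": "dns_query", "query": "api.ipify.org"},
    {"type": "dns_query", "query": "sebeee-39917.portmap.io"},
    {"type": "network_connect", "dest_host": "sebeee-39917.portmap.io", "dest_port": 39917},
    {"type": "process_create", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -Command Get-Process"},  # benign
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["type"], "->", "; ".join(hits))
```

On a live host the same checks map onto `Get-MpPreference` (its ExclusionPath, ExclusionProcess and ExclusionExtension properties) and the HKCU Run key; a RuntimeBroker.exe anywhere other than System32 is the strongest single indicator, since the genuine binary is never installed under a user profile. portmap.io is a public port-forwarding service, so blocking only this hostname is brittle: the operator can register a new one, and the Run key and %AppData% install path are the more durable things to hunt for.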
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter: PowerShell (1)
- Scheduled Task/Job: Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job: Scheduled Task (1)