General
-
Target
exno-multitool.bat
-
Size
312KB
-
Sample
240808-1mjmlatgqc
-
MD5
35f2566540e2b6d4d6936a1f69c9b61c
-
SHA1
c54fdbe3b77c3cb24daf7e0157236c088f06b9e0
-
SHA256
6da093e67df15817141cb314b208da8c750e14bcda70293aac9aea354f708a92
-
SHA512
4096802c29db97ad4cec416413c35a2060c3da13c9512c1290beff6ab518b6fd18867a57771f4e7a3c96b077bf96408ddf2732cc602fa8d6166a374d2f7cbae9
-
SSDEEP
6144:YuQfKrYP5G4V8rw0vUPaPJKHNVdhsjIq7pZMB+hhQi/rcf06yfnkX:Yu1rkG4V8rw6U2JKtVPsjIwMBqjDcVyY
Static task
static1
Behavioral task
behavioral1
Sample
exno-multitool.bat
Resource
win10-20240404-en
Behavioral task
behavioral2
Sample
exno-multitool.bat
Resource
win7-20240729-en
Behavioral task
behavioral3
Sample
exno-multitool.bat
Resource
win10-20240404-en
Behavioral task
behavioral4
Sample
exno-multitool.bat
Resource
win10v2004-20240802-en
Behavioral task
behavioral5
Sample
exno-multitool.bat
Resource
win11-20240802-en
Malware Config
Extracted
https://ipapi.co/json/
Extracted
xworm
browse-brokers.gl.at.ply.gg:53049
-
Install_directory
%AppData%
-
install_file
server.exe
Targets
-
-
Target
exno-multitool.bat
-
Size
312KB
-
MD5
35f2566540e2b6d4d6936a1f69c9b61c
-
SHA1
c54fdbe3b77c3cb24daf7e0157236c088f06b9e0
-
SHA256
6da093e67df15817141cb314b208da8c750e14bcda70293aac9aea354f708a92
-
SHA512
4096802c29db97ad4cec416413c35a2060c3da13c9512c1290beff6ab518b6fd18867a57771f4e7a3c96b077bf96408ddf2732cc602fa8d6166a374d2f7cbae9
-
SSDEEP
6144:YuQfKrYP5G4V8rw0vUPaPJKHNVdhsjIq7pZMB+hhQi/rcf06yfnkX:Yu1rkG4V8rw6U2JKtVPsjIwMBqjDcVyY
Score10/10-
Detect Xworm Payload
-
Blocklisted process makes network request
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
3PowerShell
2Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1