General
-
Target
Downloader.hta
-
Size
914B
-
Sample
240817-1etsla1cln
-
MD5
7561c884abc8480eebe81244128b5e83
-
SHA1
509574cd1b5d336e349ec699fb0f9b6720971728
-
SHA256
6eb91b5cb7628b3cc4d6012456ca0aea4a5bb69cb6eb0fbe93a89e1d28f0c650
-
SHA512
0d162a6075e2e0ac22c3aa0d268de51c98fc6c7936e0b5891d0ccbdcc3c199056843c78eadbdab393735cec88a1568de8a9e0f3cb150a43a659cab567994a82d
Static task
static1
Behavioral task
behavioral1
Sample
Downloader.hta
Resource
win7-20240704-en
Malware Config
Extracted
xworm
lijaligibidu-35558.portmap.host:35558
-
Install_directory
%LocalAppData%
-
install_file
Windows Security.exe
Targets
-
-
Target
Downloader.hta
-
Size
914B
-
MD5
7561c884abc8480eebe81244128b5e83
-
SHA1
509574cd1b5d336e349ec699fb0f9b6720971728
-
SHA256
6eb91b5cb7628b3cc4d6012456ca0aea4a5bb69cb6eb0fbe93a89e1d28f0c650
-
SHA512
0d162a6075e2e0ac22c3aa0d268de51c98fc6c7936e0b5891d0ccbdcc3c199056843c78eadbdab393735cec88a1568de8a9e0f3cb150a43a659cab567994a82d
-
Detect Xworm Payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Download via BitsAdmin
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-