General
Target: Xworm+V7.0.exe
Size: 15.5MB
Sample: 240818-a2173syfmk
MD5: d8e168a28df4c3b07f3aa33251eb9973
SHA1: a201db9b5593a1290e4feaa72ee7f0e246cbd5eb
SHA256: e325de946ae78c2063a281903a819a84915411b2b0a1beb5fbb8dd6dbb60acc0
SHA512: 0c8a08d0afcf94c3361287dfb59a0b089d5908136ed657ceb9d3c94fc6d7149879ae0dad987e9e302630ffe3651769b27a31676fa1b44ca298ede07fbc8a28f9
SSDEEP: 393216:/z/DJJoIRv/PiktGiZis6mjSkPQ+GvRRJf:/Ho2iqRsskkPQ/5RJf
Static task: static1
Malware Config
Extracted: xworm 5.0 OnCH8EVI1tYADuXo
Install_directory: %LocalAppData%
install_file: msedge.exe
pastebin_url: https://pastebin.com/raw/RPPi3ByL
telegram: https://api.telegram.org/bot7483240807:AAEYFrBoMgquxWoikOe9bVlqmoMC2b2AOO4/sendMessage?chat_id=5279018187
Targets
Target: Xworm+V7.0.exe (15.5MB)
Signatures
- Detect Xworm Payload
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Download via BitsAdmin
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Persistence
- BITS Jobs (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)