General
-
Target
xWorm+v5.6.exe
-
Size
12.0MB
-
Sample
240831-xlc7mszcpb
-
MD5
a97ea9e6786a02d1651e023b8e2b6aa1
-
SHA1
5614e602de8ef7c1095450f5053ed14c8e17f31e
-
SHA256
8e3ca6388350b76e63e673c31dc7fea8772156f640c0d76c8ddd8e552c9f8e90
-
SHA512
894c898d1c1b64353bf4f38cbdb477596d780b137a06c2012932c05dddbba4f4f850b76ba0da930b8b626ae6a3b14013ff319a71cb030332dbb9fbd6859b20b8
-
SSDEEP
6144:5MaUDc37elZKI7ig55JIuzRt4qDKYrYHsW73:FT3wF5JIKRt4qmBsW7
Static task
static1
Behavioral task
behavioral1
Sample
xWorm+v5.6.exe
Resource
win10v2004-20240802-en
Malware Config
Extracted
umbral
https://canary.discord.com/api/webhooks/1279146469588340746/OZT0SJ0y5zhhi2z7H8eJ576F3-SmO2zrejY7aiS_DYX6c0ea5nuejVV4CjY8Hs9MDl_G
Extracted
xworm
5.0
japanese-longer.gl.at.ply.gg:28461
MDePCKGcpJNC9Aji
-
Install_directory
%AppData%
-
install_file
XClient.exe
Targets
-
-
Target
xWorm+v5.6.exe
-
Size
12.0MB
-
MD5
a97ea9e6786a02d1651e023b8e2b6aa1
-
SHA1
5614e602de8ef7c1095450f5053ed14c8e17f31e
-
SHA256
8e3ca6388350b76e63e673c31dc7fea8772156f640c0d76c8ddd8e552c9f8e90
-
SHA512
894c898d1c1b64353bf4f38cbdb477596d780b137a06c2012932c05dddbba4f4f850b76ba0da930b8b626ae6a3b14013ff319a71cb030332dbb9fbd6859b20b8
-
SSDEEP
6144:5MaUDc37elZKI7ig55JIuzRt4qDKYrYHsW73:FT3wF5JIKRt4qmBsW7
-
Detect Umbral payload
-
Detect Xworm Payload
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops file in Drivers directory
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1