General
Target: XWormV5.2.exe
Size: 9.1MB
Sample: 240905-hlbw9avdkk
MD5: 1c264a483f2f667410157dac2f067d66
SHA1: 4831f141b41802d06d6735b237c53f4d34e9d428
SHA256: 1c906ee702dadbc5ce1668754a488cbbc9838c63aaa6fb77fe5e848491b6f474
SHA512: 1b48506e8cd01b66e930b8bb70998a3e4f02a300ef1a97252e105013b7e455c021d014a4cf3b1ba77deadc94e1908c8314c2875900145760cc5c402f37d637a2
SSDEEP: 196608:6OdkWMB1TCCAaa/f+cUhBLHK1gzaFsKnULGZ3d/VRyDhwymXeexoAxG:6K2B1CkcDUDLHK18as0mcvow+Ax
Static task: static1
Behavioral task: behavioral1
Sample: XWormV5.2.exe
Resource: win7-20240708-en
Malware Config
Extracted
xworm
uk1.localto.net:3725
Install_directory: %ProgramData%
install_file: svchost.exe
Targets
Detect Xworm Payload

Command and Scripting Interpreter: PowerShell
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

Checks computer location settings
Looks up country code configured in the registry, likely geofence.

Drops startup file

Executes dropped EXE

Loads dropped DLL

Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

Adds Run key to start application

Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15
Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)