General
-
Target
HyperCheck.exe
-
Size
7.6MB
-
Sample
241029-ymebrsyerb
-
MD5
aec82b6c2e71c32e3800caacadea13fd
-
SHA1
0ea2ddc7b4155eeec9d82148a1c6627e28d1b2ad
-
SHA256
edd6c81eb424b866580a48f3b2750892e589fb1c03d82e6d541483f606fcef96
-
SHA512
755c532e65b8fbd3f0d26350089896cd52385e988713b98b040896cb099c0963d257dc53bee4595922a5387d6f9c2176f2610ebac33ae61ecc8d9038ceaf1a93
-
SSDEEP
196608:pOFuoTJre+RwTl4dNb/Mwj43K4eeIq779EVStdVxG4eEbfXAvKte:Wuire+Rm+NnZ4f9nG4eVie
Static task
static1
Behavioral task
behavioral1
Sample
HyperCheck.exe
Resource
win10v2004-20241007-uk
Behavioral task
behavioral2
Sample
HyperCheck.exe
Resource
win11-20241007-uk
Malware Config
Extracted
xworm
5.0
visual-cities.gl.at.ply.gg:43645
EaL3QDVCrsRN0yYr
-
Install_directory
%LocalAppData%
-
install_file
System.exe
Targets
-
-
Target
HyperCheck.exe
-
Score
10/10
-
Detect Xworm Payload
-
Xworm family
-
Command and Scripting Interpreter: PowerShell
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up the country code configured in the registry, likely for geofencing.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter (1)
PowerShell (1)
Scheduled Task/Job (1)
Scheduled Task (1)
Persistence
Boot or Logon Autostart Execution (1)
Registry Run Keys / Startup Folder (1)
Scheduled Task/Job (1)
Scheduled Task (1)