General
- Target: XWormV3.1.exe
- Size: 7.0MB
- Sample: 241204-a8xhgasrhz
- MD5: 3d7099d20fa4b010872bdeafc7ef2ad2
- SHA1: 112a5be4630cf8cb237d6c121097119e0484f4e2
- SHA256: 4748cc63e9e800f3c085fd3760a5a780d4c44a617b727989d71cc0cd79ddee6c
- SHA512: bfc463256c1ec30de6671a121365431d61ecfee04af108faf2bcef5319805611453d46afbdce8cb3c622686cabd1786b5d982982ca9ab2af600c2b74252a65ce
- SSDEEP: 196608:7nWqruP0pU8UkYzHK1Yql3acqzXjjwWdYxQZWK+oP3YX6p:7n3U9Fz4Yg3acqzXjEIYxQZWQvYX6p
Static task: static1

Behavioral task: behavioral1
- Sample: XWormV3.1.exe
- Resource: win7-20240903-en

Behavioral task: behavioral2
- Sample: XWormV3.1.exe
- Resource: win10v2004-20241007-en
Malware Config
Extracted:
- Family: xworm
- Version: 3.1
- next-screening.at.ply.gg:48590
- Install_directory: %AppData%
- install_file: chrome.exe
Targets
- Target: XWormV3.1.exe
Score: 10/10

Signatures
- Detect Xworm Payload
- Xworm family
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP address.
-
MITRE ATT&CK Enterprise v15
- Execution
  - Command and Scripting Interpreter (1): PowerShell (1)
  - Scheduled Task/Job (1): Scheduled Task (1)
- Persistence
  - Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  - Scheduled Task/Job (1): Scheduled Task (1)