General
- Target: Xworm V5.6.exe
- Size: 163KB
- Sample: 241230-m1r91axnhz
- MD5: 2c1e5afc3ab9493981afdfbc471e6bd0
- SHA1: 00ba2cdd1b79cd74677f7723629a2b02729cb699
- SHA256: 08d82dd27b1ca3bb6815d688e9b4226f07b19498cc39624c23f6f42874815ac6
- SHA512: 6212214149f6181fe002f9491db8b0e2961ff9c9e0b7481365121f17767771a539213c29f13448f535f6459aa8d34c0e3b29c27c4833461466e6e69fef53919a
- SSDEEP: 3072:fRig2YPdJcbuuNi2Og1lQcmtVMzLv4Pstm:Eg2wcbCanmtVM
Behavioral task: behavioral1
- Sample: Xworm V5.6.exe
- Resource: win10v2004-20241007-en

Behavioral task: behavioral2
- Sample: Xworm V5.6.exe
- Resource: win10ltsc2021-20241211-en

Behavioral task: behavioral3
- Sample: Xworm V5.6.exe
- Resource: win11-20241007-en
Malware Config
Extracted: xworm
- thus-triumph.gl.at.ply.gg:53332
- Install_directory: %AppData%
- install_file: USB.exe
Targets
- Target: Xworm V5.6.exe
- Size: 163KB
Score: 10/10
- Detect Xworm Payload
- Xworm family
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)