General
Target: spoofertest.exe
Size: 200KB
Sample: 241230-r76heszphx
MD5: 24b58306d1368c2b0143f75e8678dca1
SHA1: 6a454149d3c6b2cd26f61c9a6045a9e5c0145318
SHA256: 5c85c8dce4fb146cb5d80c37bd895f57f898d5e06c1720070e8b2658413a10a9
SHA512: 55ab4eca471411a38fc666155ee120f0e7d9239bd2c1446ca060e0543ef02df105bafe276248445f1243633d72ea16f3981ad847844b9f55d318045f9ce78d7e
SSDEEP: 3072:Nk2FC2QG4C/67LcwObG5+bTuFNOsniku4NpVq8BxFRzaqF+o2GQJ7/JzqVfGv9:q2FRwbwbKugVqwlL
Behavioral tasks
- behavioral1: Sample spoofertest.exe, Resource win7-20240903-en
- behavioral2: Sample spoofertest.exe, Resource win10v2004-20241007-en
Malware Config
Extracted: xworm
127.0.0.1:7000
Install_directory: %AppData%
install_file: XClient.exe
Targets
Target: spoofertest.exe (200KB; hashes identical to those listed under General)
Score: 10/10
Signatures
- Detect Xworm Payload
- Xworm family
- Command and Scripting Interpreter: PowerShell. Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings. Looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
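The signatures above and the extracted config give a small set of host behaviours a responder can hunt for: the sample's SHA256, the install file XClient.exe dropped under %AppData%, a Run key pointing at it, a PowerShell script block calling Add-MpPreference with an -Exclusion* parameter, and a connection to the configured host and port. The script below is an added example, not part of the sandbox report, that classifies Windows event records against those indicators. The records are constructed to look like Sysmon events (IDs 1, 3, 11, 13) and PowerShell script-block logging (4104) and are not real telemetry; the field names follow those event schemas, and %AppData% is assumed to expand to <profile>\AppData\Roaming as it does on Windows.

```python
"""Hunt for the XWorm behaviours listed in the report over Windows event records.

Added example, not code from the sandbox or the report. Event records are
constructed dicts shaped like Sysmon / PowerShell 4104 events, not real logs.
"""
import re

# Indicators taken from the report (General hashes + extracted config).
SAMPLE_SHA256 = "5c85c8dce4fb146cb5d80c37bd895f57f898d5e06c1720070e8b2658413a10a9"
INSTALL_FILE = "XClient.exe"
C2_HOST, C2_PORT = "127.0.0.1", 7000

# Sysmon 13 TargetObject for a per-user or machine Run key value.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.I)
# PowerShell 4104 script block adding a Defender exclusion (path, extension or process).
DEFENDER_EXCLUSION_RE = re.compile(
    r"Add-MpPreference\b[^\n]*-Exclusion(?:Path|Extension|Process)\b", re.I)
# %AppData% resolves to <profile>\AppData\Roaming on Windows (assumption stated in lead-in).
INSTALL_PATH_RE = re.compile(r"\\AppData\\Roaming\\" + re.escape(INSTALL_FILE) + r"$", re.I)


def classify(ev):
    """Return the list of report behaviours a single event record matches."""
    hits = []
    eid = ev.get("EventID")
    # Sysmon 1: process create; Hashes is "SHA256=..." (case-insensitive compare).
    if eid == 1 and f"sha256={SAMPLE_SHA256}" in ev.get("Hashes", "").lower():
        hits.append("known_sample_executed")
    # Sysmon 11: file create of the configured install file under %AppData%.
    if eid == 11 and INSTALL_PATH_RE.search(ev.get("TargetFilename", "")):
        hits.append("install_file_dropped")
    # Sysmon 13: registry value set under a Run key, value data naming the install file.
    if (eid == 13 and RUN_KEY_RE.search(ev.get("TargetObject", ""))
            and INSTALL_FILE.lower() in ev.get("Details", "").lower()):
        hits.append("run_key_persistence")
    # PowerShell 4104: script block text adding a Defender exclusion.
    if eid == 4104 and DEFENDER_EXCLUSION_RE.search(ev.get("ScriptBlockText", "")):
        hits.append("defender_exclusion_added")
    # Sysmon 3: network connection to the extracted host:port.
    if (eid == 3 and ev.get("DestinationIp") == C2_HOST
            and int(ev.get("DestinationPort", 0)) == C2_PORT):
        hits.append("configured_c2_connection")
    return hits


def hunt(events):
    """Map record index -> matched behaviours, for records matching at least one."""
    return {i: h for i, ev in enumerate(events) if (h := classify(ev))}


# Constructed records for a stand-alone run; the two last ones are benign controls.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\lab\Downloads\spoofertest.exe",
     "Hashes": "SHA256=5C85C8DCE4FB146CB5D80C37BD895F57F898D5E06C1720070E8B2658413A10A9"},
    {"EventID": 11, "Image": r"C:\Users\lab\Downloads\spoofertest.exe",
     "TargetFilename": r"C:\Users\lab\AppData\Roaming\XClient.exe"},
    {"EventID": 13, "EventType": "SetValue",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\XClient",
     "Details": r"C:\Users\lab\AppData\Roaming\XClient.exe"},
    {"EventID": 4104,
     "ScriptBlockText": "Add-MpPreference -ExclusionPath 'C:\\Users\\lab\\AppData\\Roaming\\XClient.exe'"},
    {"EventID": 3, "DestinationIp": "127.0.0.1", "DestinationPort": 7000},
    {"EventID": 11, "TargetFilename": r"C:\Users\lab\AppData\Local\Temp\report.txt"},
    {"EventID": 4104, "ScriptBlockText": "Get-MpPreference"},
]

if __name__ == "__main__":
    for idx, hits in hunt(SAMPLE_EVENTS).items():
        print(idx, hits)
```

Two caveats when turning this into a real hunt. The extracted address is the loopback interface, so this build as analysed cannot beacon to an operator; the Sysmon 3 check is only meaningful once C2_HOST and C2_PORT are replaced with the host:port extracted from the build under investigation. The "Checks computer location settings" signature is a registry read, and Sysmon's registry events (12, 13, 14) record creates, value sets and renames, not reads, so that behaviour is not visible in this telemetry; the install file, Run key and Defender exclusion are the durable host artifacts.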
MITRE ATT&CK Enterprise v15
Execution: Command and Scripting Interpreter (1) > PowerShell (1); Scheduled Task/Job (1) > Scheduled Task (1)
Persistence: Boot or Logon Autostart Execution (1) > Registry Run Keys / Startup Folder (1); Scheduled Task/Job (1) > Scheduled Task (1)
Privilege Escalation: Boot or Logon Autostart Execution (1) > Registry Run Keys / Startup Folder (1); Scheduled Task/Job (1) > Scheduled Task (1)