General

Target: DAVIDxPANEL.exe
Size: 351KB
Sample: 250121-n7rgqasrek
MD5: bdf4babc0504339255ab25c4550e373a
SHA1: 08f6c30ea97cff716acce362c8c3b2629ec7d08c
SHA256: b86413527bbc9f5ba6240402aba7cd6d0413bc9ee7db1f02ec18426f18c60044
SHA512: 97c058c8873b2146c91a3f3a21b653e70b001277203222f5ead6f142134b66e2be4a79ee87c9adf57b2fad56e2c354ece62115d36dd0e7f3e17cf459751c4178
SSDEEP: 6144:jNHtr2hylad/y/MOsuplJ/y//////E////z4///////K//////onnnnnnnnnnq+1:jZtXlad/6mulJ/y//////E////z4///Z
Static task: static1
Behavioral task: behavioral1
  Sample: DAVIDxPANEL.exe
  Resource: win10v2004-20241007-en
Malware Config

Extracted family: xworm
C2: rates-sir.gl.at.ply.gg:9099
Install_directory: %AppData%
install_file: Steam.exe
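The extracted configuration is directly actionable: the C2 hostname and the drop location (%AppData%\Steam.exe, a name chosen to pass as the Steam client) can be swept for across a fleet. The script below is an added example and not code from the Triage report. It takes the C2 host and port, install directory and install file from the Malware Config section above; the profile path used to expand %AppData%, the autostart inventory, the DNS log line format and the "legitimate Steam lives under Program Files" rule are assumptions made for the example.

```python
"""Hunt a fleet for the host artifacts in the extracted XWorm config above.

Added example, not code from the Triage report. C2 host/port, install
directory and install file come from the Malware Config section; the
profile path, autostart entries and DNS log lines are constructed test data.
"""
import re

C2_HOST = "rates-sir.gl.at.ply.gg"
C2_PORT = 9099
C2_ZONE = "ply.gg"            # playit.gg tunnel zone: pivot for related samples
INSTALL_DIR = "%AppData%"
INSTALL_FILE = "Steam.exe"

# Constructed profile so %AppData% / %LocalAppData% expand deterministically.
ENV = {
    "APPDATA": r"C:\Users\alice\AppData\Roaming",
    "LOCALAPPDATA": r"C:\Users\alice\AppData\Local",
}


def expand_env(path: str, env: dict = ENV) -> str:
    """Expand %VAR% tokens case-insensitively, as ExpandEnvironmentStrings does."""
    return re.sub(r"%([^%]+)%",
                  lambda m: env.get(m.group(1).upper(), m.group(0)), path)


DROP_PATH = expand_env(INSTALL_DIR + "\\" + INSTALL_FILE).lower()


def image_path(command: str) -> str:
    """Return the executable an autostart command launches, without arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def flag_autostarts(entries):
    """entries: (source, name, command) from Run keys and scheduled tasks.

    Flags anything launching the configured drop path. A Steam.exe elsewhere
    under AppData is reported as a masquerade too: the real client installs
    under Program Files (assumption about the legitimate install location).
    """
    hits = []
    for source, name, command in entries:
        img = expand_env(image_path(command)).lower()
        if img == DROP_PATH:
            hits.append((source, name, "xworm install path"))
        elif img.endswith("\\" + INSTALL_FILE.lower()) and "\\appdata\\" in img:
            hits.append((source, name, "steam.exe masquerade under AppData"))
    return hits


DNS_RE = re.compile(r"host=(?P<host>\S+)\s+query=(?P<q>\S+)")


def find_c2_lookups(dns_lines):
    """Match DNS query logs against the C2 host and its tunnel zone."""
    hits = []
    for line in dns_lines:
        m = DNS_RE.search(line)
        if not m:
            continue
        q = m.group("q").rstrip(".").lower()
        if q == C2_HOST:
            hits.append((m.group("host"), q, "xworm c2"))
        elif q.endswith("." + C2_ZONE):
            hits.append((m.group("host"), q, "other " + C2_ZONE + " tunnel"))
    return hits


RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed autostart inventory: two XWorm entries, a LocalAppData variant,
# a benign OneDrive entry and the genuine Steam client under Program Files.
AUTOSTARTS = [
    (RUN_KEY, "Steam", r'"%AppData%\Steam.exe"'),
    (RUN_KEY, "OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("Scheduled Tasks", "Steam", r"C:\Users\alice\AppData\Roaming\Steam.exe"),
    (RUN_KEY, "SteamUpdater", r"%LocalAppData%\Steam.exe"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "Steam",
     r'"C:\Program Files (x86)\Steam\steam.exe" -silent'),
]

# Constructed DNS log lines (the resolver export format is an assumption).
DNS_LOG = [
    "2025-01-21T10:02:11Z host=WS01 query=rates-sir.gl.at.ply.gg. type=A",
    "2025-01-21T10:05:40Z host=WS07 query=other-name.gl.at.ply.gg type=A",
    "2025-01-21T10:06:02Z host=WS03 query=store.steampowered.com type=A",
]

if __name__ == "__main__":
    print("C2:", C2_HOST, C2_PORT)
    for hit in flag_autostarts(AUTOSTARTS) + find_c2_lookups(DNS_LOG):
        print(hit)
```

The zone-level match is deliberate: the specific C2 name is trivially rotated, but the ply.gg tunnel zone is a stable pivot for sibling samples, so treat "other tunnel" hits as leads to triage rather than as confirmed infections.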
Targets

Target: DAVIDxPANEL.exe
Size: 351KB
Signatures

- Detect Xworm Payload
- Xworm family
- Command and Scripting Interpreter: PowerShell. Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings. Looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Looks up external IP address via web service. Uses a legitimate IP lookup service to find the infected system's external IP.
- Obfuscated Files or Information: Command Obfuscation. Adversaries may obfuscate content during command execution to impede detection.
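The Defender-exclusion signature and the command-obfuscation signature belong together in detection: the exclusion is what makes the drop survive, and the obfuscation is what keeps a naive string match from seeing it. The script below is an added example, not code from the Triage report and not the sample's actual commands. It scans PowerShell script block log text (Event ID 4104 ScriptBlockText) for Defender exclusions after undoing backtick splitting, case mangling, string splicing with the call operator, and -EncodedCommand base64. Add-MpPreference and Set-MpPreference with -ExclusionPath, -ExclusionProcess and -ExclusionExtension are the documented Defender cmdlets and parameters; the five script blocks are constructed test data.

```python
"""Detect Defender exclusions in PowerShell script block logs (Event ID 4104),
undoing the light command obfuscation the signature list refers to.

Added example, not code from the Triage report. The EVENTS below are
constructed test data, not commands recovered from the sample.
"""
import base64
import re

# Backtick escapes that mean something in PowerShell (`n, `t, `0, ...); any
# other backtick before a character is a no-op inserted to break matching.
BACKTICK_RE = re.compile(r"`(?![0abefnrtuv])", re.I)
# 'Add-Mp' + 'Preference' -> 'Add-MpPreference'
SPLICE_RE = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")
# &('Add-MpPreference') or &'Add-MpPreference' -> Add-MpPreference
CALL_RE = re.compile(r"&\s*\(?\s*'([^']*)'\s*\)?")
# powershell -e / -ec / -enc / -EncodedCommand <base64 of a UTF-16LE script>
ENC_RE = re.compile(r"-e(?:c|nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})", re.I)

# Set-MpPreference replaces the exclusion list, so it is as interesting as Add-.
CMD_RE = re.compile(r"\b(?:Add|Set)-MpPreference\b([^\n;|]*)", re.I)
# PowerShell accepts unambiguous parameter prefixes, so match the shortest
# prefix that still distinguishes Path / Process / Extension.
PARAM_RE = re.compile(r"-Exclusion(Pa\w*|Pr\w*|E\w*)\s+([^\s;|]+)", re.I)


def _decode_encoded_command(m: re.Match) -> str:
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return m.group(0)


def deobfuscate(text: str, passes: int = 3) -> str:
    """Normalise backtick-split, spliced and base64-encoded commands."""
    for _ in range(passes):
        before = text
        text = BACKTICK_RE.sub("", text)
        while True:
            joined = SPLICE_RE.sub(r"'\1\2'", text)
            if joined == text:
                break
            text = joined
        text = CALL_RE.sub(r"\1", text)
        text = ENC_RE.sub(_decode_encoded_command, text)
        if text == before:
            break
    return text


def find_exclusions(script_block: str):
    """Return (kind, value) for every Defender exclusion a script block sets."""
    hits = []
    for cmd in CMD_RE.finditer(deobfuscate(script_block)):
        for p in PARAM_RE.finditer(cmd.group(1)):
            prefix = p.group(1).lower()
            kind = ("path" if prefix.startswith("pa")
                    else "process" if prefix.startswith("pr") else "extension")
            hits.append((kind, p.group(2).strip("'\"")))
    return hits


def scan_script_blocks(blocks):
    """Map block index -> exclusions, for every block that sets any."""
    result = {}
    for i, block in enumerate(blocks):
        hits = find_exclusions(block)
        if hits:
            result[i] = hits
    return result


def _encoded(script: str) -> str:
    return base64.b64encode(script.encode("utf-16-le")).decode()


# Constructed ScriptBlockText samples: plain, backtick/case-mangled, spliced
# with the call operator, base64-encoded, and one benign read-only query.
EVENTS = [
    "Add-MpPreference -ExclusionPath 'C:\\Users\\alice\\AppData\\Roaming' -ExclusionProcess 'Steam.exe'",
    "aDd-mP`pReFeReNcE -ExclusionE`xtension exe",
    "&('Add-Mp'+'Preference') -ExclusionPa \"$env:APPDATA\\Steam.exe\"",
    "powershell -nop -w hidden -enc " + _encoded("Add-MpPreference -ExclusionPath $env:APPDATA"),
    "Get-MpPreference | Select-Object ExclusionPath",
]

if __name__ == "__main__":
    for i, hits in scan_script_blocks(EVENTS).items():
        print(i, hits)
```

Two practical notes. Script block logging records the de-obfuscated text for many cases already (the engine logs what it compiles), so the normalisation here matters most for command-line sources such as Event 4688 or Sysmon Event 1, where only the literal string survives. And any exclusion whose value resolves under a user profile, as the AppData path from this sample's configuration does, deserves an alert on its own, whatever process set it.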
MITRE ATT&CK Enterprise v15

Tactic                Technique (sub-technique)                                                  Count
Execution             Command and Scripting Interpreter: PowerShell                              1
Execution             Scheduled Task/Job: Scheduled Task                                         1
Persistence           Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder      1
Persistence           Scheduled Task/Job: Scheduled Task                                         1
Privilege Escalation  Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder      1
Privilege Escalation  Scheduled Task/Job: Scheduled Task                                         1
Defense Evasion       Modify Registry                                                            1
Defense Evasion       Obfuscated Files or Information: Command Obfuscation                      1