General
Target: Payment_Information.bin
Size: 1.2MB
Sample: 240701-k3fymswenp
MD5: bfe4e6c774018b6e85d33fd381427d2f
SHA1: e75e6b64ea2c112a3a1b6a5ca1c0663cb185f704
SHA256: 473c0737f6125ad0dff41521ab1e6331cd457c3253556b2bce4482ebf86e829b
SHA512: 041f0fd37b0fff784b22261e23853fd3474881820f01aa3cc1dbdf4c4c0c25dfda70b15a4ac007aef70b3d28c92cfde60d3ec91e32f48c670f94e90b10d904a3
SSDEEP: 24576:q4fvrZFtYuN29VEFV5qSh0lhSMXl0NJkdV4KKhnPmgUf5:nvhQVKV5qPkJIV4ZhPmT
Static task: static1
Behavioral task: behavioral1 (sample Payment_Information.exe, resource win7-20240508-en)
Behavioral task: behavioral2 (sample Payment_Information.exe, resource win10v2004-20240508-en)
Malware Config
Extracted
Family: xworm
Version: 5.0
C2: newsferinfo.com:7000
C2: continentalgames.top:7000
8VF9MKRpl0LkiNW2
Install_directory: %Public%
install_file: microsoft_version_0124.exe
Targets
Target: Payment_Information.bin (same file and hashes as listed under General)
Score: 10/10
Signatures:
- Detect Xworm Payload
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext