General
Target: 01072024_1044_Payment_Information.zip
Size: 594KB
Sample: 240701-ms1leaxane
MD5: 50c4962e4715ff425067203256b8b608
SHA1: f86e40e6b004b9b450964696e78fb2e76ff0f6a6
SHA256: 0d23152df158541a195e57e5e6f1027728349e8e813f002d46a0c6950a90c688
SHA512: b4941a7e47799cf8d6826965ee696e52520b99bebd8a0eddee1cfec237a852a31716d982cec915fe4cf6b0dbc5d0de5a1398d2933fa8e52df64ec2d004688581
SSDEEP: 12288:PnE1xrHxZjWL+g9fAFi7fHLSboIgPQbOmrBQAe8lDNa1TaZY:PE11R0LvfAFiYNgkOJC41T3
Static task: static1
Behavioral task: behavioral1
  Sample: Payment_Information.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: Payment_Information.exe
  Resource: win10v2004-20240508-en
Malware Config
Extracted
Family: xworm
Version: 5.0
C2: newsferinfo.com:7000
C2: continentalgames.top:7000
Unlabelled config value (field name lost in extraction): 8VF9MKRpl0LkiNW2
Install_directory: %Public%
install_file: microsoft_version_0124.exe
Targets
Target: Payment_Information.exe
Size: 1.2MB
MD5: bfe4e6c774018b6e85d33fd381427d2f
SHA1: e75e6b64ea2c112a3a1b6a5ca1c0663cb185f704
SHA256: 473c0737f6125ad0dff41521ab1e6331cd457c3253556b2bce4482ebf86e829b
SHA512: 041f0fd37b0fff784b22261e23853fd3474881820f01aa3cc1dbdf4c4c0c25dfda70b15a4ac007aef70b3d28c92cfde60d3ec91e32f48c670f94e90b10d904a3
SSDEEP: 24576:q4fvrZFtYuN29VEFV5qSh0lhSMXl0NJkdV4KKhnPmgUf5:nvhQVKV5qPkJIV4ZhPmT
Score: 10/10
Signatures
- Detect Xworm Payload
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP address.
- Suspicious use of SetThreadContext
  SetThreadContext on another process's thread is commonly associated with process injection and hollowing.
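As an added example (not part of this sandbox report and not the sandbox's own detection logic), the following Python turns the extracted config and the behaviour signatures above into a small detection pass over a constructed stream of simplified Sysmon/PowerShell-style events. The C2 hosts, port, install file name and SHA256 values come from the report; the event schema, the registry path HKCU\Control Panel\International\Geo assumed for the country-code check, and the list of IP-lookup hosts are assumptions.

```python
import re

# Indicators taken from this report's extracted XWorm config and target hashes.
C2_HOSTS = {"newsferinfo.com", "continentalgames.top"}
C2_PORT = 7000
INSTALL_FILE = "microsoft_version_0124.exe"
KNOWN_SHA256 = {
    "0d23152df158541a195e57e5e6f1027728349e8e813f002d46a0c6950a90c688",  # the .zip
    "473c0737f6125ad0dff41521ab1e6331cd457c3253556b2bce4482ebf86e829b",  # Payment_Information.exe
}

# Assumptions, not from the report: where Windows stores the configured country,
# and a handful of public IP-lookup services the "external IP" signature could match.
GEO_KEY_RE = re.compile(r"control panel\\international\\geo", re.I)
IP_LOOKUP_HOSTS = {"api.ipify.org", "ip-api.com", "icanhazip.com", "ipinfo.io"}

# Patterns for the behaviours the signatures describe.
RUN_KEY_RE = re.compile(r"\\currentversion\\run$", re.I)
DEFENDER_EXCL_RE = re.compile(
    r"add-mppreference\b.*-exclusion(path|extension|process)", re.I
)


def is_known_sample(sha256):
    """Hash-based match against the two artefacts in this report."""
    return sha256.lower() in KNOWN_SHA256


def classify(event):
    """Return the set of behaviour tags one event matches (empty for benign events)."""
    tags = set()
    kind = event.get("type")
    if kind == "powershell":
        if DEFENDER_EXCL_RE.search(event.get("script", "")):
            tags.add("defender_exclusion")
    elif kind == "registry":
        key = event.get("key", "")
        if event.get("op") == "write" and RUN_KEY_RE.search(key):
            tags.add("run_key_persistence")
            if INSTALL_FILE in event.get("data", "").lower():
                tags.add("xworm_install_file")
        elif event.get("op") == "read" and GEO_KEY_RE.search(key):
            tags.add("geo_check")
    elif kind in ("dns", "network"):
        host = event.get("host", "").lower()
        if host in C2_HOSTS:
            tags.add("xworm_c2")
            if event.get("port") == C2_PORT:
                tags.add("xworm_c2_port")
        if host in IP_LOOKUP_HOSTS:
            tags.add("external_ip_lookup")
    return tags


def detect(events):
    """Run classify over an event stream; return (index, sorted tags) for hits only."""
    hits = []
    for i, event in enumerate(events):
        tags = classify(event)
        if tags:
            hits.append((i, sorted(tags)))
    return hits


def verdict(events):
    """Collapse hits into a verdict: a C2 contact alone, or Defender tampering
    combined with Run-key persistence, is enough to call the host XWorm-like."""
    seen = set()
    for _, tags in detect(events):
        seen.update(tags)
    if "xworm_c2" in seen or {"defender_exclusion", "run_key_persistence"} <= seen:
        return "likely XWorm"
    return "no match"


# Constructed sample events (not captured from the sandbox run described above).
SAMPLE_EVENTS = [
    {"type": "powershell",
     "script": "Add-MpPreference -ExclusionPath 'C:\\Users\\Public' "
               "-ExclusionExtension 'exe' -ExclusionProcess 'microsoft_version_0124.exe'"},
    {"type": "registry", "op": "write",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "microsoft_version_0124", "data": r"C:\Users\Public\microsoft_version_0124.exe"},
    {"type": "registry", "op": "read",
     "key": r"HKCU\Control Panel\International\Geo", "value": "Nation"},
    {"type": "dns", "host": "newsferinfo.com"},
    {"type": "network", "host": "continentalgames.top", "port": 7000},
    {"type": "network", "host": "api.ipify.org", "port": 443},
    {"type": "powershell", "script": "Get-ChildItem C:\\Windows\\Temp"},
    {"type": "registry", "op": "write", "key": r"HKCU\Software\Vendor\App",
     "value": "LastRun", "data": "1"},
]

if __name__ == "__main__":
    for index, tags in detect(SAMPLE_EVENTS):
        print(index, SAMPLE_EVENTS[index]["type"], ", ".join(tags))
    print("verdict:", verdict(SAMPLE_EVENTS))
```

The verdict deliberately does not fire on the geofence check or the IP lookup alone, since legitimate software reads the locale and queries IP services too; those tags are context for an analyst, while C2 contact or Defender tampering plus Run-key persistence is what carries the decision.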