General
Target: sysguard.exe
Size: 168KB
Sample: 240503-vze72sef83
MD5: a904db251e60525303896de5ad932ef3
SHA1: f3554ba7d6996d442c01480120def4a864e455a5
SHA256: 2e618745869d07b1023b97fbcf04e63fb1bdf8903ce1460c93d11320d2b75158
SHA512: bd95e6a8f6152b8cace0b9356a5d25791b464f9b233271baa4202c3a2658f9fdabc07d4c014099df88f45e07dc3834336afcccfa68ae2a5f1a0834c9d5e0a578
SSDEEP: 3072:Pbd+ra3PmZ/b5Tz6LOlIjBz65/M6If+3Js+3JFkKeTnO:PAamZ/boZjxBt25
Behavioral task: behavioral1
Sample: sysguard.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: sysguard.exe
Resource: win10v2004-20240419-en
Malware Config
Extracted: xworm
teeeheee.zapto.org:25562
Install_directory: %AppData%
install_file: shh.exe
Targets
Target: sysguard.exe
Size: 168KB
Score: 10/10

Detect Xworm Payload

Command and Scripting Interpreter: PowerShell
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

Checks computer location settings
Looks up the country code configured in the registry, likely as a geofence check.

Drops startup file

Executes dropped EXE

Adds Run key to start application

Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP address.