General
Target: Wiz_Executor.exe
Size: 214KB
Sample: 240526-x3kytaha3x
MD5: 3796bc1f3419e1303eaf1849636fcada
SHA1: 6d2125ce2b8adf4339fc3303143e99baf1061e84
SHA256: 7ebd9a91b5cb8f85b9f06edb2b10bcc7a3e40c893c931c464d529bfe2944675b
SHA512: 64d906b61c027f910facf99a824f8977863e4d8a7642847c25f2bbf0dcc145cb7ccf8e293d618b9c784d2cf1f1e508952ab886077b146a0447329ec185204cf1
SSDEEP: 3072:TahKyd2n31q5GWp1icKAArDZz4N9GhbkrNEk16U63TSlmC46ST9KBKFIT:TahOyp0yN90QE1U63TSq6o++0
Static task: static1
Behavioral task: behavioral1
Sample: Wiz_Executor.exe
Resource: win10v2004-20240508-en
Malware Config
Extracted: xworm
- wiz.bounceme.net:6000
- install_file: USB.exe
Targets
Target: Wiz_Executor.exe
Size: 214KB
Score: 10/10
- Detect Xworm Payload
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application