General
-
Target
UltraHook.exe
-
Size
893KB
-
Sample
240531-2vj4rshc84
-
MD5
efa221122fddad38326e19b1fcd3f3e2
-
SHA1
53d92cbb4d48b7892c4671756f0e19cb27258a84
-
SHA256
cf21cb5e211d67c2fd4f9da05036d6654f412756dbce68c171932eba347e6a14
-
SHA512
af0ddc2da5437f6ed8cb74a312bf62adc749ae9092449969d81023f00bc5f34c4b526175189d7c2cc6666e6bf32c3f2049b52e4c4ea938ebe2a6916495f44b21
-
SSDEEP
24576:0VDTk3iXN0xaQ9ur9hYWVqCwMmIlBKvohMSHB0LA5:uomm79kY8336o6pM
Static task
static1
Malware Config
Extracted
xworm
-
Install_directory
%AppData%
-
install_file
svchost.exe
-
pastebin_url
https://pastebin.com/raw/Jt9Xgc6v
Targets
-
-
Target
UltraHook.exe
-
Size
893KB
-
MD5
efa221122fddad38326e19b1fcd3f3e2
-
SHA1
53d92cbb4d48b7892c4671756f0e19cb27258a84
-
SHA256
cf21cb5e211d67c2fd4f9da05036d6654f412756dbce68c171932eba347e6a14
-
SHA512
af0ddc2da5437f6ed8cb74a312bf62adc749ae9092449969d81023f00bc5f34c4b526175189d7c2cc6666e6bf32c3f2049b52e4c4ea938ebe2a6916495f44b21
-
SSDEEP
24576:0VDTk3iXN0xaQ9ur9hYWVqCwMmIlBKvohMSHB0LA5:uomm79kY8336o6pM
-
Detect Xworm Payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Drops desktop.ini file(s)
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-