General
- Target: nvidiaProfileInspector.exe
- Size: 1.8MB
- Sample: 240531-xykggsah85
- MD5: e0b1472b85920288a66e65b48b8884b0
- SHA1: 7a44c82977af3d1a5b4ede4075f85f2f072d6fe8
- SHA256: 73f01444d5cbdbcbc706e18997fa4fc6274a55b5d3b3649afbecfce29e34c1c9
- SHA512: e574685bd3dcb0ae12eeb77a10595cb5e45edf560e7072b67402d056a985d367f8941fd96a7f603279e04621e069d1a7551ee901016fd2f17f715abe060c7e0f
- SSDEEP: 49152:t4mYl9buIheTzaOQnKPfqoxOwatAlHyMZDOFUvy:KDl9buIheTzaOQnKPfqoxOwatiH3ZDn
Static task: static1
Behavioral task: behavioral1
- Sample: nvidiaProfileInspector.exe
- Resource: win11-20240508-en
Malware Config
Extracted: xworm 5.0
- C2: 127.0.0.1:7777
- C2: 45.145.41.147:7777
- 5N4ZirqATbPp1e8c
- Install_directory: %ProgramData%
- install_file: WinBackup.exe
Targets
- Target: nvidiaProfileInspector.exe
- Size: 1.8MB
- Hashes: same as listed under General above
Score: 10/10
- Detect Xworm Payload
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext