General
Target: c7ea303e79e80bb5671ede0eab7291b16e0175f73fdb217d030354c5065b64db.exe
Size: 434KB
Sample: 240621-by9wgsvdnb
MD5: d9c9bb67226f0cf7ec29fb0dc84b4d90
SHA1: b9bfe67a4df466960f8bcf7602f9765bab2068b4
SHA256: c7ea303e79e80bb5671ede0eab7291b16e0175f73fdb217d030354c5065b64db
SHA512: 6348a457dab60f2dc4cbc1cca36cf89e9f9b9e08da20879b7910329c49cb214532522385b2634e973eb27845896dee3782a79aa475818724ddec5ac4c0635df5
SSDEEP: 12288:ExREUttQ7xmH7INep10j6oCGHsMtf8GPuxvQirSgx:ETtta8bHLI6FGH9mGPYYirSgx
Tasks
Static task: static1
Behavioral task: behavioral1
  Sample: c7ea303e79e80bb5671ede0eab7291b16e0175f73fdb217d030354c5065b64db.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: c7ea303e79e80bb5671ede0eab7291b16e0175f73fdb217d030354c5065b64db.exe
  Resource: win10v2004-20240508-en
Malware Config
Extracted: xworm 3.1
omirbekov.duckdns.org:4048
Install_directory: %AppData%
install_file: USB.exe
Targets
Target: c7ea303e79e80bb5671ede0eab7291b16e0175f73fdb217d030354c5065b64db.exe
Size: 434KB
Score: 10/10
Signatures:
- Detect Xworm Payload
- Detects Windows executables referencing non-Windows User-Agents
- Detects executables packed with SmartAssembly
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext