General
-
Target
EFCR_TA_695480 - FCR+E-INVOICE SO 7057 - CARGO READY DATE 2024629.PDF.scr.exe
-
Size
548KB
-
Sample
240621-lr7gwsvdrg
-
MD5
41dc167b623d1e1d03a4eff1763774ad
-
SHA1
c3b4c41bd9069acaff2816ddc6a99988c9eefea8
-
SHA256
7770eddde9a0ecf43aaef22995fa8a52dfa074a4f27cf65e38479087bc7138ef
-
SHA512
4aa6f5d3991fd6e98f1df2317fcb9d4e66b43b820c023f83d721d57550ece27403f2612cf23804baeccd3a67f76ad46838c46fa2e3910d6c7f73f2b5de6d07f8
-
SSDEEP
12288:04L+hETMUnJEz70ABnr9vQ0nqSbBZF70hiolTm+k:3lEz70YWKB8Pl
Static task
static1
Behavioral task
behavioral1
Sample
EFCR_TA_695480 - FCR+E-INVOICE SO 7057 - CARGO READY DATE 2024629.PDF.scr.exe
Resource
win7-20240221-en
Malware Config
Extracted
xworm
104.250.180.178:5414
-
Install_directory
%AppData%
-
install_file
XClient.exe
Targets
-
-
Target
EFCR_TA_695480 - FCR+E-INVOICE SO 7057 - CARGO READY DATE 2024629.PDF.scr.exe
-
Size
548KB
-
MD5
41dc167b623d1e1d03a4eff1763774ad
-
SHA1
c3b4c41bd9069acaff2816ddc6a99988c9eefea8
-
SHA256
7770eddde9a0ecf43aaef22995fa8a52dfa074a4f27cf65e38479087bc7138ef
-
SHA512
4aa6f5d3991fd6e98f1df2317fcb9d4e66b43b820c023f83d721d57550ece27403f2612cf23804baeccd3a67f76ad46838c46fa2e3910d6c7f73f2b5de6d07f8
-
SSDEEP
12288:04L+hETMUnJEz70ABnr9vQ0nqSbBZF70hiolTm+k:3lEz70YWKB8Pl
-
Detect Xworm Payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Loads dropped DLL
-
Suspicious use of SetThreadContext
-