General

  • Target

    EFCR_TA_695480 - FCR+E-INVOICE SO 7057 - CARGO READY DATE 2024629.PDF.scr.exe

  • Size

    548KB

  • Sample

    240621-lr7gwsvdrg

  • MD5

    41dc167b623d1e1d03a4eff1763774ad

  • SHA1

    c3b4c41bd9069acaff2816ddc6a99988c9eefea8

  • SHA256

    7770eddde9a0ecf43aaef22995fa8a52dfa074a4f27cf65e38479087bc7138ef

  • SHA512

    4aa6f5d3991fd6e98f1df2317fcb9d4e66b43b820c023f83d721d57550ece27403f2612cf23804baeccd3a67f76ad46838c46fa2e3910d6c7f73f2b5de6d07f8

  • SSDEEP

    12288:04L+hETMUnJEz70ABnr9vQ0nqSbBZF70hiolTm+k:3lEz70YWKB8Pl

Malware Config

Extracted

Family

xworm

C2

104.250.180.178:5414

Attributes

  • Install_directory

    %AppData%

  • install_file

    XClient.exe

Targets

    • Target

      EFCR_TA_695480 - FCR+E-INVOICE SO 7057 - CARGO READY DATE 2024629.PDF.scr.exe

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks