General

Target: Op menu.exe
Size: 39KB
Sample: 240621-mjg3pswcra
MD5: 3289f3423a4d15e142fe765710bf8580
SHA1: 155fa5b3a1e083f9175d3d8c8b2441f06eaadc17
SHA256: a73192efa9195222589d66b2e229f4e5bfe6d0f5cbbc0f2a582cd74e1fcc8d78
SHA512: 3a09102eabaf035e78b34c9fac48362a4ca13c5b643ee799ede64eb4dbee8e918c2a51e298e9d5c03f8a45c1e692f5bf439307460107b9d8e06ffc80547b1987
SSDEEP: 768:n06VXEkRmv/OevQZ944KYrF0Kf9AFWP993z6dOMhdQs6MR:0uEkIXOhO00pFa93z6dOMHlhR
Behavioral tasks

behavioral1: Op menu.exe, resource win7-20240508-en
behavioral2: Op menu.exe, resource win10v2004-20240508-en
Malware Config

Extracted family/version: xworm 5.0
Unlabeled config value (shown without a field name in the report): znvHMOP3GC3AYtf0
Install_directory: %AppData%
install_file: Github Update.exe
pastebin_url: https://pastebin.com/raw/2N4dpuHG
Targets

Target: Op menu.exe (39KB; same MD5, SHA1, SHA256, SHA512 and SSDEEP as listed under General)
Score: 10/10
Signatures

Detect Xworm Payload
Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Checks computer location settings
  Looks up the country code configured in the registry, likely for geofencing.
Drops startup file (persistence)
Adds Run key to start application (persistence)
Legitimate hosting services abused for malware hosting/C2 (consistent with the pastebin_url in the extracted config)
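As an added example (not part of this sandbox report, and not the sample's own code), the script below turns the extracted config above into concrete host artefacts to hunt for and runs simple checks for the listed behaviours (PowerShell Defender exclusions, Run key, Startup-folder drop, pastebin lookup) over a handful of constructed Sysmon-style events. Everything beyond the config values is an assumption: the %AppData% expansion C:\Users\victim\AppData\Roaming, the standard per-user Startup folder, the Run value name "Github Update", and the exact Add-MpPreference command line, none of which the report states.

```python
"""Host IOCs from the XWorm config in the report above, plus behaviour checks over
constructed Sysmon-style events. Added example; not code from the sandbox or the sample."""
import ntpath
import re

# Values copied from the report's extracted config.
CONFIG = {
    "family": "xworm",
    "version": "5.0",
    "install_directory": "%AppData%",
    "install_file": "Github Update.exe",
    "pastebin_url": "https://pastebin.com/raw/2N4dpuHG",
}

# Assumption: a typical per-user profile path, used only to expand %AppData% for matching.
ASSUMED_ENV = {"AppData": r"C:\Users\victim\AppData\Roaming"}

# Assumption: the dropped startup file lands in the standard per-user Startup folder.
STARTUP_SUBDIR = r"Microsoft\Windows\Start Menu\Programs\Startup"


def expand_win_env(path, env):
    """Expand %VAR% tokens with the supplied env map, case-insensitively like Windows."""
    lower = {k.lower(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%", lambda m: lower.get(m.group(1).lower(), m.group(0)), path)


def config_to_iocs(cfg, env):
    """Derive the concrete host artefacts a hunt would look for from the extracted config."""
    install_dir = expand_win_env(cfg["install_directory"], env)
    return {
        "install_path": ntpath.join(install_dir, cfg["install_file"]),
        "startup_dir": ntpath.join(install_dir, STARTUP_SUBDIR),
        "pastebin_url": cfg["pastebin_url"],
        "pastebin_host": re.match(r"https?://([^/]+)/", cfg["pastebin_url"]).group(1),
    }


def _ci_contains(haystack, needle):
    return needle.lower() in haystack.lower()


def scan(events, iocs):
    """Return the sorted names of the behaviour rules that fire over a list of event dicts."""
    hits = set()
    run_key = re.compile(r"\\CurrentVersion\\Run\\", re.I)
    mp_excl = re.compile(r"Add-MpPreference\b.*-Exclusion(Path|Process|Extension)\b", re.I | re.S)
    for ev in events:
        kind = ev.get("event")
        if kind == "ProcessCreate":
            # Defender tampering: PowerShell adding exclusions (the report's PowerShell signature).
            if ev.get("image", "").lower().endswith("powershell.exe") and mp_excl.search(ev.get("cmdline", "")):
                hits.add("defender_exclusion")
        elif kind == "RegistryEvent":
            # Run key whose data points at the configured install path (value name is not matched).
            if run_key.search(ev.get("target", "")) and _ci_contains(ev.get("details", ""), iocs["install_path"]):
                hits.add("run_key_persistence")
        elif kind == "FileCreate":
            # Any file dropped into the user's Startup folder.
            if ev.get("target", "").lower().startswith(iocs["startup_dir"].lower() + "\\"):
                hits.add("startup_folder_drop")
        elif kind == "DnsQuery":
            # Lookup of the host serving the C2 address (pastebin.com in this config).
            if ev.get("query", "").lower() == iocs["pastebin_host"]:
                hits.add("pastebin_c2_lookup")
        elif kind == "NetworkConnect":
            if ev.get("url", "").lower().startswith(iocs["pastebin_url"].lower()):
                hits.add("pastebin_c2_fetch")
    return sorted(hits)


def verdict(hit_rules, threshold=3):
    """Crude scoring: Defender tampering plus persistence plus the C2 lookup is XWorm-like."""
    return "xworm-like" if len(hit_rules) >= threshold else "inconclusive"


# Constructed events in a Sysmon-like shape; not captured from the sample.
SAMPLE_EVENTS = [
    {"event": "ProcessCreate", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell -Command Add-MpPreference -ExclusionPath "C:\Users\victim\AppData\Roaming" -ExclusionProcess "Github Update.exe" -ExclusionExtension ".exe"'},
    {"event": "ProcessCreate", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell Get-MpPreference"},  # benign: reads settings, adds nothing
    {"event": "RegistryEvent", "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Github Update",
     "details": r'"C:\Users\victim\AppData\Roaming\Github Update.exe"'},
    {"event": "FileCreate",
     "target": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Github Update.lnk"},
    {"event": "DnsQuery", "query": "pastebin.com"},
]

if __name__ == "__main__":
    iocs = config_to_iocs(CONFIG, ASSUMED_ENV)
    hits = scan(SAMPLE_EVENTS, iocs)
    print(iocs, hits, verdict(hits))
```

The Run-key rule matches on the value data rather than the value name because the report does not give the name; the Startup rule matches any file under the folder for the same reason. Swap ASSUMED_ENV for the real profile path when running this against telemetry from a specific host.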