General
Target: Dropper (2).exe
Size: 41.9MB
Sample: 240622-fzcplatfmj
MD5: babd6786b56da7569147d78883143eab
SHA1: ed9a28e3e3f992b7d5839c5ea1588bfcdaab9667
SHA256: d96909b8ed210da6dbff1b6c72edfcb6136a6d67428594e0a9dac2a172f30228
SHA512: feb907fa8c721ab579398fc6183a5e77cd8302fcd46a1f0de822ea0fc3362c5e78419479007dafdb2563d957eab33d27b238cdb74de0d823bec28a5ef874e329
SSDEEP: 98304:bMc/TKslCQjGM+iG1+vuerpKE889ViYBO5GRt8M1D1Nq6pVwRJmUiyOfW:ocOsfje1+vuHET6YHRt8w1nwmUge
Static task: static1
Behavioral task: behavioral1 (sample: Dropper (2).exe, resource: win7-20240508-en)
Behavioral task: behavioral2 (sample: Dropper (2).exe, resource: win10v2004-20240226-en)
Malware Config
Extracted: xworm
C2: politics-fiber.gl.at.ply.gg:47430
Install_directory: %AppData%
install_file: $77-scchost.exe
Targets
Target: Dropper (2).exe (41.9MB; MD5, SHA1, SHA256, SHA512 and SSDEEP as listed under General)
Score: 10/10
Signatures:
- Detect Xworm Payload
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence check.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2 (the extracted C2 host is a *.ply.gg subdomain, i.e. a playit.gg tunnel)
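The block below is an added example, not part of this sandbox report and not XWorm code: a small Python triage helper that turns the extracted config and the behavioral signatures above into host-side matching logic and runs it over constructed, Sysmon-like telemetry for a fictional host. Assumed, because the report does not state them: the event schema, the fictional user paths, and that "Checks computer location settings" corresponds to a read of HKCU\Control Panel\International\Geo, where Windows keeps the user's GeoID/country code. One caveat worth knowing when hunting for the install_file: the `$77-` prefix is the naming convention the open-source r77 rootkit uses for files and processes it hides, so on a host where r77 is loaded the dropped file and its process may be invisible to userland enumeration (dir, Task Manager); match on recorded telemetry or an offline image instead.

```python
import hashlib
import re

# Indicators copied from the report's extracted config and hash list.
SAMPLE_SHA256 = "d96909b8ed210da6dbff1b6c72edfcb6136a6d67428594e0a9dac2a172f30228"
C2_HOST = "politics-fiber.gl.at.ply.gg"
C2_PORT = 47430
INSTALL_FILE = "$77-scchost.exe"

# Assumption (not stated in the report): the location-settings check is a read
# of HKCU\Control Panel\International\Geo, Windows' GeoID/country-code store.
GEO_KEY_RE = re.compile(r"\\Control Panel\\International\\Geo\b", re.IGNORECASE)
# HKCU/HKLM ...\CurrentVersion\Run and RunOnce autostart keys.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\b", re.IGNORECASE)
# The C2 is a playit.gg tunnel; any *.ply.gg name is the abused hosting service
# the report flags, not only this sample's hostname.
PLY_GG_RE = re.compile(r"(^|\.)ply\.gg$", re.IGNORECASE)


def classify(event):
    """Return the list of report indicators one event matches.

    Events are constructed, Sysmon-like dicts with a "type" and type-specific
    fields (key/value, path, query, host/port); the schema is assumed.
    """
    hits = []
    kind = event.get("type")
    if kind == "registry_set" and RUN_KEY_RE.search(event.get("key", "")):
        hits.append("Adds Run key to start application")
        if INSTALL_FILE.lower() in event.get("value", "").lower():
            hits.append("Run key launches XWorm install_file")
    elif kind == "registry_query" and GEO_KEY_RE.search(event.get("key", "")):
        hits.append("Checks computer location settings (likely geofence)")
    elif kind == "file_create":
        path = event.get("path", "").lower()
        # %AppData% normally expands to <profile>\AppData\Roaming.
        if path.endswith("\\" + INSTALL_FILE.lower()) and "\\appdata\\roaming\\" in path:
            hits.append("Drops XWorm install_file under %AppData%")
    elif kind == "dns_query":
        name = event.get("query", "").lower()
        if PLY_GG_RE.search(name):
            hits.append("Legitimate hosting services abused for malware hosting/C2 (playit.gg)")
        if name == C2_HOST:
            hits.append("Resolves XWorm C2 host")
    elif kind == "net_connect":
        if event.get("host", "").lower() == C2_HOST and event.get("port") == C2_PORT:
            hits.append("Connects to XWorm C2")
    return hits


def triage(events):
    """Map event index -> matched indicators, dropping events with no hit."""
    result = {}
    for i, ev in enumerate(events):
        hits = classify(ev)
        if hits:
            result[i] = hits
    return result


def is_report_sample(data):
    """True if `data` hashes to the report's SHA256 (verify a retrieved file)."""
    return hashlib.sha256(data).hexdigest() == SAMPLE_SHA256


# Constructed telemetry for a fictional host; not from the sandbox run.
SAMPLE_EVENTS = [
    {"type": "registry_query",
     "key": r"HKCU\Control Panel\International\Geo\Nation"},
    {"type": "file_create",
     "path": r"C:\Users\victim\AppData\Roaming\$77-scchost.exe"},
    {"type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "$77-scchost",
     "value": r"C:\Users\victim\AppData\Roaming\$77-scchost.exe"},
    {"type": "dns_query", "query": "politics-fiber.gl.at.ply.gg"},
    {"type": "net_connect", "host": "politics-fiber.gl.at.ply.gg", "port": 47430},
    {"type": "dns_query", "query": "www.microsoft.com"},  # benign, no hit
]

if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["type"], "->", "; ".join(hits))
```

The Run-key and *.ply.gg patterns are deliberately broader than this one sample, since the same XWorm builder will produce a different tunnel hostname and install_file name per campaign; the exact C2 host, port and file name remain as high-confidence matches layered on top.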
MITRE ATT&CK Enterprise v15
Persistence
- T1547 Boot or Logon Autostart Execution (1)
  - T1547.001 Registry Run Keys / Startup Folder (1)
- T1053 Scheduled Task/Job (1)
  - T1053.005 Scheduled Task (1)