General
Target: multi tool.exe
Size: 123KB
Sample: 241017-fxt6vsxbkr
MD5: ef2bef29ae78302516d7ae83449a77cf
SHA1: 6c7e8cc89c4d65bd3682e09de11456bd215f042b
SHA256: 3d6e7e00580e1b17849dcd6c80cbe10b09b2e677deda5016c3baba36517dd462
SHA512: f036b16b17e90d8bcc7ea45d443d7d7fdc3b26c095f268f6d97cce31404d0e527a3e014e5650fabf3c30e3ebf0096390e547b16304abb5b4a2c015c9fb5b6694
SSDEEP: 3072:LutfyBqcmMDSY3K/hzwKLKJPOaHGmQOR29wxTafk2i:LS+DV3K55LKZOaGq2uxWfk
Static task
static1

Malware Config
Extracted
xworm
80.76.49.114:11576
Install_directory: %AppData%
install_file: Windows Start .exe

Extracted
xworm
5.0
keep-motors.gl.at.ply.gg:2646
WuQcPA9xKpBCvpzg
install_file: USB.exe
Targets
Target: multi tool.exe
- Detect Xworm Payload
- Disables RegEdit via registry modification
- Disables Task Manager via registry modification
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Modifies file permissions
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.