General
Target: WizClient.exe
Size: 74KB
Sample: 241031-drxzfsyepj
MD5: 69cad671f60367927329bbd20f91bed7
SHA1: 9aa6c82982591ebc0c64cc94d2efaac7378bde86
SHA256: dc94e48f4fd4cdf8049e6ac2ea9b65df93936015c50e26d0c8d6b2217e7d539b
SHA512: bb4a49b2eada56d9d9c0fd7b7464447460e7bb84c6416f632295197562e65a456d33099799d3083684c45150ad362d036ee0eb843745272d5accab5ff9a525f4
SSDEEP: 1536:ObGA+5D6BRZ2Ka+QRPPN7cmKuZbN5NTEkIG6QOj89RnXqDnnl:ObGpsBRZ4d9bZbN3EAOA9RnXqLl
Behavioral tasks
behavioral1: Sample WizClient.exe, Resource win7-20240903-en
behavioral2: Sample WizClient.exe, Resource win10v2004-20241007-en
Malware Config
Extracted family: xworm
C2: 141.98.252.138.224:5552
Install_directory: %AppData%
install_file: USB.exe
Targets
Target: WizClient.exe
Score: 10/10
Signatures:
- Detect Xworm Payload
- Xworm family
- Command and Scripting Interpreter: PowerShell. Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings. Looks up the country code configured in the registry, likely a geofence check.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)