General
-
Target
EQ_AW24 New Order Request.xlx.exe
-
Size
656KB
-
Sample
241105-rfhbhsvmgm
-
MD5
ca2ed1b927f4bee1cd1f24bb19f4c0e1
-
SHA1
d1b7dc1cc0412301c61660d0d5cb02d20a6aa77d
-
SHA256
030324e0a31427fd63213acd29f3cdf5b445a6ec03eb803fb08dbf3a0c1b258b
-
SHA512
153939e1eeaeb2e3d4fc9f487ce039fde403a18ea94466c55c53ce5e00aefa59ae3324c03687c1794c7d321da9b2dced1bca2a658d5da54e0acb76dfff4d3da7
-
SSDEEP
12288:cT02YrvZq2mPKxG3sfYFwJH9ZzkwGQWOsKWLCp6X9uruAK5Gi:cTbYdqfKxG3swyVk7QWOhW+p6NBAWGi
Static task
static1
Behavioral task
behavioral1
Sample
EQ_AW24 New Order Request.xlx.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
EQ_AW24 New Order Request.xlx.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20241007-en
Malware Config
Extracted
xworm
5.0
176.9.162.125:4060
znPInVDrQ2IiwTWB
-
Install_directory
%AppData%
-
install_file
XClient.exe
Targets
-
-
Target
EQ_AW24 New Order Request.xlx.exe
-
Size
656KB
-
MD5
ca2ed1b927f4bee1cd1f24bb19f4c0e1
-
SHA1
d1b7dc1cc0412301c61660d0d5cb02d20a6aa77d
-
SHA256
030324e0a31427fd63213acd29f3cdf5b445a6ec03eb803fb08dbf3a0c1b258b
-
SHA512
153939e1eeaeb2e3d4fc9f487ce039fde403a18ea94466c55c53ce5e00aefa59ae3324c03687c1794c7d321da9b2dced1bca2a658d5da54e0acb76dfff4d3da7
-
SSDEEP
12288:cT02YrvZq2mPKxG3sfYFwJH9ZzkwGQWOsKWLCp6X9uruAK5Gi:cTbYdqfKxG3swyVk7QWOhW+p6NBAWGi
-
Detect Xworm Payload
-
StormKitty payload
-
Stormkitty family
-
Xworm family
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Loads dropped DLL
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
$PLUGINSDIR/System.dll
-
Size
12KB
-
MD5
564bb0373067e1785cba7e4c24aab4bf
-
SHA1
7c9416a01d821b10b2eef97b80899d24014d6fc1
-
SHA256
7a9ddee34562cd3703f1502b5c70e99cd5bba15de2b6845a3555033d7f6cb2a5
-
SHA512
22c61a323cb9293d7ec5c7e7e60674d0e2f7b29d55be25eb3c128ea2cd7440a1400cee17c43896b996278007c0d247f331a9b8964e3a40a0eb1404a9596c4472
-
SSDEEP
192:nenY0qWTlt70IAj/lQ0sEWc/wtYbBH2aDybC7y+XBDIwL:n8+Qlt70Fj/lQRY/9VjjfL
Score3/10 -
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1