General
Target: LYM products new order PO 20250200099 LHG on.pif.exe
Size: 6KB
Sample: 250323-21p7zayyfw
MD5: 087bad0a8e51d9b9c207ce0ab1078fbd
SHA1: 1d7faf39196449e3149c15ce6282f3c3d52da8f7
SHA256: abd033ee116082febb4bb391ee36cde8af7b67643a41750bb79ea66bc327ee78
SHA512: 1df49fdbb7d17c16e30575fa322d2d039fb2ed9624e8ebc7ffc712be16e513f4c9bbb8bd70da8bca20e16e3fc2fbeebf30c21bf293bc1b7ab254e01c221e3e75
SSDEEP: 96:cFGNMBB2qTdc/4wnas4hyj3tnjqC9XbYtNgV1kPzNt:FqBB2qTdc/bQhy39j5MG6
Static task: static1
Behavioral task: behavioral1
Sample: LYM products new order PO 20250200099 LHG on.pif.exe
Resource: win7-20240903-en
Malware Config
Extracted
Family: xworm
Version: 5.0
C2:
- bin12.ydns.eu:4050
- bin14.ydns.eu:4050
- kingsbkup1.ydns.eu:4050
- smfcs1.ydns.eu:4050
- smfcs3.ydns.eu:4050
8e2oXK285cheLv6o
install_file: USB.exe
Targets
Target: LYM products new order PO 20250200099 LHG on.pif.exe
Size: 6KB
Signatures
- Detect Xworm Payload
- StormKitty payload
- Stormkitty family
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Xworm family
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence check.
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)