General

Target: NameTag_Mod.dll
Size: 65KB
Sample: 230804-drdktahb84
MD5: 6a8bb5dc6693d1cc59b1354346e14c32
SHA1: 353fb6d921da3787dbce66580a569400c00f8d08
SHA256: e38e93ce4d34f2f83b0a07f5ebc7e14e15aad707da51237089c47b68fc5894d1
SHA512: 5280cd48079697ee476e55f0a008e5623d50de055b70fb25faf108b9b580fe22dbccb0edb89d5cf52fb540fb2f2b8239b5fcba9c6a3c10c21fabd400842b3809
SSDEEP: 1536:jF07uGyNJ9yYvqUGUsg1PDYHYRad1zXlD:xuuTNJCMDON1zVD
Static task: static1
Behavioral task: behavioral1
  Sample: NameTag_Mod.dll
  Resource: win7-20230712-en
Malware Config

Extracted: xworm
C2: 127.0.0.1:7000
Unlabelled config value (shown by the report without a field name): QzAhoVCMVTYlhtN9
install_file: USB.exe

Note that the extracted C2 is the loopback address, so the sample as captured would not beacon to any external host; treat the port and the install file name, not the address, as the usable indicators.
Targets

Target: NameTag_Mod.dll
Size: 65KB
MD5, SHA1, SHA256, SHA512 and SSDEEP: identical to the values listed under General above.
Signatures:
- Disables RegEdit via registry modification
- Downloads MZ/PE file
- Modifies Windows Firewall
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator: detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
- Uses the VBS compiler for execution
- Legitimate hosting services abused for malware hosting/C2
- Sets desktop wallpaper using registry
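The signatures above describe host artifacts that can be checked directly on a machine suspected of running this sample. The following PowerShell script is an added example written for this page; it is not output of the sandbox or part of the report. The quarantine path is an assumption, the hashes are copied from the report, and USB.exe is the install_file from the extracted config. It hashes a candidate file against the report's IOCs, then looks for the RegEdit lockout, the wallpaper value, non-standard inbound firewall allow rules, and scheduled tasks or services that run USB.exe.

```powershell
# Added host-triage helper for the behaviours listed in this report. Not part of the
# report or the sandbox output; the sample path below is an assumption.
param(
    [string]$SamplePath = "C:\Quarantine\NameTag_Mod.dll"   # assumed location
)

# Hashes copied from the report above
$Ioc = @{
    MD5    = "6a8bb5dc6693d1cc59b1354346e14c32"
    SHA1   = "353fb6d921da3787dbce66580a569400c00f8d08"
    SHA256 = "e38e93ce4d34f2f83b0a07f5ebc7e14e15aad707da51237089c47b68fc5894d1"
}

$findings = @()

# 1. Hash match against the report's IOCs (Get-FileHash returns upper-case hex)
if (Test-Path -LiteralPath $SamplePath) {
    foreach ($alg in $Ioc.Keys) {
        $h = (Get-FileHash -LiteralPath $SamplePath -Algorithm $alg).Hash.ToLower()
        if ($h -eq $Ioc[$alg]) { $findings += "$alg of $SamplePath matches report IOC" }
    }
}

# 2. "Disables RegEdit via registry modification": DisableRegistryTools = 1 under the
#    per-user or machine policy key blocks regedit.exe
foreach ($hive in "HKCU:", "HKLM:") {
    $key = "$hive\Software\Microsoft\Windows\CurrentVersion\Policies\System"
    $v = (Get-ItemProperty -Path $key -Name DisableRegistryTools -ErrorAction SilentlyContinue).DisableRegistryTools
    if ($v -eq 1) { $findings += "DisableRegistryTools=1 in $key" }
}

# 3. "Sets desktop wallpaper using registry": report the current wallpaper path so it
#    can be compared with what the user expects
$wp = (Get-ItemProperty -Path "HKCU:\Control Panel\Desktop" -Name Wallpaper -ErrorAction SilentlyContinue).Wallpaper
if ($wp) { $findings += "Current wallpaper: $wp" }

# 4. "Modifies Windows Firewall": enabled inbound allow rules whose program lives
#    outside Program Files / Windows (a dropped USB.exe would normally sit elsewhere)
Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow -ErrorAction SilentlyContinue |
    ForEach-Object {
        $prog = ($_ | Get-NetFirewallApplicationFilter).Program
        if ($prog -and $prog -ne "Any" -and
            $prog -notmatch '^(%ProgramFiles%|C:\\Program Files|%SystemRoot%|C:\\Windows)') {
            $findings += "Inbound allow rule '$($_.DisplayName)' for $prog"
        }
    }

# 5. Persistence via scheduled tasks (T1053) and services (T1543.003) that run the
#    install_file USB.exe from the extracted config
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    foreach ($a in $_.Actions) {
        if ("$($a.Execute) $($a.Arguments)" -match 'USB\.exe') {
            $findings += "Scheduled task '$($_.TaskName)' runs $($a.Execute) $($a.Arguments)"
        }
    }
}
Get-CimInstance Win32_Service | Where-Object { $_.PathName -match 'USB\.exe' } | ForEach-Object {
    $findings += "Service '$($_.Name)' runs $($_.PathName)"
}

if ($findings) {
    $findings | ForEach-Object { Write-Output "[!] $_" }
} else {
    Write-Output "No indicators from this report found."
}
```

Run it from an elevated prompt so the HKLM policy key, firewall rules and service list are readable. Get-NetFirewallRule needs the NetSecurity module (Windows 8 / Server 2012 or later); on a Windows 7 image like the one used for the behavioral task, substitute `netsh advfirewall firewall show rule name=all` and inspect the Program lines by hand.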
MITRE ATT&CK Enterprise v15 (the number after each technique is the count of matching signatures)

Persistence
  Create or Modify System Process: Windows Service (1)
  Scheduled Task/Job (1)

Privilege Escalation
  Abuse Elevation Control Mechanism: Bypass User Account Control (1)
  Create or Modify System Process: Windows Service (1)
  Scheduled Task/Job (1)