General
- Target: sus_protected.exe
- Size: 105KB
- Sample: 240315-bveaeafc32
- MD5: 2bdf24dce352606a0f2242f8270bd824
- SHA1: 15a49cf15a7145452d4f5a5f4ac473e80fe13af8
- SHA256: f730bbdf76ecc7e6a3cbc22516b2f66e6ce1bc0ff79f86fb651a9caa9020dba2
- SHA512: 2d4ebaa1259204d7ff8ace8d28173b7df2b81bce81fb9d10d2d911488042499c6549c9895f7ff37c51bbd19b465b719a768706b570d1127d1c1e76a04508c348
- SSDEEP: 3072:A89pI4WuF+2BCyRf2aQw9X/z4bXCTrdft6ozGiXobQzB:AUWXafcw9/z4bi
Static task
- static1
Behavioral tasks
- behavioral1: Sample sus_protected.exe, Resource win7-20240221-en
- behavioral2: Sample sus_protected.exe, Resource win10-20240221-en
- behavioral3: Sample sus_protected.exe, Resource win10v2004-20240226-en
- behavioral4: Sample sus_protected.exe, Resource win11-20240221-en
Malware Config
- Extracted: xworm
- hai1723rat-60039.portmap.io:60039
Targets
- Target: sus_protected.exe
- Size: 105KB
- Contains code to disable Windows Defender: A .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring, blocking at first seen, etc.
- Detect Xworm Payload
- StormKitty payload
- Checks computer location settings: Looks up the country code configured in the registry, likely a geofence.
- Adds Run key to start application
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of SetThreadContext