General
Target: Warrior.exe
Size: 3.0MB
Sample: 240428-2nk3gsba52
MD5: 77af0ed58685722c2f9596fed1e5bd84
SHA1: 0a09622ffbc63932f11af84934d256d5e790ffeb
SHA256: 0545c17e579fc2df5185855e51425ec4d32da26075c02a0cf1af0221aa9b9a18
SHA512: e557de1d3a4115276520ed5775c7a6fb5688cf40021b62ed5243c03783d1ad09722190f0234006c16cb9978982541c4eabd6ffefbfc1d063d341d4cf620ff140
SSDEEP: 3072:XVbxrc9pqjTrUWHdkxq+G3DmWuQk/moeRiR85MpMj:FbVQgzHkAyWunbje
Static task: static1

Malware Config
Extracted family: xworm
C2: accommodation-confidentiality.gl.at.ply.gg:19058
Install_directory: %AppData%
install_file: svhost.exe
Targets
Target: Warrior.exe
Size: 3.0MB
MD5: 77af0ed58685722c2f9596fed1e5bd84
SHA1: 0a09622ffbc63932f11af84934d256d5e790ffeb
SHA256: 0545c17e579fc2df5185855e51425ec4d32da26075c02a0cf1af0221aa9b9a18
SHA512: e557de1d3a4115276520ed5775c7a6fb5688cf40021b62ed5243c03783d1ad09722190f0234006c16cb9978982541c4eabd6ffefbfc1d063d341d4cf620ff140
SSDEEP: 3072:XVbxrc9pqjTrUWHdkxq+G3DmWuQk/moeRiR85MpMj:FbVQgzHkAyWunbje
Signatures
- Detect Umbral payload
- Detect Xworm Payload
- Drops file in Drivers directory
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)