Analysis tabs (score shown per tab, 10 = highest):
Overview: 10
Static: 10
fr2nnk.exe on windows10-1703-x64: 10
fr2nnk.exe on windows7-x64: 10
fr2nnk.exe on windows10-2004-x64: 10
fr2nnk.exe on windows11-21h2-x64: 10
grab.exe on windows10-1703-x64: 10
grab.exe on windows7-x64: 7
grab.exe on windows10-2004-x64: 8
grab.exe on windows11-21h2-x64: 8
m2zen.exe on windows10-1703-x64: 7
m2zen.exe on windows7-x64: 7
m2zen.exe on windows10-2004-x64: 7
m2zen.exe on windows11-21h2-x64: 7
winhlp32.exe on windows10-1703-x64: 10
winhlp32.exe on windows7-x64: 10
winhlp32.exe on windows10-2004-x64: 10
winhlp32.exe on windows11-21h2-x64: 10

General
Target: Desktop.rar
Size: 7.7MB
Sample: 240511-lwjxdsed84
MD5: 9cc6e589dbec3c5a5c23d5899737167d
SHA1: 1006e9353adfc58748d50affd780a6d158b97264
SHA256: 1cf4d4852822a36a9c57c64e0a4a7c14c27751b448910f841e0733f586239814
SHA512: 3181b2306583d01bb6e7b6d43f9bd22817d10162a0a9d6d6e99f0a1d6b30af82db3027f4e21075e18d51b1425d27693f3ee99e00ccba349341f47b60600986c3
SSDEEP: 196608:0N8YGgYSzLbi79iF7vzUCADNX+03hVWcVRzZ8ri:9HgYSO67LeNXZLPjt8ri
Behavioral tasks (task: sample, resource):
behavioral1: fr2nnk.exe, win10-20240404-en
behavioral2: fr2nnk.exe, win7-20240221-en
behavioral3: fr2nnk.exe, win10v2004-20240226-en
behavioral4: fr2nnk.exe, win11-20240426-en
behavioral5: grab.exe, win10-20240404-en
behavioral6: grab.exe, win7-20240221-en
behavioral7: grab.exe, win10v2004-20240426-en
behavioral8: grab.exe, win11-20240508-en
behavioral9: m2zen.exe, win10-20240404-en
behavioral10: m2zen.exe, win7-20231129-en
behavioral11: m2zen.exe, win10v2004-20240508-en
behavioral12: m2zen.exe, win11-20240508-en
behavioral13: winhlp32.exe, win10-20240404-en
behavioral14: winhlp32.exe, win7-20240419-en
behavioral15: winhlp32.exe, win10v2004-20240508-en
behavioral16: winhlp32.exe, win11-20240419-en
Malware Config
Extracted family: xworm
Version: 3.0
C2: else-movers.gl.at.ply.gg:28764
C2: 147.185.221.18:41012
iXKagAiYnmlygFVn
Install_directory: %LocalAppData%
install_file: USB.exe
Targets

Target: fr2nnk.ex
Size: 32KB
MD5: 8d8bb72d313438d850c0fd079314e867
SHA1: 7c3adc8b21b1404e506af0ba332a84f50f502038
SHA256: 17ed10cc2d0e8a27b3823d7fdbe56a8a126e6b89f104e217d6d569fdfd88a679
SHA512: ed08efba52b9dcbf132e02a174e3526bd343145801367570d8bceac1a156582d553019a6e0df25afbacf620fc0d9c7543f0b52696fefb658a6060cc6ceddac49
SSDEEP: 768:P1Xm1TliVBx7XDH4tyIJ8phhFyr9UBOjhe2Qx8:P1XmplgXHEJoFY9UBOjTQx8
Score: 10/10
Signatures:
- Detect Xworm Payload
- Drops startup file
- Adds Run key to start application
Target: grab.ex
Size: 7.5MB
MD5: 553d236d2a6a0a4ca78641f9a932ecaa
SHA1: 3b0354f24b67f16efd93afcb95540886ef091490
SHA256: 5ec487769f184e246bef6dc014df3eed2193d22c7887b0adedc4bb69299f8cf4
SHA512: e575738994a46704f14d44b9e38b3f9b67f2d507eb7fce7ada95b6dfe5697b783137de20dc88004f5fae964ffbcd47880447d6b07c2024353c7f926054333bc6
SSDEEP: 196608:FyQsJbT/9bvLz3S1bA32O5iJdYW0+S5/Ukgdv:uJbTlj3S1bO2g8c+Si5
Signatures:
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Executes dropped EXE
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
Target: m2zen
Size: 210KB
MD5: 3ae919d27d1e034cdcd8825e6f439397
SHA1: e35e951c0e892e3213088766c80050f5ce4c88b2
SHA256: f227037997a514d0b16dfc8e02dfc522ba409768f3c2c5faba127762851a77ca
SHA512: f5a1969770c79f8c5abb313e11c445e5d135b8667a75aa407ccbbff69d02a22c9ac47db0d3e4f7238f4ba3fe1c0d57290904464802e4ee571c594e6075bb2921
SSDEEP: 6144:2vyF8JOSSS/jEuVKmRo8J7RoxkAugtddd/uU2Nkyb5ZgFgvcjXCb:2w8J9LvWddmUaZzvcjW
Score: 7/10
Signatures:
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
Target: winhlp32.ex
Size: 205KB
MD5: a83dc22ef14c6b5d96aaee00b10a4973
SHA1: ef84a5e12797487e7a4c1acaa9f783eda6cc77d5
SHA256: 143e319ba8ca646021e2c90acc56ebb035612146b5c8c128214da52b1386e68d
SHA512: 0662b2fb69f781f53333c71c3f6abbb581165457662c1f6667568b07828ee4b7b056caaff7dd1c1b857bc4bcf12743eae3489de2be426035498a82bd0caaeccc
SSDEEP: 6144:y2q1XI3ttUUcmIN1EAr4SeBid/eedR19:lq143cUcB1pzP1Xd
Score: 10/10
Signatures:
- Detect Xworm Payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Deletes itself
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext