General
Target: finished.exe
Size: 11.4MB
Sample: 240523-v739vaag4s
MD5: e26d5747c9b0a6f9c45e8b720b356cd0
SHA1: 4978f157cf943ad47ce63a4028a5c0419cd61fae
SHA256: 6ced8dbb0a2a2839e41d540c041d0146cb66327174aaa19cbd4eebfb8b306a0b
SHA512: b41d3528f8bba081864b1290c02252e68108bc3dc195921dd0e89fe2d1d700c11e056562cac8f1c4ccddf1db33a49f8e804ec9278b6555a8417003a3eb875a49
SSDEEP: 196608:WojZ9Dxm6UDwH/IxTWxQBxv5gK8NmjeR+SHcW2qfhiX79/+PODgXaWggH/:Work6UDwgYx8V53Rc+SHcW2wiZKXx
Static task: static1
Malware Config
Extracted family: xworm
C2: engine-romania.gl.at.ply.gg:37581
Install_directory: %AppData%
install_file: discord.exe
Targets
Target: finished.exe
Size: 11.4MB
Signatures
Detect Xworm Payload
Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Creates new service(s)
Drops file in Drivers directory
Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
Checks computer location settings
  Looks up the country code configured in the registry, likely for geofencing.
Drops startup file
Executes dropped EXE
Loads dropped DLL
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
Drops file in System32 directory
Suspicious use of SetThreadContext
MITRE ATT&CK Matrix (ATT&CK v13)
Execution
  Command and Scripting Interpreter (1): PowerShell (1)
  System Services (2): Service Execution (2)
  Scheduled Task/Job (1)
Persistence
  Create or Modify System Process (2): Windows Service (2)
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
Privilege Escalation
  Create or Modify System Process (2): Windows Service (2)
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)