General
- Target: Electron V3.exe
- Size: 7.1MB
- Sample: 240524-nda8mseh2z
- MD5: fe184c85f884ef9a8f5bc56af80073b3
- SHA1: 3db462e1f2ed4d9c2bf95dad3aa1c32b395a679b
- SHA256: b15e79c502e39a0502c37f4e087ba614b096b0ecd9c39aeebba9415941350eac
- SHA512: c4096ae3f65a215c756972688144fed9bc3ed4ca7155558ba31303df72908df524de982a2d6650e555c527589c40d251073140341526c30bfc57bc628b625684
- SSDEEP: 196608:Z2B5I6msTfYsxOLDzUQzz02E7FGpgzmEWSyRy/16aGbl:8W6tDYicDzLz02AzqCm2al
Static task: static1
Malware Config
Extracted: xworm
- courses-disney.gl.at.ply.gg:21335
- 127.0.0.1:21335
- Install_directory: %AppData%
- install_file: svchost.exe
- telegram: https://api.telegram.org/bot7006468177:AAEjUyc53owWdXWMasYo_ZE1Y7t2sH1O718/sendMessage?chat_id=809478226
Targets
- Target: Electron V3.exe
- Detect Xworm Payload
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)