General
Target: SchoolGcChatRoom(MadeByLogan).exe
Size: 719KB
Sample: 240527-pmn2jadb44
MD5: ebc3d261ef9af94302fa7007e95a8b8d
SHA1: dc91c2baa462716540aa35c1509e1be0028b52f2
SHA256: c67516b52e22d90c2f7eaf23c1ec7dfe69c21e6de1496fb2eda6d9b424bbfa2d
SHA512: 44313719cff1c6c8229ea6e510dce7151664de4d9c6eeeaa2d0b4bf551314c6000c88a74889ed770294a4c8e4f4526c88ded4d85438527b28fa5eaa09279a3d7
SSDEEP: 12288:pyTgg8qjISyNN6OUuTaK2u5t55CZ8HGCExPWhcBW22qYrcUMrwfjr2lE6iy:p4B1qNXUuTaqAgHuWuB32qYoU+wfjrN6
Static task: static1
Behavioral task: behavioral1 (Sample: SchoolGcChatRoom(MadeByLogan).exe; Resource: win7-20240508-en)
Behavioral task: behavioral2 (Sample: SchoolGcChatRoom(MadeByLogan).exe; Resource: win10v2004-20240226-en)
Malware Config
Extracted family: xworm
C2: auto-london.gl.at.ply.gg:51655
Install_directory: %Public%
install_file: USB.exe
Targets
Target: SchoolGcChatRoom(MadeByLogan).exe
Size: 719KB
MD5, SHA1, SHA256, SHA512, SSDEEP: identical to the values listed under General
Score: 10/10
Signatures
Detect Xworm Payload
Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
Drops startup file
Executes dropped EXE
Adds Run key to start application
Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
MITRE ATT&CK Enterprise v15 (count of matching signatures per technique)
Persistence
  Boot or Logon Autostart Execution (T1547): Registry Run Keys / Startup Folder (T1547.001): 1
  Scheduled Task/Job (T1053): 1
Privilege Escalation
  Boot or Logon Autostart Execution (T1547): Registry Run Keys / Startup Folder (T1547.001): 1
  Scheduled Task/Job (T1053): 1
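Detection logic for the indicators in this report, as an added example that is not part of the sandbox output: it matches constructed Sysmon-style events against the extracted config (C2 host and port, install path %Public%\USB.exe), the sample's SHA256, and the Run key and scheduled task persistence that the signatures and ATT&CK mapping describe. The event records, their field names, the schtasks command line and the expansion of %Public% to C:\Users\Public are assumptions made here for illustration; the report does not show raw telemetry.

```python
"""Match the XWorm indicators from the report above against constructed
Sysmon-style telemetry. Added example; the event shapes, field names and the
schtasks command line are assumptions for illustration, not report data."""
import re

# Indicators taken from the report (extracted config and file hash).
C2_HOST = "auto-london.gl.at.ply.gg"
C2_PORT = 51655
INSTALL_DIR = "%Public%"
INSTALL_FILE = "USB.exe"
SAMPLE_SHA256 = "c67516b52e22d90c2f7eaf23c1ec7dfe69c21e6de1496fb2eda6d9b424bbfa2d"

# ATT&CK Enterprise technique IDs for the persistence behaviours in the report.
ATTACK = {
    "run_key_persistence": "T1547.001",     # Registry Run Keys / Startup Folder
    "scheduled_task_persistence": "T1053",  # Scheduled Task/Job
}

# Matches HKCU/HKLM ...\CurrentVersion\Run\<value> targets regardless of case.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)


def expand_public(path: str) -> str:
    """Expand the %Public% token used in the config. C:\\Users\\Public is the
    default on Windows (assumption: default install, no relocated profiles)."""
    return path.replace("%Public%", r"C:\Users\Public")


# Lower-cased full install path; NTFS paths are case-insensitive, so compare that way.
INSTALL_PATH = expand_public(INSTALL_DIR + "\\" + INSTALL_FILE).lower()


def match_event(ev: dict) -> list:
    """Return the names of every indicator a single event matches."""
    hits = []
    kind = ev.get("type", "")
    if ev.get("sha256", "").lower() == SAMPLE_SHA256:
        hits.append("known_sample_hash")
    if kind == "FileCreate" and ev.get("target", "").lower() == INSTALL_PATH:
        hits.append("drop_to_public")
    if (kind == "RegistryValueSet" and RUN_KEY_RE.search(ev.get("target", ""))
            and INSTALL_PATH in ev.get("details", "").lower()):
        hits.append("run_key_persistence")
    if (kind == "ProcessCreate"
            and ev.get("image", "").lower().endswith("\\schtasks.exe")
            and INSTALL_PATH in ev.get("cmdline", "").lower()):
        hits.append("scheduled_task_persistence")
    if kind == "DnsQuery" and ev.get("query", "").lower() == C2_HOST:
        hits.append("c2_dns")
    if (kind == "NetworkConnect" and ev.get("dest_host", "").lower() == C2_HOST
            and ev.get("dest_port") == C2_PORT):
        hits.append("c2_connect")
    return hits


def scan(events: list) -> dict:
    """Map each indicator name to the indices of the events that matched it."""
    findings = {}
    for idx, ev in enumerate(events):
        for name in match_event(ev):
            findings.setdefault(name, []).append(idx)
    return findings


# Constructed events shaped like Sysmon IDs 1, 11, 13, 22 and 3; not real telemetry.
DROPPER = r"C:\Users\alice\Downloads\SchoolGcChatRoom(MadeByLogan).exe"
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "image": DROPPER, "sha256": SAMPLE_SHA256},
    {"type": "FileCreate", "image": DROPPER, "target": r"C:\Users\Public\USB.exe"},
    {"type": "RegistryValueSet",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\USB",
     "details": r"C:\Users\Public\USB.exe"},
    {"type": "ProcessCreate", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /f /sc minute /mo 1 /tn "USB" /tr "C:\Users\Public\USB.exe"'},
    {"type": "DnsQuery", "image": r"C:\Users\Public\USB.exe", "query": C2_HOST},
    {"type": "NetworkConnect", "image": r"C:\Users\Public\USB.exe",
     "dest_host": C2_HOST, "dest_port": C2_PORT},
    {"type": "ProcessCreate", "image": r"C:\Windows\System32\notepad.exe",
     "sha256": "00" * 32},  # benign control event
]

if __name__ == "__main__":
    for name, idxs in scan(SAMPLE_EVENTS).items():
        print(f"{name:28s} {ATTACK.get(name, '-'):10s} events {idxs}")
```

Two caveats when turning this into a production rule. The C2 hostname sits under ply.gg, the domain used by the playit.gg tunnelling service, so the address it resolves to belongs to the tunnel provider's edge rather than the operator and can be shared with unrelated tunnels; match on hostname and port, not on a resolved IP. %Public% expands to C:\Users\Public, a directory every local user can write to and one that is easy to overlook in allow-lists, which is why the example expands the token explicitly instead of matching the literal string from the config.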