General
Target: MLClauncher.exe
Size: 66KB
Sample: 240529-v2kwbaca5y
MD5: 23e7e5af720dfc90b86294a8a7800c76
SHA1: e674bd73e3c9a496c9b5422f43874fcfc9f5510c
SHA256: 1810fc024d4da8c805bdf76c8152ec68615c33676c4bee025d889de89af3724f
SHA512: 0bb3731bfd6601b9b903ce93aa3fc493d063d5ddb20b7e2277808205bcde96f5cc7dafc94caf59ec5e7d0b8a44aa6b739cc6f326d29aaa03c3b85c090cab3681
SSDEEP: 1536:rttwy1I4PKiFM8tBb1L1JmX2npd6KnXOUVBCIu9BE:BBRPXb1L22pDXOUPCpBE
Behavioral task: behavioral1
Sample: MLClauncher.exe
Resource: win7-20240220-en

Behavioral task: behavioral2
Sample: MLClauncher.exe
Resource: win10v2004-20240426-en
Malware Config
Extracted: xworm
127.0.0.1:2832
20.ip.gl.ply.gg:2832
financial-merchandise.gl.at.ply.gg:64299
<Xwormmm>:1
Install_directory: %Temp%
install_file: svhost.exe
Targets
Target: MLClauncher.exe
- Detect Xworm Payload
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- StormKitty payload
- ModiLoader Second Stage
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Modifies Installed Components in the registry
- Sets file execution options in registry
- Checks computer location settings
  Looks up the country code configured in the registry, likely for geofencing.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
MITRE ATT&CK Matrix (ATT&CK v13)

Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (3)
  Pre-OS Boot (1)
    Bootkit (1)
  Scheduled Task/Job (1)

Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (3)
  Scheduled Task/Job (1)

Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (1)
    Disable or Modify Tools (1)
  Modify Registry (5)
  Pre-OS Boot (1)
    Bootkit (1)