General
Target: image_logger.exe
Size: 63KB
Sample: 240531-vh5rdaef6z
MD5: c37405e2de6f366c1480de16c092a075
SHA1: b17918080f881ea3e7043241fbc7933f095d29c2
SHA256: 819b412f7423377bcdbebe09d4f81a779911a9bef50a05bf427c1033422dc197
SHA512: 88b4c753fdb9a7263f5c9f8cb38accb9ed8418d32afcbb3dba80e4ff4e61ae4b7079a50bdee6a1dcc2a6bb878cfc5431bd6bb838f365379c2636d6713746146f
SSDEEP: 1536:k6ZPkifrPO+M+bekX4pDAD2MQx6hXOnTzHS:73S9+bvb+aOnTTS
Behavioral task: behavioral1
Sample: image_logger.exe
Resource: win10v2004-20240226-en

Behavioral task: behavioral2
Sample: image_logger.exe
Resource: win11-20240426-en
Malware Config
Extracted: xworm
movie-buddy.gl.at.ply.gg:40572
Install_directory: %Public%
install_file: Runtime Broker.exe
Targets
Target: image_logger.exe
Score: 10/10
Signatures:
- Detect Xworm Payload
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Modifies Installed Components in the registry
- Checks computer location settings
  Looks up the country code configured in the registry, likely as a geofence check.
- Drops startup file
- Adds Run key to start application
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.