General

  • Target

    image_logger.bat

  • Size

    304KB

  • Sample

    240531-vqhxksff85

  • MD5

    4e4f69a7c3eb1df655359c62b7d8f634

  • SHA1

    abcd84d9bc4c4e469bda80f9d2b09fd937f1c8af

  • SHA256

    7905527e602b2147d25e7d1698c70a408bd0d94aa539f347e41c070e157feee0

  • SHA512

    c7b50f98f05fd92cd6bc4a22d654662703f142c8e20211b43c59f92d1a90a5e429aecbed5406754ffa31ce5a96830965e60217333750692faafe4792991ec607

  • SSDEEP

    6144:JkHMq6C+74DLOM0jpXiGnZWckDCEsG9xaSaCyk0jKA3DvDF7ei:JkHMMDLXUVidckD/59x57e3DvDhei

Malware Config

Extracted

Family

xworm

C2

movie-buddy.gl.at.ply.gg:40572

Attributes

  • Install_directory

    %Public%

  • install_file

    Runtime Broker.exe

Targets

    • Target

      image_logger.bat

    • Size

      304KB

    • MD5

      4e4f69a7c3eb1df655359c62b7d8f634

    • SHA1

      abcd84d9bc4c4e469bda80f9d2b09fd937f1c8af

    • SHA256

      7905527e602b2147d25e7d1698c70a408bd0d94aa539f347e41c070e157feee0

    • SHA512

      c7b50f98f05fd92cd6bc4a22d654662703f142c8e20211b43c59f92d1a90a5e429aecbed5406754ffa31ce5a96830965e60217333750692faafe4792991ec607

    • SSDEEP

      6144:JkHMq6C+74DLOM0jpXiGnZWckDCEsG9xaSaCyk0jKA3DvDF7ei:JkHMMDLXUVidckD/59x57e3DvDhei

    • Detect Xworm Payload

    • Modifies firewall policy service

    • Modifies security service

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Drops startup file

    • Adds Run key to start application

    • Checks for any installed AV software in registry

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks