General

Target: Cryptic Release V1.4.exe
Size: 8.5MB
Sample: 240621-npklfs1hpn
MD5: 3be927d08df2f452185bc35ae5709617
SHA1: e287ba2e481f3768678317e87099afdef4186294
SHA256: f99d78317fe908e8f863563f5b8662c21185dd256120b534dd3a3a842557fc3c
SHA512: 89490ed120cb8f73359a0a8f2b47957fcd55631f6b61e8ee9a7363d7792ecb3cb012270071949fd903b73792b4c83adc331dd3a02998c8789bd6198b95ee4a5f
SSDEEP: 196608:BB8BYmuJfX5aL0o/gGuwDfsBJcXIsEIKcmc3FzVT9tdVX:B2YmqfX5yIFwATcXIsGVc1zVTjdV
Static task: static1
Behavioral task: behavioral1
  Sample: Cryptic Release V1.4.exe
  Resource: win11-20240508-en
Malware Config

Extracted: xworm
  91.92.241.69:5555
  Install_directory: %ProgramData%
  install_file: Windows Runtime.exe
Targets

Target: Cryptic Release V1.4.exe
Size: 8.5MB
Signatures:
- Detect Xworm Payload
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
MITRE ATT&CK Enterprise v15

Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)