General
-
Target
64787cd5380092f4842918dde01f0bfe92c133a925cdaef9f7289e6e53af4eed.exe
-
Size
7.7MB
-
Sample
240711-tmzv9awgkf
-
MD5
6ca08efccb785d2b8c23c54a05930356
-
SHA1
c4de56535545a5a6555af998b2b3fbb254637625
-
SHA256
64787cd5380092f4842918dde01f0bfe92c133a925cdaef9f7289e6e53af4eed
-
SHA512
8da14f29989d5c99b0335be45951e4e87dccabefccae73a8e5cf13d91e6d47fcf1408b9020a965015b15175239f6d732d8cd4b6b11e07b232386827984b77b14
-
SSDEEP
196608:p9xmKlBELQL73HTSddEVnvbG3eVvMJxOf2X6QDpTrTMA:Yf03QdEc3eJMJxOf25VT3D
Static task
static1
Behavioral task
behavioral1
Sample
64787cd5380092f4842918dde01f0bfe92c133a925cdaef9f7289e6e53af4eed.exe
Resource
win7-20240704-en
Malware Config
Extracted
xworm
5.0
testarosa.duckdns.org:7110
5ZpeoOe6AtQfr6wU
-
Install_directory
%AppData%
-
install_file
Ondrive.exe
Extracted
umbral
https://discord.com/api/webhooks/1255561908631900262/FBfFOJC5RNZ6gSVwbGsinrWT1Tk0AcX2fxXrs9EMYvCvgKrDx5R4TOUhy9LGN7mz_JKs
Extracted
njrat
0.7d
HacKed
147.185.221.20:49236
6a8a3b6e5450a823d542e748a454aa4c
-
reg_key
6a8a3b6e5450a823d542e748a454aa4c
-
splitter
|'|'|
Targets
-
-
Target
64787cd5380092f4842918dde01f0bfe92c133a925cdaef9f7289e6e53af4eed.exe
-
Size
7.7MB
-
MD5
6ca08efccb785d2b8c23c54a05930356
-
SHA1
c4de56535545a5a6555af998b2b3fbb254637625
-
SHA256
64787cd5380092f4842918dde01f0bfe92c133a925cdaef9f7289e6e53af4eed
-
SHA512
8da14f29989d5c99b0335be45951e4e87dccabefccae73a8e5cf13d91e6d47fcf1408b9020a965015b15175239f6d732d8cd4b6b11e07b232386827984b77b14
-
SSDEEP
196608:p9xmKlBELQL73HTSddEVnvbG3eVvMJxOf2X6QDpTrTMA:Yf03QdEc3eJMJxOf25VT3D
-
Detect Umbral payload
-
Detect Xworm Payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1