General
  Target: Devs Camera Mod.bat
  Size: 320KB
  Sample: 240904-e1th3awejc
  MD5: 58507a2c740eb9251ee878ce7f25b72a
  SHA1: d9702407c6390f65e5cff7c0c331352f5bfc52b8
  SHA256: b1e02899752b3e45311d824e70bed91652fcfae6ad24e42a8cd91741def5af92
  SHA512: be89349449467532f042789601dca41356944f9ae899c7a7725bc077608c37afc35a43cac9b8d92db437f1eae3da533dcc3cc1a39e8437dacd75842e5b5f9131
  SSDEEP: 6144:Qs2zVlFK4D5IHQgPJngBrG6VGVLcD+YIxMXWonO:QPxnGs+5cD1I6XbO
Static task: static1
Behavioral task: behavioral1
  Sample: Devs Camera Mod.bat
  Resource: win7-20240708-en

Malware Config

Targets
  Target: Devs Camera Mod.bat (320KB; MD5, SHA1, SHA256, SHA512 and SSDEEP identical to the values listed under General)
  - Detect Xworm Payload
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell. Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  - Downloads MZ/PE file
  - Checks computer location settings. Looks up the country code configured in the registry, likely a geofence.
  - Deletes itself
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Obfuscated with Agile.Net obfuscator. Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control-flow obfuscation.
  - Adds Run key to start application
  - Legitimate hosting services abused for malware hosting/C2
  - Looks up external IP address via web service. Uses a legitimate IP lookup service to find the infected system's external IP.
  - Drops file in System32 directory
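Several of the signatures above (the Defender exclusion via PowerShell, the Run key, the startup-folder drop, the scheduled task, the external IP lookup and the registry country-code check) leave traces in process command lines, so they can be triaged from endpoint telemetry without re-running the sample. The script below is an added example, not code from the sandbox report: it applies one regex rule per signature to a set of command lines. The telemetry lines are constructed, and the cmdlets, switches, registry paths and lookup hostnames are assumptions about how these behaviours commonly appear, not indicators extracted from this sample.

```python
import re
from typing import Dict, List

# Added example, not code from the sandbox report. Each rule pairs a label drawn
# from the report's signature list with a regex over a process command line. The
# cmdlets, switches, registry paths and lookup hostnames are assumptions about
# how these behaviours commonly appear in telemetry, not strings from the sample.
RULES = [
    ("Command and Scripting Interpreter: PowerShell (Defender exclusion)",
     re.compile(r"\b(Add|Set)-MpPreference\b.*-Exclusion(Path|Extension|Process)\b", re.I)),
    ("Impair Defenses: Disable or Modify Tools",
     re.compile(r"\bSet-MpPreference\b.*-Disable\w+\s+(\$true|1)\b", re.I)),
    ("Adds Run key to start application",
     re.compile(r"(\breg(\.exe)?\s+add\b|\b(Set|New)-ItemProperty\b).*\\CurrentVersion\\Run(Once)?\b", re.I)),
    ("Drops startup file",
     re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)),
    ("Scheduled Task/Job: Scheduled Task",
     re.compile(r"\bschtasks(\.exe)?\b.*\s/create\b", re.I)),
    ("Looks up external IP address via web service",
     re.compile(r"\b(api\.ipify\.org|ipinfo\.io|ip-api\.com|icanhazip\.com|checkip\.amazonaws\.com)\b", re.I)),
    ("Checks computer location settings",
     # Assumed registry location: the Geo key holds the configured country code.
     re.compile(r"\\Control Panel\\International\\Geo\b", re.I)),
]


def classify(cmdline: str) -> List[str]:
    """Return the labels of every rule that matches one command line."""
    return [label for label, pattern in RULES if pattern.search(cmdline)]


def triage(cmdlines: List[str]) -> Dict[str, List[str]]:
    """Group matching command lines under each signature label they triggered."""
    hits: Dict[str, List[str]] = {}
    for line in cmdlines:
        for label in classify(line):
            hits.setdefault(label, []).append(line)
    return hits


# Constructed telemetry for a dry run; none of these lines come from the report.
SAMPLE_CMDLINES = [
    r'powershell.exe -NoP -W Hidden -Command "Add-MpPreference -ExclusionPath C:\Users\Public -ExclusionExtension .bat -ExclusionProcess powershell.exe"',
    r'powershell.exe -Command "Set-MpPreference -DisableRealtimeMonitoring $true"',
    r'reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Update /t REG_SZ /d C:\Users\Public\svchost.exe /f',
    r'cmd.exe /c copy C:\Users\Public\svchost.exe "C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"',
    r'schtasks.exe /create /sc minute /mo 1 /tn Update /tr C:\Users\Public\svchost.exe /f',
    r'powershell.exe -Command "(Invoke-WebRequest -UseBasicParsing https://api.ipify.org).Content"',
    r'reg.exe query "HKCU\Control Panel\International\Geo" /v Nation',
    r'notepad.exe C:\Users\victim\notes.txt',
]

if __name__ == "__main__":
    for label, lines in triage(SAMPLE_CMDLINES).items():
        print(f"[+] {label}")
        for line in lines:
            print(f"      {line}")
```

The rules only see command lines, so a Run key written through the registry API from inside a dropped executable, or a Defender exclusion added via WMI rather than the cmdlet, produces no match; pair this with registry-value and process-creation events from the endpoint sensor rather than treating an empty result as a clean host.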
MITRE ATT&CK Enterprise v15
(the number after each entry is the count the report attaches to it; technique IDs are the ATT&CK v15 identifiers)

Execution
  Command and Scripting Interpreter (T1059): 2
    PowerShell (T1059.001): 2
  Scheduled Task/Job (T1053): 1
    Scheduled Task (T1053.005): 1
Persistence
  Boot or Logon Autostart Execution (T1547): 1
    Registry Run Keys / Startup Folder (T1547.001): 1
  Scheduled Task/Job (T1053): 1
    Scheduled Task (T1053.005): 1
Privilege Escalation
  Abuse Elevation Control Mechanism (T1548): 1
    Bypass User Account Control (T1548.002): 1
  Boot or Logon Autostart Execution (T1547): 1
    Registry Run Keys / Startup Folder (T1547.001): 1
  Scheduled Task/Job (T1053): 1
    Scheduled Task (T1053.005): 1
Defense Evasion
  Abuse Elevation Control Mechanism (T1548): 1
    Bypass User Account Control (T1548.002): 1
  Impair Defenses (T1562): 1
    Disable or Modify Tools (T1562.001): 1
  Modify Registry (T1112): 3