General
-
Target
35c96710224c62bd8dbfb9a6f65cd524fb54657d8e75f2bc4268530b004c6dc6
-
Size
291KB
-
Sample
240910-sfzq8syhnn
-
MD5
37992d4e5349d0a9275c8d1fe0290591
-
SHA1
2ea1bb73a8459672c7f8a1133c4edc8040c2c63c
-
SHA256
35c96710224c62bd8dbfb9a6f65cd524fb54657d8e75f2bc4268530b004c6dc6
-
SHA512
dc2bd50f573d806c88eba2f599476d431ad3b2c64cf14e058e6df53edd2383d2a8b18e99aeae14af6fbbdec7f14c4403ced2883cb20a93c77515b1ed5fae7d88
-
SSDEEP
6144:rTiaVHkOlGtyUFB3XjdOwkL1xOJ9NLzof6TUIa1bq/KMw:rXJUFB3zEjLPDf6J
Static task
static1
Behavioral task
behavioral1
Sample
35c96710224c62bd8dbfb9a6f65cd524fb54657d8e75f2bc4268530b004c6dc6.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
35c96710224c62bd8dbfb9a6f65cd524fb54657d8e75f2bc4268530b004c6dc6.exe
Resource
win10v2004-20240802-en
Malware Config
Extracted
xworm
127.0.0.1:19121
goods-flex.gl.at.ply.gg:19121
-
Install_directory
%AppData%
-
install_file
GoogleUpdateUA.exe
Extracted
phemedrone
https://api.telegram.org/bot6766891578:AAE47sIyviQ0_skRFQtvxeYcndg1C8RFyo4/sendDocument
Targets
-
-
Target
35c96710224c62bd8dbfb9a6f65cd524fb54657d8e75f2bc4268530b004c6dc6
-
Size
291KB
-
MD5
37992d4e5349d0a9275c8d1fe0290591
-
SHA1
2ea1bb73a8459672c7f8a1133c4edc8040c2c63c
-
SHA256
35c96710224c62bd8dbfb9a6f65cd524fb54657d8e75f2bc4268530b004c6dc6
-
SHA512
dc2bd50f573d806c88eba2f599476d431ad3b2c64cf14e058e6df53edd2383d2a8b18e99aeae14af6fbbdec7f14c4403ced2883cb20a93c77515b1ed5fae7d88
-
SSDEEP
6144:rTiaVHkOlGtyUFB3XjdOwkL1xOJ9NLzof6TUIa1bq/KMw:rXJUFB3zEjLPDf6J
-
Detect Xworm Payload
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1