General
-
Target
launcher.exe
-
Size
121KB
-
Sample
240916-tp8aeaxbke
-
MD5
8356aac5412d5225bf9821d741134fa8
-
SHA1
9a511abb8f1ede32717302c52ef85b16d1f77702
-
SHA256
b824428a19f5ea337430fcd7ca5cfaa67d58a5c27e6ae3e4d5688a85f85dbbde
-
SHA512
a03f1f026ef9a08204b169091b3fc472a10c72e1057ebc706d47ec0d9528a51d2284e6b0a65dfcd0926a9b5ecc1bc64aa2912362bd638ac643c54f64fce9675c
-
SSDEEP
3072:Tkwn4I8IB14Lf5KoiWoS6vKWxVvZqBWHj0MW1Di/orr9lLsy:Ywx8emLf5K/nSiKW3vj0MW1WQ9lL
Static task
static1
Behavioral task
behavioral1
Sample
launcher.exe
Resource
win7-20240903-en
Malware Config
Extracted
phemedrone
https://api.telegram.org/bot7093178471:AAF2vSzsv_7VHw_mw-hRkrEjGXZZ0VRp1-c/sendDocument
Extracted
gurcu
https://api.telegram.org/bot7093178471:AAF2vSzsv_7VHw_mw-hRkrEjGXZZ0VRp1-c/sendMessage?chat_id=7184004788
Targets
-
-
Target
launcher.exe
-
Size
121KB
-
MD5
8356aac5412d5225bf9821d741134fa8
-
SHA1
9a511abb8f1ede32717302c52ef85b16d1f77702
-
SHA256
b824428a19f5ea337430fcd7ca5cfaa67d58a5c27e6ae3e4d5688a85f85dbbde
-
SHA512
a03f1f026ef9a08204b169091b3fc472a10c72e1057ebc706d47ec0d9528a51d2284e6b0a65dfcd0926a9b5ecc1bc64aa2912362bd638ac643c54f64fce9675c
-
SSDEEP
3072:Tkwn4I8IB14Lf5KoiWoS6vKWxVvZqBWHj0MW1Di/orr9lLsy:Ywx8emLf5K/nSiKW3vj0MW1WQ9lL
-
Detect Xworm Payload
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3