General
-
Target
OneDrive_Security_notification.exe
-
Size
8.2MB
-
Sample
241216-rcfcrasrdm
-
MD5
630470e421acd1df856832d7a12b4853
-
SHA1
72d9de36902b6bb8e7b0150c2371a0af341302c3
-
SHA256
c2eb68974fb982502a2f497826f922563d90dfdf32725b44613aa1f957c8d0fd
-
SHA512
6fa9f3887613ded84e53b655f84ca245483649e088e956289f15f9b5c3ad91271c395038ff39ec2dcc23415ab41e8bf8d2514f738b1a470c2e58e92d7763be41
-
SSDEEP
196608:+sYqGogjHX3kH/6PJzxUJNuuSjlSTm0oon51jfHxMOpa+Sq:1sogjnQ61xQYxSTm0rHiWa+S
Static task
static1
Behavioral task
behavioral1
Sample
OneDrive_Security_notification.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
OneDrive_Security_notification.exe
Resource
win10v2004-20241007-en
Malware Config
Extracted
xworm
3.1
includes-ear.at.ply.gg:19669
-
Install_directory
%AppData%
-
install_file
USB.exe
-
telegram
https://api.telegram.org/bot5946256736:AAHO4CrAGp_CXtFIt3jYlFOdvAaqBfQV7Qo/sendMessage?chat_id=5319807265
Extracted
quasar
1.3.0.0
update64
site-translations.at.ply.gg:19855
QSR_MUTEX_WJxUvmtxNYm7LGjN3t
-
encryption_key
32vt5jMLvcowHkjxpyew
-
install_name
update.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
update
-
subdirectory
SubDir
Targets
-
-
Target
OneDrive_Security_notification.exe
-
Size
8.2MB
-
MD5
630470e421acd1df856832d7a12b4853
-
SHA1
72d9de36902b6bb8e7b0150c2371a0af341302c3
-
SHA256
c2eb68974fb982502a2f497826f922563d90dfdf32725b44613aa1f957c8d0fd
-
SHA512
6fa9f3887613ded84e53b655f84ca245483649e088e956289f15f9b5c3ad91271c395038ff39ec2dcc23415ab41e8bf8d2514f738b1a470c2e58e92d7763be41
-
SSDEEP
196608:+sYqGogjHX3kH/6PJzxUJNuuSjlSTm0oon51jfHxMOpa+Sq:1sogjnQ61xQYxSTm0rHiWa+S
-
Detect Xworm Payload
-
Njrat family
-
Quasar family
-
Quasar payload
-
Xworm family
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops file in Drivers directory
-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Clipboard Data
Adversaries may collect data stored in the clipboard from users copying information within or between applications.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Obfuscated Files or Information: Command Obfuscation
Adversaries may obfuscate content during command execution to impede detection.
-
Enumerates processes with tasklist
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
1Obfuscated Files or Information
1Command Obfuscation
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3