General
Target: VxnCleaner.exe
Size: 236KB
Sample: 241224-v8anxssqf1
MD5: 077e0305b131cd52856e2064bf7524f9
SHA1: ab78b7583fe398137839e52797d3f618d4b56c3e
SHA256: a34d680823cbb7726c179591ba5a4a251e6761b20e748a7478939d9ce96bcc86
SHA512: e5bd89058814cafd7d174c29f5d3c24e8088a2fce080d92e2fa7b1f9e9a3a5a0fb7cc962ba3cf0be2f920bfbf3d33a7e8c962d6f7c5488e3085d1cb23d16cc6b
SSDEEP: 6144:cz18GYHZfBQZbVGW8h18GYHZfBQZbVGW8:czJYsbkhJYsbk
Static task: static1
Behavioral task: behavioral1
  Sample: VxnCleaner.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: VxnCleaner.exe
  Resource: win10v2004-20241007-en
Malware Config
Extracted: xworm
  side-sean.gl.at.ply.gg:37533
  Install_directory: %ProgramData%
  install_file: conhost.exe
Extracted: C:\Users\Admin\Documents\@[email protected]
  wannacry
  115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
Targets
Target: VxnCleaner.exe
- Detect Xworm Payload
- Wannacry family
- Xworm family
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
- Adds Run key to start application
- File and Directory Permissions Modification: Windows File and Directory Permissions Modification
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Obfuscated Files or Information: Command Obfuscation
  Adversaries may obfuscate content during command execution to impede detection.
- Sets desktop wallpaper using registry
MITRE ATT&CK Enterprise v15
Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
  Windows Management Instrumentation (1)
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Defense Evasion
  Direct Volume Access (1)
  File and Directory Permissions Modification (2)
    Windows File and Directory Permissions Modification (1)
  Hide Artifacts (1)
    Hidden Files and Directories (1)
  Indicator Removal (2)
    File Deletion (2)
  Modify Registry (3)
  Obfuscated Files or Information (1)
    Command Obfuscation (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)