General
-
Target
x69.exe
-
Size
285KB
-
Sample
250522-pcnysatjt2
-
MD5
20841606ce69632f258221219aeee09b
-
SHA1
b72918797186774598792c47b66d5857be59f576
-
SHA256
1ca064f8c8eb72cd0cfda466bb582318c93d2856a89bcf323b37d820f05fdc83
-
SHA512
aa1d6dcc49a66a5cef5fc64cae299c250bb5327d8d2e985db83e568b9d5acdde3b58249797f84fddcabf21210e194fa2ae3ca6b178286a3563d9574937e2b72e
-
SSDEEP
6144:3RIUGV77XEc5EDEhp19jyVyFSXnIHq1h8tkEsjuIMN9lLk:uUG5oc5EDAU0F+18guI
Static task
static1
Behavioral task
behavioral1
Sample
x69.exe
Resource
win11-20250502-en
Malware Config
Extracted
xworm
3.1
grayhatgroupontop.zapto.org:1177
-
Install_directory
%AppData%
-
install_file
USB.exe
-
telegram
https://api.telegram.org/bot7717722960:AAGvuHVf2skcG3rQxo21EcgaQuXDN-eZ9zs/sendMessage?chat_id=6757433004
Extracted
bdaejec
ddos.dnsnb8.net
Extracted
latentbot
grayhatgroupontop.zapto.org
Targets
-
-
Target
x69.exe
-
Size
285KB
-
MD5
20841606ce69632f258221219aeee09b
-
SHA1
b72918797186774598792c47b66d5857be59f576
-
SHA256
1ca064f8c8eb72cd0cfda466bb582318c93d2856a89bcf323b37d820f05fdc83
-
SHA512
aa1d6dcc49a66a5cef5fc64cae299c250bb5327d8d2e985db83e568b9d5acdde3b58249797f84fddcabf21210e194fa2ae3ca6b178286a3563d9574937e2b72e
-
SSDEEP
6144:3RIUGV77XEc5EDEhp19jyVyFSXnIHq1h8tkEsjuIMN9lLk:uUG5oc5EDAU0F+18guI
-
Bdaejec family
-
Contains code to disable Windows Defender
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Detect Xworm Payload
-
Detects Bdaejec Backdoor.
Bdaejec is backdoor written in C++.
-
Latentbot family
-
Modifies Windows Defender Real-time Protection settings
-
Modifies security service
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Xworm family
-
Modifies Windows Firewall
-
Drops startup file
-
Executes dropped EXE
-
Indicator Removal: Clear Windows Event Logs
Clear Windows Event Logs to hide the activity of an intrusion.
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v16
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
4Windows Service
4Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
4Windows Service
4Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
2Indicator Removal
1Clear Windows Event Logs
1Modify Registry
6