General
Target: Output.bat
Size: 1.1MB
Sample: 240629-yyk9fsveja
MD5: 1897b3980473ad054ab05b0f2ced4de7
SHA1: a694b444dc8dd30e07f69671c3905ffb6fe13532
SHA256: 3d25b09ab5a16a6b49a7394175b3bce37ba2ae9ce8771408b05280b1bd14b036
SHA512: 6f67fe1aca76aa0ff33ebf7f1edc4bae6b25c34c543ffa8f59220e520dea91fe92bd50681a5d3086353ef245bd28887bca93efa276ad2544dfbdbdd188ba5ee1
SSDEEP: 24576:H9/ZDtETtFPa65VkOdET4sDgnVI4jGzwMVACzrDc:HqRcRBkwAGM
Static task: static1
Malware Config
Extracted: xworm
C2: best-bird.gl.at.ply.gg:27196
C2: super-nearest.gl.at.ply.gg:17835
Extracted: asyncrat
Default
C2: finally-grande.gl.at.ply.gg:25844
delay: 1 (seconds the AsyncRAT stub sleeps before starting)
install: false (the stub is configured not to copy itself to install_folder or register its own persistence)
install_folder: %AppData% (only used when install is true)
Note: all three C2 endpoints are *.gl.at.ply.gg hostnames, i.e. playit.gg tunnel endpoints that hide the operator's real address. The subdomains are disposable, so hunt and block on the ply.gg zone and the listed ports rather than on the subdomains alone.
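A hunt for the extracted endpoints in network telemetry, added here as an example and not part of the sandbox report. The `key=value` event lines are constructed stand-ins for Sysmon network-connection records; only the three C2 host:port pairs come from the report. Beyond the exact endpoints it also flags any connection into the ply.gg tunnel zone, at lower confidence, because each tunnel hostname is disposable.

```python
"""Hunt for the extracted C2 endpoints in network telemetry.

Added example, not part of the sandbox report. SAMPLE_LOG is constructed;
the only real data are the three C2 endpoints from the Malware Config section.
"""
import re
from dataclasses import dataclass

# C2 endpoints exactly as reported by the xworm and asyncrat config extractors.
EXTRACTED_C2 = {
    "xworm": ["best-bird.gl.at.ply.gg:27196", "super-nearest.gl.at.ply.gg:17835"],
    "asyncrat": ["finally-grande.gl.at.ply.gg:25844"],
}

# Tunnel zone shared by all three endpoints. Subdomains are per-tunnel and
# rotate, so a hunt keyed on the zone also catches a re-provisioned tunnel.
TUNNEL_ZONE = "ply.gg"


@dataclass(frozen=True)
class Hit:
    line_no: int
    family: str        # "xworm", "asyncrat" or "tunnel-zone"
    host: str
    port: int
    confidence: str    # "high" for exact host:port, "medium" for zone-only


def parse_endpoints(config):
    """Turn {family: ["host:port", ...]} into {(host, port): family}."""
    table = {}
    for family, entries in config.items():
        for entry in entries:
            host, _, port = entry.rpartition(":")
            table[(host.lower(), int(port))] = family
    return table


# Field extraction for the constructed "key=value" event format used below
# (a stand-in for Sysmon event 3 fields, not a real log format).
_FIELD = re.compile(r"(\w+)=([^\s]+)")


def hunt(log_lines, config=EXTRACTED_C2):
    """Return Hits for every network event matching a C2 endpoint or the zone."""
    endpoints = parse_endpoints(config)
    hits = []
    for n, line in enumerate(log_lines, 1):
        fields = dict(_FIELD.findall(line))
        if fields.get("event") != "NetworkConnect":
            continue
        # Normalise: DNS names are case-insensitive and may carry a trailing dot.
        host = fields.get("dsthost", "").lower().rstrip(".")
        port = int(fields.get("dstport", 0))
        family = endpoints.get((host, port))
        if family:
            hits.append(Hit(n, family, host, port, "high"))
        elif host == TUNNEL_ZONE or host.endswith("." + TUNNEL_ZONE):
            hits.append(Hit(n, "tunnel-zone", host, port, "medium"))
    return hits


# Constructed events: one exact xworm hit, one benign update check, one
# asyncrat hit with odd casing and a trailing dot, one unknown tunnel, and a
# non-network event that must be ignored.
SAMPLE_LOG = [
    "event=NetworkConnect image=C:\\Users\\u\\AppData\\Roaming\\svc.exe dsthost=best-bird.gl.at.ply.gg dstport=27196",
    "event=NetworkConnect image=C:\\Windows\\System32\\svchost.exe dsthost=ctldl.windowsupdate.com dstport=80",
    "event=NetworkConnect image=C:\\Users\\u\\AppData\\Roaming\\svc.exe dsthost=Finally-Grande.gl.at.ply.gg. dstport=25844",
    "event=NetworkConnect image=C:\\Users\\u\\AppData\\Roaming\\svc.exe dsthost=new-tunnel.gl.at.ply.gg dstport=40000",
    "event=ProcessCreate image=C:\\Windows\\System32\\cmd.exe commandline=Output.bat",
]

if __name__ == "__main__":
    for h in hunt(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.host}:{h.port} -> {h.family} ({h.confidence})")
```

The zone-level match is deliberately reported at medium confidence: legitimate playit.gg users exist, so it is a lead to triage against the originating process (here a binary in %AppData%) rather than a verdict on its own.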
Targets
Target: Output.bat (the single analysed file; its size and hashes are those listed under General above)
Signatures
- Detect Xworm Payload
- Modifies firewall policy service
- Modifies security service
- Quasar payload (AsyncRAT shares code with the Quasar RAT family, so this hit alongside the Async RAT signature does not by itself indicate a third family)
- Async RAT payload
- Command and Scripting Interpreter: PowerShell. Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths and processes.
- Checks computer location settings. Looks up the country code configured in the registry, likely as a geofence.
- Executes dropped EXE
- Enumerates connected drives. Attempts to read the root path of hard drives other than the default C: drive.
- Looks up external IP address via web service. Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
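A detector for the PowerShell behaviour the signature above describes (Defender exclusions and protection toggles) plus the firewall-off command that the ATT&CK mapping implies, added here as an example and not part of the sandbox report. The script-block texts are constructed stand-ins for the ScriptBlockText field of PowerShell event 4104; the report does not publish the sample's real command lines. It handles two evasions a naive string match misses: backtick-split cmdlet names and PowerShell's acceptance of any unambiguous parameter-name prefix.

```python
"""Detect PowerShell script blocks that add Windows Defender exclusions or
disable its protections.

Added example, not part of the sandbox report. SAMPLE_SCRIPT_BLOCKS are
constructed stand-ins for PowerShell event 4104 ScriptBlockText values.
"""
import re

# Cmdlets that change Defender preferences. Names may be obfuscated with
# backticks (Add-Mp`Preference) or mixed case, so normalise before matching.
DEFENDER_CMDLETS = ("add-mppreference", "set-mppreference")

# Parameters of interest, lowercased. PowerShell binds any unambiguous
# prefix of a parameter name, so -ExclusionProc or -DisableReal are
# accepted by the shell and must be accepted by the detector too.
EXCLUSION_PARAMS = ("exclusionpath", "exclusionextension", "exclusionprocess")
DISABLE_PARAMS = ("disablerealtimemonitoring", "disableioavprotection",
                  "disablebehaviormonitoring", "disablescriptscanning")


def normalise(script_text):
    """Remove backtick escapes, collapse whitespace and lowercase."""
    return re.sub(r"\s+", " ", script_text.replace("`", "")).strip().lower()


def _param_hits(text, full_names):
    """Map each full parameter name whose unambiguous prefix (4+ letters
    after the dash) occurs in text to the text that follows that prefix."""
    found = {}
    for m in re.finditer(r"-([a-z]{4,})", text):
        candidates = [p for p in full_names if p.startswith(m.group(1))]
        if len(candidates) == 1:          # ambiguous prefixes fail to bind
            found[candidates[0]] = text[m.end():].lstrip()
    return found


def classify(script_text):
    """Return (kind, detail) findings for one script block; [] if benign."""
    text = normalise(script_text)
    findings = []
    if any(c in text for c in DEFENDER_CMDLETS):
        for p in sorted(_param_hits(text, EXCLUSION_PARAMS)):
            findings.append(("defender-exclusion", p))
        for p, rest in sorted(_param_hits(text, DISABLE_PARAMS).items()):
            if re.match(r"(\$true|1)\b", rest):   # ignore -Disable... $false
                findings.append(("defender-disable", p))
    # The report maps the sample to Disable or Modify System Firewall; the
    # netsh form is the usual way a batch dropper does it.
    if re.search(r"netsh\s+advfirewall\s+set\s+\w+\s+state\s+off", text):
        findings.append(("firewall-off", "netsh advfirewall"))
    return findings


def scan(script_blocks):
    """Run classify over a list of script blocks; return (index, kind, detail)."""
    return [(i, kind, detail)
            for i, block in enumerate(script_blocks, 1)
            for kind, detail in classify(block)]


# Constructed script-block texts (not taken from the sample).
SAMPLE_SCRIPT_BLOCKS = [
    "Add-MpPreference -ExclusionPath 'C:\\Users\\Public' -ExclusionExtension 'exe','bat'",
    "Set-MpPreference -DisableRealtimeMonitoring $true",
    "add-mp`preference -ExclusionProc 'Output.bat'",      # backtick + prefix
    "Get-MpPreference | Select-Object ExclusionPath",      # read-only: benign
    "Set-MpPreference -DisableRealtimeMonitoring $false",  # re-enabling: benign
    "netsh advfirewall set allprofiles state off",
]

if __name__ == "__main__":
    for index, kind, detail in scan(SAMPLE_SCRIPT_BLOCKS):
        print(f"block {index}: {kind} ({detail})")
```

Script-block logging sees the de-obfuscated text PowerShell actually runs, which is why the detector targets event 4104 rather than the process command line; a dropper that launches `powershell -enc ...` shows only base64 in event 4688 or Sysmon event 1.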
MITRE ATT&CK Matrix (ATT&CK v13; counts are the number of signatures mapped to each technique)
Persistence
  Create or Modify System Process (2): Windows Service (2)
  Event Triggered Execution (1): Netsh Helper DLL (1)
Privilege Escalation
  Create or Modify System Process (2): Windows Service (2)
  Event Triggered Execution (1): Netsh Helper DLL (1)
Defense Evasion
  Modify Registry (3)
  Impair Defenses (1): Disable or Modify System Firewall (1)