General
Target: https://cdn.discordapp.com/attachments/1231133151074582538/1257199666492084317/Tracker.bat?ex=668389ee&is=6682386e&hm=c32b5ee4929b0537660ff6c1d6a2c9c794349cef60344d72ba0ad64a98d7bb9b&
Sample: 240701-f5fnfaxdnf
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://cdn.discordapp.com/attachments/1231133151074582538/1257199666492084317/Tracker.bat?ex=668389ee&is=6682386e&hm=c32b5ee4929b0537660ff6c1d6a2c9c794349cef60344d72ba0ad64a98d7bb9b&
Resource: win10-20240404-en
Malware Config
Extracted
xworm
friday-ebook.gl.at.ply.gg:13014
Install_directory: %ProgramData%
install_file: powershell.exe
Targets
Target: https://cdn.discordapp.com/attachments/1231133151074582538/1257199666492084317/Tracker.bat?ex=668389ee&is=6682386e&hm=c32b5ee4929b0537660ff6c1d6a2c9c794349cef60344d72ba0ad64a98d7bb9b&
Score 10/10
Detect Xworm Payload
Drops startup file
Executes dropped EXE
Adds Run key to start application
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
Boot or Logon Autostart Execution: 1
Registry Run Keys / Startup Folder: 1
Scheduled Task/Job: 1
Scheduled Task: 1