General
-
Target
Roblox theme.exe
-
Size
1013KB
-
Sample
240701-jcmg3asern
-
MD5
f9692e37bd7d64a1d5458f39d5730308
-
SHA1
4984464e640fe749391e4819300b615eb4c85c6a
-
SHA256
49c4484aee2c2d16b940cb5e47e908cc894ececf443569f0f127e0c8df2ab832
-
SHA512
4fb5d6dff3d3da8013f8e618a5f65d70156229ee47d214541b04a56fe29d6e7d026aa4eb6870ea19a57ec2cf20042af91c8f62d30a7158bb8a6f77d9be5044d6
-
SSDEEP
24576:lOtT5xDVDvwVqYdVpqVfuMSOYw3Y+JBbUX/S/6Hv9rO5gUa:lOtT57MdhHMxvY+fUPSCH69a
Static task
static1
Behavioral task
behavioral1
Sample
Roblox theme.exe
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
Roblox theme.exe
Resource
win10v2004-20240508-en
Malware Config
Extracted
xworm
java-mas.gl.at.ply.gg:23199
-
Install_directory
%LocalAppData%
-
install_file
svchost.exe
Targets
-
-
Target
Roblox theme.exe
-
Size
1013KB
-
MD5
f9692e37bd7d64a1d5458f39d5730308
-
SHA1
4984464e640fe749391e4819300b615eb4c85c6a
-
SHA256
49c4484aee2c2d16b940cb5e47e908cc894ececf443569f0f127e0c8df2ab832
-
SHA512
4fb5d6dff3d3da8013f8e618a5f65d70156229ee47d214541b04a56fe29d6e7d026aa4eb6870ea19a57ec2cf20042af91c8f62d30a7158bb8a6f77d9be5044d6
-
SSDEEP
24576:lOtT5xDVDvwVqYdVpqVfuMSOYw3Y+JBbUX/S/6Hv9rO5gUa:lOtT57MdhHMxvY+fUPSCH69a
-
Detect Xworm Payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
MITRE ATT&CK Matrix ATT&CK v13
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1