General
Target: Silence.exe
Size: 28.0MB
Sample: 240701-mhrwhswdph
MD5: 831c276bc5317698e3b81b4d7d06c61a
SHA1: 2872c2fdd594a9578926daaff27640f4f042b17c
SHA256: 12434745d5d33a4f44eef61c75681776af4719fc1f965e0a136f7e8f56d847d9
SHA512: c3292991b61775584bbefdfdb120086eb303486c45fc53d2fcd80a64cbc6ecaccb8a2b8fe2c1178f7dacdc3cf72290512a6037b2e47887967c1f129a6db5fbf7
SSDEEP: 786432:sKNT2Hyh7hC/4Ubv8bNraTdqn1yU0tLdbJ9bCkv:yHyhUQJmqn1y7xbT
Behavioral task
behavioral1
Sample: Silence.exe
Resource: win7-20240508-en
Malware Config
Extracted
xworm
https://pastebin.com/raw/Xnd0E962:9090
Install_directory: %Userprofile%
install_file: SVCService.exe
pastebin_url: https://pastebin.com/raw/Xnd0E962
Targets
Target: Silence.exe
- Detect Xworm Payload
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
MITRE ATT&CK Matrix (ATT&CK v13)
Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)