General
-
Target
MyCode.exe
-
Size
39KB
-
Sample
240706-r5bv2atenc
-
MD5
70289b7819fa6c4843f3dbf868f89f48
-
SHA1
2f7a6cd6e8ad0ca190acaf7ccf613183044a0587
-
SHA256
ebfcca4ca03a8a89a73501632e23383d274a8cea686bed4359153d863652dd2e
-
SHA512
cea9a878a1e109e80d2e2493d5bd2ac062a89987b67305b4dd3dff2b06f57c6b2a4f80d8be965276e85101a1d36df071c5e9add4940e18a2ae3d454b245210e4
-
SSDEEP
768:BPv2tlOzFKuGCuuJ/5c/lpfFWPJ92yF6dOMhHjhC:BGroIrCuuJefFe92W6dOMFA
Behavioral task
behavioral1
Sample
MyCode.exe
Resource
win11-20240704-en
Malware Config
Extracted
xworm
5.0
127.0.0.1:24920
6.tcp.eu.ngrok.io:24920
4.tcp.eu.ngrok.io:24920
5.tcp.eu.ngrok.io:24920
0.tcp.eu.ngrok.io:24920
20.ip.gl.ply.gg:24920
qp0SiG21yxPKVpTy
-
Install_directory
%AppData%
-
install_file
Upgrade.exe
Extracted
C:\Users\Admin\Downloads\@[email protected]
wannacry
13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
Targets
-
-
Target
MyCode.exe
-
Size
39KB
-
MD5
70289b7819fa6c4843f3dbf868f89f48
-
SHA1
2f7a6cd6e8ad0ca190acaf7ccf613183044a0587
-
SHA256
ebfcca4ca03a8a89a73501632e23383d274a8cea686bed4359153d863652dd2e
-
SHA512
cea9a878a1e109e80d2e2493d5bd2ac062a89987b67305b4dd3dff2b06f57c6b2a4f80d8be965276e85101a1d36df071c5e9add4940e18a2ae3d454b245210e4
-
SSDEEP
768:BPv2tlOzFKuGCuuJ/5c/lpfFWPJ92yF6dOMhHjhC:BGroIrCuuJefFe92W6dOMFA
-
Contains code to disable Windows Defender
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Detect Xworm Payload
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Disables Task Manager via registry modification
-
Downloads MZ/PE file
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies file permissions
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
-
Legitimate hosting services abused for malware hosting/C2
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Sets desktop wallpaper using registry
-
MITRE ATT&CK Matrix ATT&CK v13
Execution
Windows Management Instrumentation
1Command and Scripting Interpreter
1PowerShell
1Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Active Setup
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Active Setup
1Defense Evasion
Modify Registry
6Impair Defenses
1Disable or Modify Tools
1Indicator Removal
1File Deletion
1File and Directory Permissions Modification
2Windows File and Directory Permissions Modification
1Pre-OS Boot
1Bootkit
1Hide Artifacts
1Hidden Files and Directories
1