#xworm_160824

1. #IOC #OptiData #VR #xworm #RAT #powershell #RegSvcs
2.  
3. https://pastebin.com/CRjUiGHd
4.  
5. previous_contact:
6. n/a
7.  
8. FAQ:
9. https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm
10.  
11. attack_vector
12. --------------
13. email attach .zip > .pdf.lnk > powershell get .pdf & .dll > rundll32 > inject RegSvcs.exe > C2
14.  
15. # # # # # # # #
16. email_headers
17. # # # # # # # #
18. Date: 15 Aug 2024 17:36:08 -0700
19. From: Elena Cristea <purchase _ozraltd @outlook _com>
20. Subject: PO from Start Group S.R.L
21. Received: from siemenx _com ([142 _171 _186 _184])
22. Received: from ip139 _ip -51 -255 -152 _eu ([51 _255 _152 _139])
23. Message-ID: <20240815173608 _D87B0CB345B7901F @outlook _com>
24.  
25. # # # # # # # #
26. files
27. # # # # # # # #
28. SHA-256 cd76f454f2ddac4e0abdfb85d3d8c287e5784c147db255c84fc0f5a41c83250d
29. File name PO20240815.zip
30. File size 1.00 KB (1028 bytes)
31.  
32. SHA-256 c1ac6640bb74438f7a6c430ab4c701f7daf2117b87522f9bb4b8da6fdca1b375
33. File name PO20240815.pdf.lnk
34. File size 3.48 KB (3568 bytes)
35.  
36. SHA-256 1cc81f71eae826c2876bf8a08c2ef9ca5fe8f10ce9d4790a22fa61570e08286c
37. File name 172373910590741.png [Statement_of_Account.pdf] > decoy
38. File size 20.39 KB (20881 bytes)
39.  
40. SHA-256 cf0cdb7290a6637aad0141025ea90332763e69bcada23eec84cf8e81faf53087
41. File name 172373704210952.png [license.txt] > DLL
42. File size 399.89 KB (409488 bytes)
43.  
44.  
45. # # # # # # # #
46. activity
47. # # # # # # # #
48.  
49. PL_SCR cutt _ly /kevGcUyk >> ima _dzgsm _com /uploads /172373704210952.png > DLL
50.  
51. C2 C2 xwram1 _duckdns _org :58345
52.  
53.  
54. netwrk
55. --------------
56. 104 _22 _0 _232 cutt _ly 443 TLSv1.3 Client Hello (SNI=cutt _ly)
57. 54 _36 _173 _156 ima _dzgsm _com 443 TLSv1.3 Client Hello (SNI=ima _dzgsm _com)
58.  
59. comp
60. --------------
61. powershell.exe 104 _22 _0 _232
62. powershell.exe 54 _36 _173 _156
63. rundll32.exe 54 _36 _173 _156
64. RegSvcs.exe 193 _187 _91 _208
65.  
66. proc
67. --------------
68. UNC\localhost\C$\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
69. "C:\Program Files\SumatraPDF\SumatraPDF.exe" "C:\Users\Public\Documents\Statement_of_Account.pdf"
70. "C:\Windows\System32\rundll32.exe" C:\Users\Public\Downloads\license.txt,IEX
71. C:\Windows\System32\cmd.exe /c copy C:\Users\Public\Downloads\license.txt C:\Users\%username%\AppData\Roaming\Templates
72. C:\Windows\System32\cmd.exe /c copy C:\Users\Public\Downloads\cryptbase.dll C:\Users\%username%\AppData\Roaming\Templates
73. C:\Windows\System32\cmd.exe /c copy C:\Users\Public\Downloads\RemoteAppLogonApplication.exe C:\Users\%username%\AppData\Roaming\Templates
74. C:\Windows\System32\cmd.exe /c copy C:\Users\%username%\AppData\Local\Temp\license.txt C:\Users\%username%\AppData\Roaming\Templates
75. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
76.  
77. persist
78. --------------
79. HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
80. RtkAudUService C:\Users\User01\AppData\Roaming\Templates\license.txt Sat Aug 17 14:58:16 2024
81.  
82. drop
83. --------------
84. C:\Users\Public\Documents\Statement_of_Account.pdf
85. C:\Users\Public\Downloads\license.txt
86.  
87. # # # # # # # #
88. additional info
89. # # # # # # # #
90. n/a
91.  
92. # # # # # # # #
93. VT & Intezer
94. # # # # # # # #
95. https://www.virustotal.com/gui/file/cd76f454f2ddac4e0abdfb85d3d8c287e5784c147db255c84fc0f5a41c83250d/details
96. https://www.virustotal.com/gui/file/c1ac6640bb74438f7a6c430ab4c701f7daf2117b87522f9bb4b8da6fdca1b375/details
97. https://www.virustotal.com/gui/file/1cc81f71eae826c2876bf8a08c2ef9ca5fe8f10ce9d4790a22fa61570e08286c/details
98. https://www.virustotal.com/gui/file/cf0cdb7290a6637aad0141025ea90332763e69bcada23eec84cf8e81faf53087/details
99.  
100. VR