Analysis

max time kernel: 57s
max time network: 63s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-03-2023 11:22

Behavioral task: behavioral1
Sample: Acordx.exe
Resource: win10v2004-20230220-en
General

Target: Acordx.exe
Size: 39KB
MD5: d8eea36339d0a086726466a84da3f0af
SHA1: 9142f5dea09185b825dd1f49fedd4c1b2f9fb7ad
SHA256: 66fef291c5314a7a20d2d8535ca351bcdd47bafb41136c8855f5ed460be856e1
SHA512: 124690ddd7d8269d4d85bafb1249fa720230a44f4c3db49ebd3589e0ba2e109400ad344e31ecda6d2cefb38ef17be137b3e7b7ad617f1e762f4d41c2541bfb8b
SSDEEP: 768:o1leL7KF2loeyNLRLGlw1FP19EnOphTu+vLe:6eKhegElWFt9EnOpNy
Malware Config

Extracted: xworm
soon-lp.at.ply.gg:17209
G7BSoodIKNHsk7C8
install_file: USB.exe
Signatures
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: Acordx.exe
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation
  process: Acordx.exe
-
Drops startup file (2 IoCs)
Processes: Acordx.exe
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Acordx.lnk
  process: Acordx.exe

  description: File opened for modification
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Acordx.lnk
  process: Acordx.exe
-
Executes dropped EXE (1 IoC)
Processes: Acordx.exe
  pid   process
  404   Acordx.exe
-
Adds Run key to start application (2 TTPs, 1 IoC)
Processes: Acordx.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Acordx = "C:\\Users\\Admin\\AppData\\Roaming\\Acordx.exe"
  process: Acordx.exe
-
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow   ioc
  29     ip-api.com
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: Acordx.exe, Acordx.exe
  description               pid    process
  Token: SeDebugPrivilege   4432   Acordx.exe
  Token: SeDebugPrivilege   4432   Acordx.exe
  Token: SeDebugPrivilege   404    Acordx.exe
-
Suspicious use of WriteProcessMemory (2 IoCs)
Processes: Acordx.exe
  description                        pid    process      target process
  PID 4432 wrote to memory of 1348   4432   Acordx.exe   schtasks.exe
  PID 4432 wrote to memory of 1348   4432   Acordx.exe   schtasks.exe
-
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

- C:\Users\Admin\AppData\Local\Temp\Acordx.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Acordx.exe"
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\schtasks.exe (child process)
    command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Acordx" /tr "C:\Users\Admin\AppData\Roaming\Acordx.exe"
    - Creates scheduled task(s)
- C:\Users\Admin\AppData\Roaming\Acordx.exe
  command line: C:\Users\Admin\AppData\Roaming\Acordx.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Roaming\Acordx.exe
Filesize: 39KB
MD5: d8eea36339d0a086726466a84da3f0af
SHA1: 9142f5dea09185b825dd1f49fedd4c1b2f9fb7ad
SHA256: 66fef291c5314a7a20d2d8535ca351bcdd47bafb41136c8855f5ed460be856e1
SHA512: 124690ddd7d8269d4d85bafb1249fa720230a44f4c3db49ebd3589e0ba2e109400ad344e31ecda6d2cefb38ef17be137b3e7b7ad617f1e762f4d41c2541bfb8b
-
memory/4432-133-0x00000000003A0000-0x00000000003B0000-memory.dmp
Filesize: 64KB
-
memory/4432-134-0x000000001BAC0000-0x000000001BAD0000-memory.dmp
Filesize: 64KB
-
memory/4432-143-0x000000001C880000-0x000000001C982000-memory.dmp
Filesize: 1.0MB
-
memory/4432-144-0x000000001BAC0000-0x000000001BAD0000-memory.dmp
Filesize: 64KB