Analysis
-
max time kernel
151s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
-
submitted
05-11-2023 15:00
General
-
Target
danger.exe
-
Size
17.3MB
-
MD5
7aff5c8e1a98cda8d462565511a5bc2d
-
SHA1
4703377360e523fae14e0c09aa1a05af040ccc91
-
SHA256
a90ca15d3c601ae18f82601cfa311ff92405877087ff5566b365799ba05466eb
-
SHA512
bbbc8ccbc6a2fcea0949c4a27ac935310c4b6c8175521c4db0753c0e440c8d9eb58c99996f0bb5d42e02bbd4c6b4f21530abe43add04d58e89f35471f1db909f
-
SSDEEP
393216:7eYCTfyWo1HwlNwakK/Aze071Sxs9PHPN4s+Fhh1:bCDyWEHs3kv7Iy9Pe/
Malware Config
Extracted
xworm
3.1
216.230.73.215:6789
JhB3xwmTJqR9i5Pu
-
Install_directory
%ProgramData%
-
install_file
SyncHost.exe
-
telegram
https://api.telegram.org/bot6051093382:AAFB_OlEEXCr5NVu4fhuf3m_RPUHXO-LxuA/sendMessage?chat_id=1876538826
Signatures
-
Detect Xworm Payload 2 IoCs
-
Luca Stealer
Info stealer written in Rust first seen in July 2022.
-
Luca Stealer payload 3 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 2 IoCs
-
Themida packer 5 IoCs
Detects Themida, an advanced Windows software protection system.
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 13 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 25 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\danger.exe"C:\Users\Admin\AppData\Local\Temp\danger.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Packet_Installer.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /F /TN "Packet_Installer" /SC ONLOGON /TR "C:\Windows\Packet_Installer.exe" /RL HIGHEST2⤵
- Creates scheduled task(s)
-
-
C:\Windows\Packet_Installer.exe"C:\Windows\Packet_Installer.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Packet_Installer.exe'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Packet_Installer.exe'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Packet_Installer.exe'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Packet_Installer" /tr "C:\ProgramData\Packet_Installer.exe"3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\ProximityUxHost.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /F /TN "ProximityUxHost" /SC ONLOGON /TR "C:\Windows\ProximityUxHost.exe" /RL HIGHEST2⤵
- Creates scheduled task(s)
-
-
C:\Windows\ProximityUxHost.exe"C:\Windows\ProximityUxHost.exe"2⤵
- Executes dropped EXE
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
Filesize
944B
MD5749863cdcdce8f9f10b207cb7c005e45
SHA12a789cf29342eeed730db59fb154fccb57e4efad
SHA256af4561c858888a7cc8fc621f43703df490e40b9a19805bdcbaba64a56bf37157
SHA512c83673e95ea9239fbe18b81cf81a2d72923635fe3a29faf58fabf774d3aeaea9e6e505283daf04d4b2380a5193266f003e03c1cd45673a23c9e6f22eafdd61ab
-
Filesize
18KB
MD563df8f04a5570c4929ece47ae005f31f
SHA1a44ea093dca12f973261c311b218733357160fd2
SHA2563e68b5acbe86be48e7413c9c43ee71cd28fb5b06db018f82362ee510d3b6d15a
SHA5127228fd0b0d0cfdfe4ca2e66a92f75f4967fb233320648058b21458a729659730cd70288707421b54e6713bd06bdc79181b2b90aff0b5b5d1c4b5320b4bbdc9af
-
Filesize
18KB
MD526998b3b46dab65282fc31023facdfc2
SHA1c9899655352c146be3c9fa5b33b4506516f75b43
SHA2565c028afa0614110623e62449a844bf77e0284a056829d163fbbb27f9e2fceac4
SHA512e1eae987dcf4cf2f6f178b114df100908b48bcc5bcfcd16768baa32360b929a753eefa152806c3d31c36890e1ac15c5f9e29b23dfa9a543cfbcbd131d74653c7
-
Filesize
944B
MD5cadef9abd087803c630df65264a6c81c
SHA1babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA5127278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
6.5MB
MD528343e97083994d7ea4e2b07511c1736
SHA1828b94c4cda0ddbe6bb2c9bf0a437106026c10e3
SHA25612f848fba69687ab2258feb0ff3f837267493e31d42319e88e18eb3f687aca4f
SHA5122fedad9f3a54dd8735287a62db43c2da3076ec22b94b7a4f1a6610ce0ba64b880430948a79d5c46d75088274875a3677f204b7984d75d936b8c891a0b158269c
-
Filesize
6.5MB
MD528343e97083994d7ea4e2b07511c1736
SHA1828b94c4cda0ddbe6bb2c9bf0a437106026c10e3
SHA25612f848fba69687ab2258feb0ff3f837267493e31d42319e88e18eb3f687aca4f
SHA5122fedad9f3a54dd8735287a62db43c2da3076ec22b94b7a4f1a6610ce0ba64b880430948a79d5c46d75088274875a3677f204b7984d75d936b8c891a0b158269c
-
Filesize
6.5MB
MD528343e97083994d7ea4e2b07511c1736
SHA1828b94c4cda0ddbe6bb2c9bf0a437106026c10e3
SHA25612f848fba69687ab2258feb0ff3f837267493e31d42319e88e18eb3f687aca4f
SHA5122fedad9f3a54dd8735287a62db43c2da3076ec22b94b7a4f1a6610ce0ba64b880430948a79d5c46d75088274875a3677f204b7984d75d936b8c891a0b158269c
-
Filesize
3.9MB
MD54b947e3d4a5da18764a788c51c2e401f
SHA1d54952e3f8c2de20726225d14b701ff7476c834f
SHA25673f20b8daa0ce8013f10ec9cbd9bc04e66fe2f85c1f3c9558525fd629f9f7c3a
SHA512faa2193560cc3515fb52c6c01419c2d933fbacc7c999f8d606d2056e96b09bb7b2024881393c856a48c3d1e1d1106d1fb965a0d3ec3bb6133a6caf61ff5e258e
-
Filesize
3.9MB
MD54b947e3d4a5da18764a788c51c2e401f
SHA1d54952e3f8c2de20726225d14b701ff7476c834f
SHA25673f20b8daa0ce8013f10ec9cbd9bc04e66fe2f85c1f3c9558525fd629f9f7c3a
SHA512faa2193560cc3515fb52c6c01419c2d933fbacc7c999f8d606d2056e96b09bb7b2024881393c856a48c3d1e1d1106d1fb965a0d3ec3bb6133a6caf61ff5e258e
-
Filesize
3.9MB
MD54b947e3d4a5da18764a788c51c2e401f
SHA1d54952e3f8c2de20726225d14b701ff7476c834f
SHA25673f20b8daa0ce8013f10ec9cbd9bc04e66fe2f85c1f3c9558525fd629f9f7c3a
SHA512faa2193560cc3515fb52c6c01419c2d933fbacc7c999f8d606d2056e96b09bb7b2024881393c856a48c3d1e1d1106d1fb965a0d3ec3bb6133a6caf61ff5e258e
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
136KB
-
Filesize
15.5MB
-
Filesize
960KB
-
Filesize
960KB
-
Filesize
15.5MB
-
Filesize
960KB
-
Filesize
960KB
-
Filesize
624KB
-
Filesize
15.5MB
-
Filesize
408KB
-
Filesize
960KB
-
Filesize
15.5MB
-
Filesize
8KB
-
Filesize
960KB
-
Filesize
960KB
-
Filesize
960KB
-
Filesize
960KB
-
Filesize
960KB
-
Filesize
960KB
-
Filesize
960KB
-
Filesize
960KB
-
Filesize
960KB
-
Filesize
3.3MB
-
Filesize
304KB
-
Filesize
32KB
-
Filesize
104KB
-
Filesize
80KB
-
Filesize
56KB
-
Filesize
68KB
-
Filesize
600KB
-
Filesize
40KB
-
Filesize
216KB
-
Filesize
6.2MB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
136KB
-
Filesize
408KB
-
Filesize
104KB
-
Filesize
6.5MB
-
Filesize
120KB
-
Filesize
652KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
200KB
-
Filesize
304KB
-
Filesize
120KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
8.4MB
-
Filesize
64KB
-
Filesize
34.3MB
-
Filesize
10.8MB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB