Analysis
- max time kernel: 118s
- max time network: 151s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 23/12/2023, 12:41
- Static task: static1
- Behavioral task: behavioral1
  - Sample: x.exe
  - Resource: win7-20231215-en
General
- Target: x.exe
- Size: 320KB
- MD5: c940e89943c98832a5738d260f16bf94
- SHA1: b422d97d5d59fe0ac82bcb379e2c1d4a27f77618
- SHA256: 4001c4f249a156e7e9410886ddaf8ca7652689eb914a57d3bb17c1284f79dab1
- SHA512: 44587a723fa9d51d5dfb216181bdab33987aedd32cff30eec72363425b6de228a7bc51b84fc66214f81b4b398edc70723839d8e979f533595b140cb52bc31cbd
- SSDEEP: 6144:7DKW1Lgbdl0TBBvjc/RUizNnjLF00mpPGy5Bmfb1cdmhCq3t:Ph1Lk70Tnvjchnjx004uyefbcU3t
Malware Config
Signatures

Detect Xworm Payload (2 IoCs)
- resource: behavioral1/memory/2512-2-0x0000000004710000-0x0000000004778000-memory.dmp; yara_rule: family_xworm
- resource: behavioral1/memory/2512-5-0x0000000004780000-0x00000000047E8000-memory.dmp; yara_rule: family_xworm

Detect ZGRat V1 (2 IoCs)
- resource: behavioral1/memory/2512-2-0x0000000004710000-0x0000000004778000-memory.dmp; yara_rule: family_zgrat_v1
- resource: behavioral1/memory/2512-5-0x0000000004780000-0x00000000047E8000-memory.dmp; yara_rule: family_zgrat_v1
.NET Reactor protector (2 IoCs)
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- resource: behavioral1/memory/2512-2-0x0000000004710000-0x0000000004778000-memory.dmp; yara_rule: net_reactor
- resource: behavioral1/memory/2512-5-0x0000000004780000-0x00000000047E8000-memory.dmp; yara_rule: net_reactor
Drops startup file (2 IoCs)
- description: File created; ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\taskscheder.lnk; Process: x.exe
- description: File opened for modification; ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\taskscheder.lnk; Process: x.exe

Executes dropped EXE (2 IoCs)
- pid: 1352; Process: taskscheder.exe
- pid: 944; Process: taskscheder.exe

Loads dropped DLL (1 IoC)
- pid: 2512; Process: x.exe

Adds Run key to start application (2 TTPs, 1 IoC)
- description: Set value (str); ioc: \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskscheder = "C:\\Users\\Admin\\AppData\\Roaming\\taskscheder.exe"; Process: x.exe

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
- flow: 2; ioc: ip-api.com

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- pid: 456; Process: schtasks.exe

Suspicious behavior: AddClipboardFormatListener (1 IoC)
- pid: 2512; Process: x.exe

Suspicious behavior: EnumeratesProcesses (5 IoCs)
- pid: 2792; Process: powershell.exe
- pid: 2580; Process: powershell.exe
- pid: 1948; Process: powershell.exe
- pid: 1640; Process: powershell.exe
- pid: 2512; Process: x.exe

Suspicious use of AdjustPrivilegeToken (8 IoCs)
- description: Token: SeDebugPrivilege; pid: 2512; Process: x.exe
- description: Token: SeDebugPrivilege; pid: 2792; Process: powershell.exe
- description: Token: SeDebugPrivilege; pid: 2580; Process: powershell.exe
- description: Token: SeDebugPrivilege; pid: 1948; Process: powershell.exe
- description: Token: SeDebugPrivilege; pid: 1640; Process: powershell.exe
- description: Token: SeDebugPrivilege; pid: 2512; Process: x.exe
- description: Token: SeDebugPrivilege; pid: 1352; Process: taskscheder.exe
- description: Token: SeDebugPrivilege; pid: 944; Process: taskscheder.exe

Suspicious use of SetWindowsHookEx (1 IoC)
- pid: 2512; Process: x.exe

Suspicious use of WriteProcessMemory (28 IoCs; each row below was recorded 4 times)
- description: PID 2512 wrote to memory of 2792; pid: 2512; Process: x.exe; procid_target: 29
- description: PID 2512 wrote to memory of 2580; pid: 2512; Process: x.exe; procid_target: 32
- description: PID 2512 wrote to memory of 1948; pid: 2512; Process: x.exe; procid_target: 34
- description: PID 2512 wrote to memory of 1640; pid: 2512; Process: x.exe; procid_target: 36
- description: PID 2512 wrote to memory of 456; pid: 2512; Process: x.exe; procid_target: 37
- description: PID 620 wrote to memory of 1352; pid: 620; Process: taskeng.exe; procid_target: 40
- description: PID 620 wrote to memory of 944; pid: 620; Process: taskeng.exe; procid_target: 43
Processes

- C:\Users\Admin\AppData\Local\Temp\x.exe (PID 2512)
  Command line: "C:\Users\Admin\AppData\Local\Temp\x.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2792)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\x.exe'
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2580)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'x.exe'
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1948)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\taskscheder.exe'
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1640)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'taskscheder.exe'
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe (PID 456)
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "taskscheder" /tr "C:\Users\Admin\AppData\Roaming\taskscheder.exe"
    - Creates scheduled task(s)

- C:\Windows\system32\taskeng.exe (PID 620)
  Command line: taskeng.exe {769A50A5-E0DA-4146-9722-EC356D3F26CA} S-1-5-21-928733405-3780110381-2966456290-1000:VTILVGXH\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Roaming\taskscheder.exe (PID 1352)
    Command line: C:\Users\Admin\AppData\Roaming\taskscheder.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Roaming\taskscheder.exe (PID 944)
    Command line: C:\Users\Admin\AppData\Roaming\taskscheder.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken