Analysis

max time kernel: 6s
max time network: 150s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 24-01-2024 03:18

Static task: static1
Behavioral task: behavioral1
  Sample: a231145abbb216fb9ad0bb81c51832f5.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: a231145abbb216fb9ad0bb81c51832f5.exe
  Resource: win10v2004-20231222-en
General

Target: a231145abbb216fb9ad0bb81c51832f5.exe
Size: 92KB
MD5: a231145abbb216fb9ad0bb81c51832f5
SHA1: c93e051e8c374bbcb153b1862e6e101abb73775c
SHA256: 305817d3405f3f1d344836b74d5e04af40da8e11d5334c6401c94a3baceb34ea
SHA512: 3c67f60a04495fc14b3bdacf6d19a509c13dddcf29227696d69336878f3059bc33eb6a2183d12fd6a88c8fe0533c0787eb9599686564c061e3d500b1d34c3fcd
SSDEEP: 1536:jynazMODiSbl57b/4tXzQP8AltrOSWht1s5qXxx3M9H+NjExnCMT3JuT+d/1SWPO:jOa9Dnv7ba85OTt25x+Z6Lh1ZP/Bjvfs
Malware Config

Extracted: xworm
  Install_directory: %AppData%
  install_file: svchost.exe
  pastebin_url: https://pastebin.com/raw/TgduC2Px

Install_directory and install_file match the C:\Users\Admin\AppData\Roaming\svchost.exe copy seen in the process tree. XWorm builds that carry a pastebin_url fetch the C2 host:port from that paste at runtime instead of embedding it, so no C2 address appears in this extracted config and the operator can change it without rebuilding the sample.
Signatures

Detect Xworm Payload (2 IoCs)
  behavioral1/memory/2676-25-0x00000000001C0000-0x00000000001DA000-memory.dmp  yara_rule: family_xworm
  behavioral1/memory/2240-124-0x0000000000EE0000-0x0000000000EFA000-memory.dmp  yara_rule: family_xworm
  PID 2676 is the dropped xxnnzdq3.qbb.exe and PID 2240 is the %AppData%\svchost.exe copy started by the scheduled task, so both stages carry the XWorm payload in memory.

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Winlogon launches every comma-separated entry in the Userinit value at each interactive logon. The stock value is userinit.exe alone, so the appended path runs at every logon even if the scheduled tasks below are removed.
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\ProgramData\\Microsoft\\Windows\\Templates\\xxnnzdq3.qbb.exe"  Process: a231145abbb216fb9ad0bb81c51832f5.exe

Executes dropped EXE (1 IoC)
  PID 2676  xxnnzdq3.qbb.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP)
  Consistent with the pastebin_url in the extracted config.

Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 4  ip-api.com

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 2680  schtasks.exe
  PID 2336  schtasks.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege  PID 2676  xxnnzdq3.qbb.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  PID 780 wrote to memory of 1856   a231145abbb216fb9ad0bb81c51832f5.exe  procid_target 28  (logged 3 times)
  PID 1856 wrote to memory of 2680  CMD.exe  procid_target 29  (logged 3 times)
  PID 780 wrote to memory of 2676   a231145abbb216fb9ad0bb81c51832f5.exe  procid_target 31  (logged 3 times)

Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

Depth markers [1], [2], [3] follow the original tree; each entry shows the image, PID, full command line, then the signatures attributed to that process.

[1] C:\Users\Admin\AppData\Local\Temp\a231145abbb216fb9ad0bb81c51832f5.exe (PID 780)
    "C:\Users\Admin\AppData\Local\Temp\a231145abbb216fb9ad0bb81c51832f5.exe"
    Modifies WinLogon for persistence; Suspicious use of WriteProcessMemory

    [2] C:\Windows\system32\CMD.exe (PID 1856)
        "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "System Update" /tr "C:\ProgramData\Microsoft\Windows\Templates\xxnnzdq3.qbb.exe" & exit
        Suspicious use of WriteProcessMemory

        [3] C:\Windows\system32\schtasks.exe (PID 2680)
            SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "System Update" /tr "C:\ProgramData\Microsoft\Windows\Templates\xxnnzdq3.qbb.exe"
            Creates scheduled task(s)

    [2] C:\ProgramData\Microsoft\Windows\Templates\xxnnzdq3.qbb.exe (PID 2676)
        "C:\ProgramData\Microsoft\Windows\Templates\xxnnzdq3.qbb.exe"
        Executes dropped EXE; Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2488)
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Templates\xxnnzdq3.qbb.exe'

        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2700)
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'xxnnzdq3.qbb.exe'

        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1188)
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'

        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2704)
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'

        [3] C:\Windows\System32\schtasks.exe (PID 2336)
            "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
            Creates scheduled task(s)

[1] C:\Windows\system32\taskeng.exe (PID 1376)
    taskeng.exe {C0E66CED-1C89-4CC8-A08C-1E91B61F8665} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]

    [2] C:\Users\Admin\AppData\Roaming\svchost.exe (PID 2240)
        C:\Users\Admin\AppData\Roaming\svchost.exe

    [2] C:\Users\Admin\AppData\Roaming\svchost.exe (PID 2528)
        C:\Users\Admin\AppData\Roaming\svchost.exe

taskeng.exe is the Windows 7 task engine, so PIDs 2240 and 2528 are the "svchost" task (/sc minute /mo 1) firing; the memory dump of PID 2240 is one of the two family_xworm YARA matches above. Note the mixed-case "SchTaSKs /CrEAte /F /sc OnLoGoN" in the first task: schtasks accepts any case, so string matches on this command line must be case-insensitive. The four Add-MpPreference calls exclude both the dropped path and the %AppData%\svchost.exe install path from Defender scanning, and by process name, before the second copy is ever written.
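Detection logic for the three techniques in this run, written here as an added example that is not part of the original report or of the sandbox's own code. It scans process-creation and registry-write events constructed from the process tree and the Winlogon IoC above (the event shape {pid, cmdline} / {pid, key, value, data}, the benign "Nightly Backup" control task and the PID 9001 default Userinit write are assumptions for illustration), lower-cases every switch so the "SchTaSKs /CrEAte" spelling does not evade matching, and flags: a schtasks /create whose /tr target lives in a user-writable directory, any Add-MpPreference exclusion, and any Userinit entry beyond userinit.exe.

```python
"""Detect Winlogon\\Userinit tampering, schtasks /create into user-writable
paths, and Defender exclusions added via Add-MpPreference.
Sample events are constructed from the sandbox report; their shape is assumed."""
import re

# Directories a standard user can write to; a logon hook or task launching a
# binary from one of these is the anchor condition for the task rule.
USER_WRITABLE = ("\\programdata\\", "\\appdata\\", "\\temp\\", "\\users\\public\\")
EXPECTED_USERINIT = "c:\\windows\\system32\\userinit.exe"

PROCESS_EVENTS = [  # constructed from the Processes tree above
    {"pid": 1856, "cmdline": r'"CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "System Update" /tr "C:\ProgramData\Microsoft\Windows\Templates\xxnnzdq3.qbb.exe" & exit'},
    {"pid": 2680, "cmdline": r'SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "System Update" /tr "C:\ProgramData\Microsoft\Windows\Templates\xxnnzdq3.qbb.exe"'},
    {"pid": 2488, "cmdline": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Templates\xxnnzdq3.qbb.exe'"},
    {"pid": 2700, "cmdline": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'xxnnzdq3.qbb.exe'"},
    {"pid": 1188, "cmdline": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'"},
    {"pid": 2704, "cmdline": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'"},
    {"pid": 2336, "cmdline": r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"'},
    # Assumed benign control, not from the report: a task run from Program Files.
    {"pid": 4100, "cmdline": r'schtasks /create /tn "Nightly Backup" /sc daily /st 02:00 /tr "C:\Program Files\Backup\backup.exe"'},
]
REGISTRY_EVENTS = [  # the Winlogon IoC above, plus an assumed benign default write
    {"pid": 780, "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "value": "Userinit",
     "data": r"C:\Windows\System32\userinit.exe,C:\ProgramData\Microsoft\Windows\Templates\xxnnzdq3.qbb.exe"},
    {"pid": 9001, "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "value": "Userinit",
     "data": r"C:\Windows\system32\userinit.exe,"},
]


def tokenize(cmdline):
    """Split a Windows command line, keeping double-quoted arguments whole."""
    return [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def parse_switches(tokens):
    """Map /switch -> following value (True for bare flags), keys lower-cased."""
    opts, i = {}, 0
    while i < len(tokens):
        t = tokens[i]
        if t.startswith("/"):
            nxt = tokens[i + 1] if i + 1 < len(tokens) else None
            if nxt is not None and not nxt.startswith("/"):
                opts[t.lower()] = nxt
                i += 2
                continue
            opts[t.lower()] = True
        i += 1
    return opts


def check_schtasks(ev):
    """Return a reason string for a schtasks /create into a user-writable path, else None."""
    tokens = tokenize(ev["cmdline"])
    names = {t.lower().rsplit("\\", 1)[-1] for t in tokens}
    if not names & {"schtasks", "schtasks.exe"}:
        return None
    opts = parse_switches(tokens)
    if "/create" not in opts:
        return None
    target = str(opts.get("/tr", "")).strip("'\"").lower()
    if not any(d in target for d in USER_WRITABLE):
        return None
    reasons = ["task runs from user-writable path " + target]
    if str(opts.get("/rl", "")).lower() == "highest":
        reasons.append("/rl highest requested")
    sched = str(opts.get("/sc", "")).lower()
    if sched == "minute":
        reasons.append("runs every %s minute(s)" % opts.get("/mo", "?"))
    elif sched == "onlogon":
        reasons.append("onlogon trigger")
    return "; ".join(reasons)


def check_defender_exclusion(ev):
    """Return a description of an Add-MpPreference exclusion on the command line, else None."""
    low = ev["cmdline"].lower()
    if "add-mppreference" not in low:
        return None
    m = re.search(r"-exclusion(path|process|extension)\s+['\"]?([^'\"\s]+)", low)
    return "Defender exclusion (%s) for %s" % (m.group(1), m.group(2)) if m else None


def check_userinit(ev):
    """Return the extra Userinit entries winlogon would run at logon, else None."""
    if not (ev["key"].lower().endswith("\\winlogon") and ev["value"].lower() == "userinit"):
        return None
    entries = [e.strip().lower() for e in ev["data"].split(",") if e.strip()]
    extra = [e for e in entries if e != EXPECTED_USERINIT]
    return "extra Userinit entries run at logon: " + ", ".join(extra) if extra else None


def scan(process_events, registry_events):
    """Run all three rules; return a list of {pid, rule, detail} findings."""
    findings = []
    for ev in process_events:
        for rule, check in (("schtasks_suspicious_create", check_schtasks),
                            ("defender_exclusion_added", check_defender_exclusion)):
            detail = check(ev)
            if detail:
                findings.append({"pid": ev["pid"], "rule": rule, "detail": detail})
    for ev in registry_events:
        detail = check_userinit(ev)
        if detail:
            findings.append({"pid": ev["pid"], "rule": "winlogon_userinit_tamper", "detail": detail})
    return findings


def flagged_pids(findings, rule):
    """PIDs that triggered a given rule."""
    return {f["pid"] for f in findings if f["rule"] == rule}


if __name__ == "__main__":
    for f in scan(PROCESS_EVENTS, REGISTRY_EVENTS):
        print(f["pid"], f["rule"], f["detail"])
```

Both the CMD wrapper (PID 1856) and the real schtasks.exe (PID 2680) are flagged because the rule keys on the command line rather than the image, which is what you want when the wrapper is the only event your telemetry captured. The exclusion rule only sees exclusions passed on the command line; an attacker who moves the Add-MpPreference call into a script file or an encoded command hides it from this check, so pair it with event 5007 (configuration change) in the Microsoft-Windows-Windows Defender/Operational log.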
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 541KB
  MD5: d31db17a6fd4962a7bf7253eaa6e416f
  SHA1: 930c6fe6d67104491be90d84eaa78344f6e78b90
  SHA256: 34c404c847bbeb85192d3b7e9fd556cedc06ea5b42a4d6fcc4c846e6f623265c
  SHA512: 42b23a54c1cfacf6be5f73fd5f46da7ccfff15a0c11322758595385aae773e8a0b1e58ab73f9e325d1f5b70f6bd89237894ae7b238e1bde16ef24305085a1262

Filesize: 279KB
  MD5: a7e25e7c6f1f7b46aabbf29691db97c4
  SHA1: 73f7c81e71e88b64c7f5e13b6ce714ef4f0677b6
  SHA256: fb0aacdda8c2cf495c138919c558c3e5606685fd09ea1e780a1007da8caf57b3
  SHA512: 73bdcca80656ea2dcfad5df6db3309713cb2f181b0ab8ba9786cf22aca3d96ec8dffc1d39edbebd73ae55ba3b01c7866316f3d7d6f4ecb1d16f659c3fe3b5e7e

Filesize: 407KB
  MD5: 9eebc73cf24aad165b5d5c7e08e8eb19
  SHA1: e1936d1a8e9c2825b8c59cd459baabe2d8fe69d8
  SHA256: 1ac931778ab5027e60e207f29852378498b7af6387d368999e88d746e7a33382
  SHA512: fa4e52be7890a373ef9f4f308cfa110f33878a95a0a6913f01fee1210969722e07fead733c60f3baa2df3b92704cf15fc59889854b9ef53cbc4cf3a77e4450cd

Filesize: 65KB
  MD5: ac05d27423a85adc1622c714f2cb6184
  SHA1: b0fe2b1abddb97837ea0195be70ab2ff14d43198
  SHA256: c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
  SHA512: 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Filesize: 137KB
  MD5: 36faa4bc54a632caa1f257a70dd49630
  SHA1: d2f206b11d348265e86981f0afd810b859935a6f
  SHA256: c11042e1beb524107d62c922558c015394765d87e8492e129ffc5277a1d03b7e
  SHA512: 8a94921cabd0da11da779cf178ad8a2dd5e6e562057a920daad305a6ff7223ef56fbe8cd71f009b9f4f8266739ad06950c289f2f924d59cc78ff5a809d5a3f62

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3039UPTQJ4G6NE6WNJWE.temp
  Filesize: 1KB
  MD5: e5d1b6b6872fa3b087179e93c05d98b9
  SHA1: 93f59f7f86582016ec0114769b01ece5dc2b0e16
  SHA256: f2b64ce58a9dd6d624463e0c7545feb3facdbce217eaf38f92ed5c5a5db6e511
  SHA512: 8ca393c05dd956aef02c276c95fe6bf93add2001cc13ab78d1583e79946c3d76cfe8c95ac08558f18bc6122a94f7c513eedd440bafb3afeed3611d9039d2c218

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: c6c5b8649bd6cd640318c567b70b2045
  SHA1: 26544bb3eafd426100a5233f7d5520fea32b43e5
  SHA256: 2045da77ff4e8f9d7c8d3c50f80afb72353bef36b26c12b9bbe0a823d2f90978
  SHA512: 8a768ad5e0b7c4c56b07adde99f49bf552fefea621292841dd4c66b41b060275b04c7fa7b1c77fbed195b32831924decc41b93c02ff01f3754c84adbaa4c7aed

Filesize: 763KB
  MD5: cbf6d46f2ed7c01204266172b022fd97
  SHA1: d8195435ab66bb64ee4ccbf68403ae09b4bb3314
  SHA256: fd00538f78e72004a59bca40fd5fb1e4e4c370de1a85c2fed394af14d6f16720
  SHA512: 7981482b232814f65dc57d75acbe74399bd64c9942fb98853c8e8bb11b8f5ea3da65e6b2250e16381b07e835254eb3ec4322e7438640572a7319575fc5da3d5c

Filesize: 535KB
  MD5: 2e6fb5bf500e4049dc0ac9f8d7377582
  SHA1: b91a98c85d4b0cb8fbd35f26d9f0a033bc64ddfc
  SHA256: aa78e1200ec37b189c7cb211caa82fb535dc974f33637699136321be1ef39e86
  SHA512: f90d7084473102a85624c520532dea40282cb3b908b855b516349e737c5ffd1b752436aa5e0f64b01661804319e5ab95a1a245e138d415f66537a39e7f256033

Filesize: 104KB
  MD5: 8a959e5cf948ab7fdf5e4ff5895eb2c4
  SHA1: c79dacda4b0adfc6eeab39e857bdfa73c21da11d
  SHA256: 8b1cd14028042b36993f97fb23e4e15738360c8133b0ab19fd0c85362c73fd55
  SHA512: a8844f2fa8c132c4f1ee7d9f6cb59e3626e87d95eced3299a0f53715633c8c599ae74d748761d2f9dd97e9efd2895069eb5b769f56fc2bc6c8b0085c4ab785ce