Analysis
- max time kernel: 1523s
- max time network: 1562s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 25-01-2024 00:54
Static task: static1
Behavioral task: behavioral1
- Sample: ttd_scam_tool_api.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: ttd_scam_tool_api.exe
- Resource: win10v2004-20231215-en
General
- Target: ttd_scam_tool_api.exe
- Size: 134.0MB
- MD5: 6ae4dad56fcd74438d8af1757d7f33eb
- SHA1: f7ebe503c1946803f4ab1396e633bfffdce75c39
- SHA256: 7407aaf1912fe74b954790db86481e9f71b69d9ceb5da210366052c64cdf295a
- SHA512: 3a86f8f1b9e8e5629a1f6097b8ca25905676cabd6083116e5c3a545b728e37ffe53f25571c86ca97f9727cebd5bf9a33250027af703728c3b94beb5de7a508dc
- SSDEEP: 1536:nfEMGNYm3LveC4lOJqrkbH4HMAa7n6wBmMOQbY:8zGplOYrkbHj3sMOQk
Malware Config
Extracted: xworm
- 147.185.221.16:40164
- install_file: tmp.exe
Signatures
- Contains code to disable Windows Defender (1 IoC)
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
  Processes (resource | yara_rule):
  - behavioral1/memory/1652-35-0x0000000000B40000-0x0000000000B4E000-memory.dmp | disable_win_def
- Detect Xworm Payload (1 IoC)
  Processes (resource | yara_rule):
  - behavioral1/memory/1652-0-0x0000000000F90000-0x0000000000FA4000-memory.dmp | family_xworm
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid | process):
  - 2968 | powershell.exe
  - 2604 | powershell.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes (pid | process):
  - 1652 | ttd_scam_tool_api.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes (description | pid | process):
  - Token: SeDebugPrivilege | 1652 | ttd_scam_tool_api.exe
  - Token: SeDebugPrivilege | 2968 | powershell.exe
  - Token: SeDebugPrivilege | 2604 | powershell.exe
  - Token: SeShutdownPrivilege | 1652 | ttd_scam_tool_api.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description | pid | process | target process):
  - PID 1652 wrote to memory of 2968 | 1652 | ttd_scam_tool_api.exe | powershell.exe
  - PID 1652 wrote to memory of 2968 | 1652 | ttd_scam_tool_api.exe | powershell.exe
  - PID 1652 wrote to memory of 2968 | 1652 | ttd_scam_tool_api.exe | powershell.exe
  - PID 1652 wrote to memory of 2604 | 1652 | ttd_scam_tool_api.exe | powershell.exe
  - PID 1652 wrote to memory of 2604 | 1652 | ttd_scam_tool_api.exe | powershell.exe
  - PID 1652 wrote to memory of 2604 | 1652 | ttd_scam_tool_api.exe | powershell.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\ttd_scam_tool_api.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ttd_scam_tool_api.exe"
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1652
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ttd_scam_tool_api.exe'
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2968
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ttd_scam_tool_api.exe'
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2604
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\E3G8JDFMUNIKLXV6Y8EH.temp
  - Filesize: 7KB
  - MD5: 5b1903b19946c3db6820fbf0b43e9a73
  - SHA1: 41b840d326e26f6ff249967a90fe5808acb62a37
  - SHA256: 582b2dbee88f3674c9b547082970ecd881ebeabf88da85f6b55944839fd7d0f3
  - SHA512: e9b142c483109eed32ed168fd82f61addac38d8283c0b7f5849cfaaa52d6577ba32ea8089eb42dbca5b45d6cd6d18c6a60c9677d599bc6e221a403e17f6e5a51