Analysis
- Max time kernel: 30s
- Max time network: 28s
- Platform: windows7_x64
- Resource: win7-20231129-en
- Resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- Submitted: 12-02-2024 17:42

Static task: static1

Behavioral task: behavioral1
- Sample: Loader1.exe
- Resource: win7-20231129-en

Behavioral task: behavioral2
- Sample: Loader1.exe
- Resource: win10v2004-20231215-en
General
- Target: Loader1.exe
- Size: 119KB
- MD5: 991c63fffe62b6b237cad9203c5ef6eb
- SHA1: 36aa371799529fc70bbcc9a645eb15929fa06de2
- SHA256: 250eda084776cd02c04ab1dfcffde5555218310351b9c88258f7236df10aeda0
- SHA512: b6b76ee6c21c35a4c1f10d33094e7340aef38646baaafcc86eb29385b29e89ebabf2626af3cd53ab115c4ce564c74052d4aa65d270e4a6e54e5e724646d8e432
- SSDEEP: 3072:VHlQLfyczsS2sJYnZwGrVYTGX8YhmMa0RYRitL:VHlcfTzD1OnOXGMJgRWi

Malware Config
Extracted: xworm
- expected-identifies.gl.at.ply.gg:28789
- Install_directory: %ProgramData%
- install_file: svchost.exe
Signatures
- Detect Xworm Payload (2 IoCs)
  YARA rule family_xworm matched resource: \Users\Admin\AppData\Local\Temp\RunBeforeXLoader.exe
  YARA rule family_xworm matched resource: behavioral1/memory/3012-14-0x0000000000850000-0x0000000000868000-memory.dmp
- Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk (RunBeforeXLoader.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk (RunBeforeXLoader.exe)
- Executes dropped EXE (2 IoCs)
  PID 2380 Loader.exe
  PID 3012 RunBeforeXLoader.exe
- Loads dropped DLL (1 IoC)
  PID 2880 Loader1.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\ProgramData\\svchost.exe" (RunBeforeXLoader.exe)
- Drops file in Windows directory (1 IoC)
  File created: C:\Windows\Loader.exe (Loader1.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  PID 2408 WerFault.exe, target PID 2380 Loader.exe
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Delays execution with timeout.exe (1 IoC)
  PID 1668 timeout.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID 3012 RunBeforeXLoader.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 3012 RunBeforeXLoader.exe
  Token: SeDebugPrivilege, PID 3012 RunBeforeXLoader.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  PID 3012 RunBeforeXLoader.exe
- Suspicious use of WriteProcessMemory (24 IoCs)
  PID 2880 (Loader1.exe) wrote to memory of PID 2380 (Loader.exe), 4 events
  PID 2880 (Loader1.exe) wrote to memory of PID 3012 (RunBeforeXLoader.exe), 4 events
  PID 2380 (Loader.exe) wrote to memory of PID 2408 (WerFault.exe), 4 events
  PID 3012 (RunBeforeXLoader.exe) wrote to memory of PID 2696 (schtasks.exe), 3 events
  PID 3012 (RunBeforeXLoader.exe) wrote to memory of PID 1188 (schtasks.exe), 3 events
  PID 3012 (RunBeforeXLoader.exe) wrote to memory of PID 1844 (cmd.exe), 3 events
  PID 1844 (cmd.exe) wrote to memory of PID 1668 (timeout.exe), 3 events
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\Loader1.exe (PID 2880)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Loader1.exe"
  Signatures: Loads dropped DLL; Drops file in Windows directory; Suspicious use of WriteProcessMemory
  - C:\Windows\Loader.exe (PID 2380)
    Command line: "C:\Windows\Loader.exe"
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe (PID 2408)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 624
      Signatures: Program crash
  - C:\Users\Admin\AppData\Local\Temp\RunBeforeXLoader.exe (PID 3012)
    Command line: "C:\Users\Admin\AppData\Local\Temp\RunBeforeXLoader.exe"
    Signatures: Drops startup file; Executes dropped EXE; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\schtasks.exe (PID 2696)
      Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\ProgramData\svchost.exe"
      Signatures: Creates scheduled task(s)
    - C:\Windows\System32\schtasks.exe (PID 1188)
      Command line: "C:\Windows\System32\schtasks.exe" /delete /f /tn "svchost"
    - C:\Windows\system32\cmd.exe (PID 1844)
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp732D.tmp.bat""
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\timeout.exe (PID 1668)
        Command line: timeout 3
        Signatures: Delays execution with timeout.exe
Network
MITRE ATT&CK Enterprise v15
Downloads