Analysis
- max time kernel: 39s
- max time network: 45s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12-02-2024 17:42
Static task: static1
Behavioral task: behavioral1
- Sample: Loader1.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: Loader1.exe
- Resource: win10v2004-20231215-en
General
- Target: Loader1.exe
- Size: 119KB
- MD5: 991c63fffe62b6b237cad9203c5ef6eb
- SHA1: 36aa371799529fc70bbcc9a645eb15929fa06de2
- SHA256: 250eda084776cd02c04ab1dfcffde5555218310351b9c88258f7236df10aeda0
- SHA512: b6b76ee6c21c35a4c1f10d33094e7340aef38646baaafcc86eb29385b29e89ebabf2626af3cd53ab115c4ce564c74052d4aa65d270e4a6e54e5e724646d8e432
- SSDEEP: 3072:VHlQLfyczsS2sJYnZwGrVYTGX8YhmMa0RYRitL:VHlcfTzD1OnOXGMJgRWi
Malware Config
Extracted
- Family: xworm
- C2: expected-identifies.gl.at.ply.gg:28789
- Install_directory: %ProgramData%
- install_file: svchost.exe
The C2 host is a *.ply.gg name, that is a playit.gg tunnel endpoint: the operator's real address sits behind the tunnel service, so the hostname and port, rather than whatever IP it resolves to at the time, are the indicators worth blocking and hunting for. Install_directory and install_file together give the on-disk path C:\ProgramData\svchost.exe that the Run key, the scheduled task and the Startup shortcut recorded below all point at.
Signatures
- Detect Xworm Payload (2 IoCs)
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\RunBeforeXLoader.exe | family_xworm
  behavioral2/memory/232-22-0x0000000000AE0000-0x0000000000AF8000-memory.dmp | family_xworm
  The second hit is a memory dump of PID 232 (RunBeforeXLoader.exe) covering 0x0000000000AE0000-0x0000000000AF8000, so the XWorm payload is identified both on disk as the dropped file and in that process's memory.
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation | Loader1.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation | RunBeforeXLoader.exe
- Drops startup file (2 IoCs)
  description | ioc | process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | RunBeforeXLoader.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | RunBeforeXLoader.exe
- Executes dropped EXE (3 IoCs)
  pid | process
  5048 | Loader.exe
  232 | RunBeforeXLoader.exe
  4728 | svchost.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\ProgramData\\svchost.exe" | RunBeforeXLoader.exe
- Drops file in Windows directory (1 IoCs)
  description | ioc | process
  File created | C:\Windows\Loader.exe | Loader1.exe
  Creating a file directly under C:\Windows needs administrative rights; it succeeds here because the sandbox runs the sample as the Admin user, and on a standard user account this drop would fail.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoCs)
  pid | pid_target | process | target process
  2460 | 5048 | WerFault.exe | Loader.exe
  The process that crashed is the dropped C:\Windows\Loader.exe, not the XWorm chain: RunBeforeXLoader.exe and the installed C:\ProgramData\svchost.exe both still execute.
- Creates scheduled task(s) (1 TTP, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Here the task named "svchost" runs C:\ProgramData\svchost.exe every minute (/sc minute /mo 1) at the highest run level available to the creating account (/RL HIGHEST), and /f silently overwrites any existing task of that name. Together with the Run key and the Startup shortcut this is the third persistence mechanism pointing at the same binary, so removing only one of them leaves the implant in place.
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid | process
  232 | RunBeforeXLoader.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 232 | RunBeforeXLoader.exe
  Token: SeDebugPrivilege | 232 | RunBeforeXLoader.exe
  Token: SeDebugPrivilege | 4728 | svchost.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  pid | process
  232 | RunBeforeXLoader.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  description | pid | process | target process
  PID 5004 wrote to memory of 5048 | 5004 | Loader1.exe | Loader.exe
  PID 5004 wrote to memory of 5048 | 5004 | Loader1.exe | Loader.exe
  PID 5004 wrote to memory of 5048 | 5004 | Loader1.exe | Loader.exe
  PID 5004 wrote to memory of 232 | 5004 | Loader1.exe | RunBeforeXLoader.exe
  PID 5004 wrote to memory of 232 | 5004 | Loader1.exe | RunBeforeXLoader.exe
  PID 232 wrote to memory of 4484 | 232 | RunBeforeXLoader.exe | schtasks.exe
  PID 232 wrote to memory of 4484 | 232 | RunBeforeXLoader.exe | schtasks.exe
  Every one of the seven writes goes from a parent into a child it has just created, which is what CreateProcess itself does to set up the new process; no write into an unrelated process is recorded, so on its own this signature is not evidence of code injection here.
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\Loader1.exe (PID 5004), command line: "C:\Users\Admin\AppData\Local\Temp\Loader1.exe"
  - Checks computer location settings
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Loader.exe (PID 5048), command line: "C:\Windows\Loader.exe"
    - Executes dropped EXE
    - C:\Windows\SysWOW64\WerFault.exe (PID 2460), command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 1064
      - Program crash
  - C:\Users\Admin\AppData\Local\Temp\RunBeforeXLoader.exe (PID 232), command line: "C:\Users\Admin\AppData\Local\Temp\RunBeforeXLoader.exe"
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\schtasks.exe (PID 4484), command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\ProgramData\svchost.exe"
      - Creates scheduled task(s)
- C:\Windows\SysWOW64\WerFault.exe (PID 1292), command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5048 -ip 5048
- C:\ProgramData\svchost.exe (PID 4728), command line: C:\ProgramData\svchost.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
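The persistence chain recorded above (a scheduled task re-launching every minute at the highest run level, a Run key, a Startup shortcut, and a binary named svchost.exe living in C:\ProgramData instead of System32) can be turned into host-log detection logic. The Python below is an added example, not the sandbox's rule set and not code from the sample. It runs over Sysmon-style events constructed here from the report's process tree, registry and file activity; the list of masqueraded system binary names, the event field names and the "/mo at most 5" threshold are this example's own assumptions.

```python
"""Detection logic for the persistence chain in the report above.

The events are constructed Sysmon-style records mirroring the report's findings;
none of this is the sandbox's own rule set or code from the sample."""
import re
from typing import Dict, List

# Assumed list of system binary names that malware copies to masquerade as.
SYSTEM_BINARY_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe", "explorer.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?$", re.I)
STARTUP_LNK_RE = re.compile(r"\\start menu\\programs\\startup\\([^\\]+)\.lnk$", re.I)
GEO_NATION_RE = re.compile(r"\\control panel\\international\\geo\\nation$", re.I)
HKU = r"\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000"  # SID from the report

# Constructed events in report order: geofence lookup, task creation, Run key, Startup .lnk, implant start.
REPORT_EVENTS = [
    {"type": "registry_query", "pid": 5004, "image": r"C:\Users\Admin\AppData\Local\Temp\Loader1.exe",
     "key": HKU + r"\Control Panel\International\Geo\Nation"},
    {"type": "process_create", "pid": 4484, "ppid": 232, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\ProgramData\svchost.exe"'},
    {"type": "registry_set", "pid": 232, "key": HKU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value": "svchost", "data": r"C:\ProgramData\svchost.exe"},
    {"type": "file_create", "pid": 232,
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk"},
    {"type": "process_create", "pid": 4728, "ppid": 0, "image": r"C:\ProgramData\svchost.exe",
     "cmdline": r"C:\ProgramData\svchost.exe"},
]

# Constructed benign activity that must stay quiet: the real svchost, a daily task, a normal autorun.
BENIGN_EVENTS = [
    {"type": "process_create", "pid": 1000, "ppid": 800, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
    {"type": "process_create", "pid": 1001, "ppid": 900, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc daily /st 02:00 /tn "NightlyBackup" /tr "C:\Tools\backup.exe"'},
    {"type": "registry_set", "pid": 1002, "key": HKU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value": "OneDrive", "data": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line into arguments, keeping double-quoted arguments whole."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def parse_schtasks(cmdline: str) -> Dict[str, str]:
    """Map each schtasks /switch to its argument (lower-case keys; bare flags such as /f map to '')."""
    tokens = tokenize(cmdline)
    opts: Dict[str, str] = {}
    i = 1  # tokens[0] is the schtasks binary itself
    while i < len(tokens):
        if tokens[i].startswith("/"):
            has_arg = i + 1 < len(tokens) and not tokens[i + 1].startswith("/")
            opts[tokens[i][1:].lower()] = tokens[i + 1] if has_arg else ""
            i += 2 if has_arg else 1
        else:
            i += 1
    return opts


def masquerades_system_binary(path: str) -> bool:
    """True for a well-known system binary name that lives outside System32/SysWOW64."""
    tokens = tokenize(path)
    if not tokens:
        return False
    exe = tokens[0].lower()  # drop any trailing arguments, as in a Run value
    return exe.rsplit("\\", 1)[-1] in SYSTEM_BINARY_NAMES and not exe.startswith(SYSTEM_DIRS)


def detect(events: List[dict]) -> List[dict]:
    """Apply the report-derived rules and return one finding per hit, in event order."""
    findings: List[dict] = []
    for ev in events:
        kind = ev["type"]
        if kind == "process_create" and ev["image"].lower().endswith("\\schtasks.exe"):
            opts = parse_schtasks(ev["cmdline"])
            if "create" not in opts:
                continue
            reasons = []
            mo = opts.get("mo") or "1"  # schtasks defaults /mo to 1 for /sc minute
            if opts.get("sc", "").lower() == "minute" and mo.isdigit() and int(mo) <= 5:
                reasons.append("high_frequency")  # a re-launch loop, not a scheduled job
            if opts.get("rl", "").lower() == "highest":
                reasons.append("highest_privilege")
            if masquerades_system_binary(opts.get("tr", "")):
                reasons.append("masquerading_target")
            if reasons:
                findings.append({"rule": "suspicious_scheduled_task", "pid": ev["pid"],
                                 "task": opts.get("tn"), "reasons": reasons})
        elif kind == "process_create" and masquerades_system_binary(ev["image"]):
            findings.append({"rule": "masquerading_process", "pid": ev["pid"], "image": ev["image"]})
        elif kind == "registry_set" and RUN_KEY_RE.search(ev["key"]) and masquerades_system_binary(ev["data"]):
            findings.append({"rule": "run_key_persistence", "pid": ev["pid"],
                             "value": ev["value"], "data": ev["data"]})
        elif kind == "file_create":
            m = STARTUP_LNK_RE.search(ev["path"])
            if m and m.group(1).lower() + ".exe" in SYSTEM_BINARY_NAMES:
                findings.append({"rule": "startup_folder_lnk", "pid": ev["pid"], "path": ev["path"]})
        elif kind == "registry_query" and GEO_NATION_RE.search(ev["key"]):
            # Weak on its own (installers read this too); useful only correlated with the rules above.
            findings.append({"rule": "geo_nation_lookup", "pid": ev["pid"], "image": ev["image"]})
    return findings


if __name__ == "__main__":
    for finding in detect(REPORT_EVENTS + BENIGN_EVENTS):
        print(finding)
```

The scheduled-task rule reports why it fired rather than a single boolean, because each reason has a different false-positive profile: /sc minute with a small /mo is rare in legitimate software, /RL HIGHEST is common in installers, and a masquerading /tr target is close to conclusive by itself. The Geo\Nation lookup is kept as an informational finding so it can be correlated with the same PID tree rather than alerted on alone.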
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 73KB
  MD5: 312382a33d486601306789a01d0003d4
  SHA1: feaafd132fbc62a481c20c29831f5184821cf23d
  SHA256: c62a66fef3933991b01074a3ce881ff87ac605eed8d4b34fa0c98ac5f987d136
  SHA512: 58092c4affe2ebb0e47c5fe0a51fc41cf2652b7f29fa1fe5c9cbbe19b427dda85e6b8d4ddec69f543e0a3cfb3cae19820a04d9c789ef56c9e9253bd3584db59c
- Filesize: 40KB
  MD5: 625a931cad6e8da72f1bbf3c37d65aa0
  SHA1: 2d54ebbe1691eeb0b097d0d0b0c5b071e30158c9
  SHA256: c3cca8cdf2c5039022983f9f578f5474766c682caa3ecc3bb853269136e7e41d
  SHA512: a961cb80b72908f7dd7e5897102bae75e2326b39b2eef68f1c3c8dcfea16ff666acd082a5e7114909da87b5f45369c920eaf0e47b1a3259b38aa303ab41d340b