Analysis
max time kernel: 149s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/03/2024, 23:07
Static task: static1 (1 signatures)
Behavioral task: behavioral1
  Sample: tmp.exe
  Resource: win7-20240221-en
  2 signatures, 150 seconds
Behavioral task: behavioral2
  Sample: tmp.exe
  Resource: win10v2004-20240226-en
  9 signatures, 150 seconds
General
Target: tmp.exe
Size: 14KB
MD5: e34f469b24a30e7a056e47f90b1d722d
SHA1: 5f7d963e8b7d2fcd75a4374f2da02672754f57b8
SHA256: ab1c952a12e853bd77e417cd98b3cc4a1310a0f61c93f37f657a4724545a06f2
SHA512: f37f02a19dea8d1a818df6534f953d8d1a470151c6a57da4d3d10b3e03fdf8abeeaa17e10ffa4c80c5f618749230e56b795855b638d218b02fda9adc29289df5
SSDEEP: 384:3R0wqwlbU/TN2qKGq7O/aC+s39wPS6Vz/:3RxuTB/H9wPS6B
Score: 10/10
Malware Config
Extracted
Family: xworm
C2: new-coder.cc:7536
Attributes:
  Install_directory: %ProgramData%
  install_file: SecurityHealthSystray.exe
Signatures

Detect Xworm Payload (2 IoCs)
  resource | yara_rule
  behavioral2/memory/3388-6-0x00000000033E0000-0x00000000033FC000-memory.dmp | family_xworm
  behavioral2/memory/3388-8-0x00000000094C0000-0x00000000094D0000-memory.dmp | family_xworm

Drops startup file (2 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecurityHealthSystray.lnk | Explorer.EXE
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecurityHealthSystray.lnk | Explorer.EXE

Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray = "C:\\ProgramData\\SecurityHealthSystray.exe" | Explorer.EXE

Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  pid | Process
  3388 | Explorer.EXE

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  4184 | tmp.exe
  3388 | Explorer.EXE

Suspicious use of AdjustPrivilegeToken (6 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 4184 | tmp.exe
  Token: SeShutdownPrivilege | 3388 | Explorer.EXE
  Token: SeCreatePagefilePrivilege | 3388 | Explorer.EXE
  Token: SeShutdownPrivilege | 3388 | Explorer.EXE
  Token: SeCreatePagefilePrivilege | 3388 | Explorer.EXE
  Token: SeDebugPrivilege | 3388 | Explorer.EXE

Suspicious use of SetWindowsHookEx (1 IoCs)
  pid | Process
  3388 | Explorer.EXE

Suspicious use of WriteProcessMemory (1 IoCs)
  description | pid | Process | procid_target
  PID 4184 wrote to memory of 3388 | 4184 | tmp.exe | 56
Processes

1. C:\Windows\Explorer.EXE
   Command line: C:\Windows\Explorer.EXE
   PID: 3388
   - Drops startup file
   - Adds Run key to start application
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of SetWindowsHookEx

   2. C:\Users\Admin\AppData\Local\Temp\tmp.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
      PID: 4184
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory