Analysis
-
max time kernel
163s -
max time network
170s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
12-03-2024 02:40
Static task
static1
Behavioral task
behavioral1
Sample
585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe
Resource
win10v2004-20240226-en
General
-
Target
585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe
-
Size
419KB
-
MD5
8a716466aa6f2d425ec09770626e8e54
-
SHA1
62fb757ea5098651331f91c1664db9fe46b21879
-
SHA256
585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815
-
SHA512
54f11067e400347834689b4532ae53b00ec96a3ca90a2c21de27942f4ca30306fdda0522c1a3a4cde047ad650162e2d8313205220acaab4cc60e010965690940
-
SSDEEP
6144:QTCsE3O4yuS5O0RBOInaCa6G6ypdf4Bf7e/DnjBeq04fVXOUvE0CGsSE9BLM:2E3O5uOO0mInnGZCTS84fZLtw
Malware Config
Extracted
xworm
5.0
5.182.87.154:7000
VMFidhoqn75fm5lJ
-
Install_directory
%Temp%
-
install_file
mdnsresp.exe
Signatures
-
Detect Xworm Payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/2648-10-0x0000000000400000-0x0000000000410000-memory.dmp family_xworm -
PureLog Stealer
PureLog Stealer is an infostealer written in C#.
-
PureLog Stealer payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/3444-6-0x00000000057C0000-0x0000000005808000-memory.dmp family_purelog_stealer -
Detects Windows executables referencing non-Windows User-Agents 1 IoCs
Processes:
resource yara_rule behavioral2/memory/2648-10-0x0000000000400000-0x0000000000410000-memory.dmp INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA -
Detects executables packed with SmartAssembly 1 IoCs
Processes:
resource yara_rule behavioral2/memory/3444-6-0x00000000057C0000-0x0000000005808000-memory.dmp INDICATOR_EXE_Packed_SmartAssembly -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation 585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe Key value queried \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation 585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe -
Drops startup file 2 IoCs
Processes:
585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mdnsresp.lnk 585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mdnsresp.lnk 585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exedescription pid process target process PID 3444 set thread context of 2648 3444 585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe 585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exepid process 3264 powershell.exe 3264 powershell.exe 2748 powershell.exe 2748 powershell.exe 2748 powershell.exe 1544 powershell.exe 1544 powershell.exe 1544 powershell.exe 3444 powershell.exe 3444 powershell.exe 3444 powershell.exe 2536 powershell.exe 2536 powershell.exe 2536 powershell.exe 2648 585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe 2648 585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe -
Suspicious use of AdjustPrivilegeToken 7 IoCs
Processes:
585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exedescription pid process Token: SeDebugPrivilege 3444 585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe Token: SeDebugPrivilege 2648 585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe Token: SeDebugPrivilege 3264 powershell.exe Token: SeDebugPrivilege 2748 powershell.exe Token: SeDebugPrivilege 1544 powershell.exe Token: SeDebugPrivilege 3444 powershell.exe Token: SeDebugPrivilege 2536 powershell.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exepid process 2648 585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe -
Suspicious use of WriteProcessMemory 23 IoCs
Processes:
585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exedescription pid process target process PID 3444 wrote to memory of 3264 3444 585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe powershell.exe PID 3444 wrote to memory of 3264 3444 585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe powershell.exe PID 3444 wrote to memory of 3264 3444 585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe powershell.exe PID 3444 wrote to memory of 2648 3444 585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe 585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe PID 3444 wrote to memory of 2648 3444 585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe 585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe PID 3444 wrote to memory of 2648 3444 585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe 585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe PID 3444 wrote to memory of 2648 3444 585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe 585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe PID 3444 wrote to memory of 2648 3444 585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe 585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe PID 3444 wrote to memory of 2648 3444 585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe 585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe PID 3444 wrote to memory of 2648 3444 585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe 585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe PID 3444 wrote to memory of 2648 3444 585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe 585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe PID 2648 wrote to memory of 2748 2648 585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe powershell.exe PID 2648 wrote to memory of 2748 2648 585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe powershell.exe PID 2648 wrote to memory of 2748 2648 585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe powershell.exe PID 2648 wrote to memory of 1544 2648 585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe powershell.exe PID 2648 wrote to memory of 1544 2648 585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe powershell.exe PID 2648 wrote to memory of 1544 2648 585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe powershell.exe PID 2648 wrote to memory of 3444 2648 585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe powershell.exe PID 2648 wrote to memory of 3444 2648 585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe powershell.exe PID 2648 wrote to memory of 3444 2648 585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe powershell.exe PID 2648 wrote to memory of 2536 2648 585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe powershell.exe PID 2648 wrote to memory of 2536 2648 585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe powershell.exe PID 2648 wrote to memory of 2536 2648 585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe powershell.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe"C:\Users\Admin\AppData\Local\Temp\585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3444 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwANQA4ADUAZAAxAGYAYgA0AGYAMgA4ADgAOQA3ADQAYgA2ADgAMwBjADUAYQBiAGYAYgAxADAAYwA5ADcAZAA3AGQAMgBhAGUAMwBmADUAOQBjADIAYgBjAGYAZAA3ADgAYgBhADIANwAyAGUAMwBiAGUAMgBjAGQANwA4ADEANQAuAGUAeABlADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAANQA4ADUAZAAxAGYAYgA0AGYAMgA4ADgAOQA3ADQAYgA2ADgAMwBjADUAYQBiAGYAYgAxADAAYwA5ADcAZAA3AGQAMgBhAGUAMwBmADUAOQBjADIAYgBjAGYAZAA3ADgAYgBhADIANwAyAGUAMwBiAGUAMgBjAGQANwA4ADEANQAuAGUAeABlADsA2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3264 -
C:\Users\Admin\AppData\Local\Temp\585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exeC:\Users\Admin\AppData\Local\Temp\585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe2⤵
- Checks computer location settings
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2748 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1544 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\mdnsresp.exe'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3444 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'mdnsresp.exe'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2536
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815.exe.log
Filesize1KB
MD58c2da65103d6b46d8cf610b118210cf0
SHA19db4638340bb74f2af3161cc2c9c0b8b32e6ab65
SHA2560e48e2efd419951e0eb9a8d942493cfdf5540d1d19ff9dae6f145fb3ebcbeeac
SHA5123cf5a125276e264cd8478f2b92d3848fb68b96d46eb4a39e650d09df02068c274881a1c314cdfbfdcb452672fb70dd8becf3ffe9562d39919d9c4d6b07fbb614
-
Filesize
2KB
MD53d086a433708053f9bf9523e1d87a4e8
SHA1b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA2566f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd
-
Filesize
18KB
MD54d745ee879a625891be21c705f4d281a
SHA1a7bd27d859b462e7d21d8b9f6a3ce66b9dbd2e08
SHA25652ab3c1d6f2b85b5d1a2d93c87848522cb01fa67311675be6a6daf03f0e7b814
SHA5122fb78a9d7947ec2b02a7a91ebd0adf2bd7c8a52b97a07d27b2edc25f18c1493d180ae0293080e2d3a191b8e358a01e1aa99f192e6b2234b564e6df89f1badfe8
-
Filesize
18KB
MD52089b2699a81b97383732345fc315b84
SHA14dedf5e3c85b48ac071ea47e3f2102d43a3912e0
SHA2564246c58639ac921bf67e783b18d87195744d745d9034125850095b73e47eb6da
SHA512a38985cb00cc0ccf82175d870343ac56d4cf61d4defc6caa660f8f27c9b17618bad4f64e7226ec1b0367469118c401cc92d80c40554b2a8d32c6d96d498eeb80
-
Filesize
18KB
MD5f650e7407077df0d7e1b0f8f5993efc5
SHA1a8a5f0f72d682d09d8225a4c16acce8f3b9b1881
SHA256ec02ed6338650d3765aed09d73af3d5c1c19157822843511eaa16a0f7ae4efa2
SHA512067e91fc6d616fa35cfb6bf7f56347ea3c5242bff597c337922e93399de23db6c05116d5e56d33c127ec2a9d1bbb59b002be4cdd224596833f851a034658656a
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82