Analysis
max time kernel: 146s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/04/2024, 13:00
Static task: static1
Behavioral task: behavioral1
Sample: iz.ps1
Resource: win7-20240221-en
General
Target: iz.ps1
Size: 24.8MB
MD5: d6d2774f2652911f79c0f6fa94020638
SHA1: 749fc037702e6dd840b6e927856e933d2292c8c6
SHA256: ad6e95aef11205d3316d246a22541618d8dfa344f2a13208af09f2c542260e24
SHA512: 70d200fcda1a5c2596ec990cb6933da2e1c3b16065bbd2642542a11545f8ff11cce1820380dedc8c06e18df70aae8ba433f472c761a7e302a1b4fc2d4ff5b778
SSDEEP: 49152:h3qXqynxhOaNH6GUnvLn9DT25vj3rREpM65U90qgekZ55ZsfrJQLUcEiDuEPVOhA:L
Malware Config
Extracted
xworm
3.1
freshinxworm.ddns.net:7000
rzmpI3rbDJo6Nlqt
Install_directory: %AppData%
install_file: USB.exe
Signatures

Detect Xworm Payload (2 IoCs)
resource | yara_rule
behavioral2/memory/3392-21-0x000001F446320000-0x000001F446330000-memory.dmp | family_xworm
behavioral2/memory/3392-33-0x000001F45ED20000-0x000001F45ED30000-memory.dmp | family_xworm

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
description | pid | Process | procid_target
PID 2496 created 3536 | 2496 | powershell.exe | 57

Drops startup file (2 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notepad.lnk | notepad.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notepad.lnk | notepad.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
2496 | powershell.exe
2496 | powershell.exe
2496 | powershell.exe
3392 | notepad.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (1 IoC)
pid | Process
2496 | powershell.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2496 | powershell.exe
Token: SeDebugPrivilege | 3392 | notepad.exe

Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
3392 | notepad.exe

Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 2496 wrote to memory of 3392 | 2496 | powershell.exe | 92
(this identical entry is repeated for all 64 IoCs)
Processes

C:\Windows\Explorer.EXE (PID 3536)
  command line: C:\Windows\Explorer.EXE

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2496)
    command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\iz.ps1
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

  C:\Windows\System32\notepad.exe (PID 3392)
    command line: C:\Windows\System32\notepad.exe
    - Drops startup file
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82