Analysis
max time kernel: 147s
max time network: 115s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted: 02/04/2024, 12:20
Static task: static1
Behavioral task: behavioral1
Sample: tmp.exe
Resource: win7-20231129-en
General
Target: tmp.exe
Size: 427KB
MD5: 884939ef6ce29bd82add03e94a61abb9
SHA1: ae52176f4928a3bf19513bd95fc4251ba8db5d5a
SHA256: 9e5865fd21de52ffdfed7301c0542693d1a5a066c49dfb197ddce0acab589b7b
SHA512: 268b662e74580e948ae73d5d3005e0b9fcfb90c72a0f391bab980c55af0573a1e1082eb5d8b0940f3255d14f8a42901365582b52d9f21032bad125b55b0ea86f
SSDEEP: 12288:iXQhmNReC7nFPfkhkyDW7AUz29BbOy9Md:ighY57nyNUzcAMM
Malware Config
Extracted
Family: xworm
C2: 210.246.215.82:7000
Install_directory: %ProgramData%
install_file: WindowsNT.exe
Signatures
-
Detect Xworm Payload 2 IoCs
resource: behavioral2/files/0x000a000000023228-16.dat, yara_rule: family_xworm
resource: behavioral2/memory/116-27-0x0000000000060000-0x00000000000BA000-memory.dmp, yara_rule: family_xworm
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation
Process: tmp.exe
Executes dropped EXE 2 IoCs
PID 1320: Macro_Easy.exe
PID 116: s.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow 18, ioc: ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
PID 1320: Macro_Easy.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
description: Token: SeDebugPrivilege, PID 116: s.exe
Suspicious use of WriteProcessMemory 5 IoCs
PID 4240 (tmp.exe) wrote to memory of PID 1320, procid_target 86
PID 4240 (tmp.exe) wrote to memory of PID 1320, procid_target 86
PID 4240 (tmp.exe) wrote to memory of PID 1320, procid_target 86
PID 4240 (tmp.exe) wrote to memory of PID 116, procid_target 87
PID 4240 (tmp.exe) wrote to memory of PID 116, procid_target 87
Processes
-
C:\Users\Admin\AppData\Local\Temp\tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  PID: 4240
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\ProgramData\Macro_Easy.exe
    Command line: "C:\ProgramData\Macro_Easy.exe"
    PID: 1320
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
  C:\ProgramData\s.exe
    Command line: "C:\ProgramData\s.exe"
    PID: 116
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
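As an added example, not part of the sandbox report, the indicators above (the xworm C2 210.246.215.82:7000, the %ProgramData% drop paths and install_file, the Geo\Nation registry query, the ip-api.com lookup and the three SHA256 hashes) are turned into a small matcher that runs over constructed process, registry, DNS and network events. The key=value event format, the parent/child fields, the rule names and the pairing of the two download hashes with s.exe and Macro_Easy.exe are assumptions made for the sample data; the report does not say which dropped file carries which hash.

```python
"""Match the IOCs and behaviours from this report against process, registry,
DNS and network events.

The events below are constructed for the example in a key=value-per-line
format; they are not sandbox telemetry. The report does not say which of the
two downloaded files is s.exe and which is Macro_Easy.exe, so the hash pairing
in the sample events is an assumption.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Indicators taken from the report
XWORM_C2 = ("210.246.215.82", 7000)
DROPPED_IMAGES = {
    r"c:\programdata\macro_easy.exe",
    r"c:\programdata\s.exe",
    r"c:\programdata\windowsnt.exe",  # install_file from the extracted config
}
SHA256_IOCS = {
    "9e5865fd21de52ffdfed7301c0542693d1a5a066c49dfb197ddce0acab589b7b",  # tmp.exe
    "0a81479feb0ab55cde79ea66787f9db686b774c3a374fca280a74331b02a9649",  # 65KB download
    "829371e9f7b8108a3597cd80e432557069b217a1c3dd01b6d715597a82b611ee",  # 336KB download
}
GEO_KEY_RE = re.compile(r"\\control panel\\international\\geo\\nation$", re.I)
IP_LOOKUP_HOSTS = {"ip-api.com"}
TEMP_DIR_RE = re.compile(r"\\appdata\\local\\temp\\", re.I)

# key=value tokens; a value may contain spaces (registry paths), so it runs
# until the next " key=" token or the end of the line
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

# Constructed sample events, modelled on the process tree in the report
SAMPLE_EVENTS = r"""
type=process pid=4240 ppid=612 parent=C:\Windows\explorer.exe image=C:\Users\Admin\AppData\Local\Temp\tmp.exe sha256=9e5865fd21de52ffdfed7301c0542693d1a5a066c49dfb197ddce0acab589b7b
type=registry op=QueryValue pid=4240 image=C:\Users\Admin\AppData\Local\Temp\tmp.exe key=HKU\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation
type=process pid=1320 ppid=4240 parent=C:\Users\Admin\AppData\Local\Temp\tmp.exe image=C:\ProgramData\Macro_Easy.exe sha256=829371e9f7b8108a3597cd80e432557069b217a1c3dd01b6d715597a82b611ee
type=process pid=116 ppid=4240 parent=C:\Users\Admin\AppData\Local\Temp\tmp.exe image=C:\ProgramData\s.exe sha256=0a81479feb0ab55cde79ea66787f9db686b774c3a374fca280a74331b02a9649
type=dns pid=1320 image=C:\ProgramData\Macro_Easy.exe query=ip-api.com
type=network pid=116 image=C:\ProgramData\s.exe dst=210.246.215.82 dport=7000
type=process pid=5000 ppid=612 parent=C:\Windows\explorer.exe image=C:\Windows\System32\notepad.exe sha256=0000000000000000000000000000000000000000000000000000000000000000
"""


def parse_event(line: str) -> Dict[str, str]:
    """Split one event line into a field dict."""
    return {m.group(1): m.group(2) for m in KV_RE.finditer(line.strip())}


def match_event(ev: Dict[str, str]) -> List[str]:
    """Return the names of every rule the event triggers."""
    hits: List[str] = []
    kind = ev.get("type")
    image = ev.get("image", "").lower()
    if kind == "process":
        if ev.get("sha256", "").lower() in SHA256_IOCS:
            hits.append("hash_ioc")
        if image in DROPPED_IMAGES:
            hits.append("dropped_image")
        # behavioural rule: a binary running from %TEMP% launches a child
        # out of ProgramData, as tmp.exe does with Macro_Easy.exe and s.exe
        if TEMP_DIR_RE.search(ev.get("parent", "")) and image.startswith("c:\\programdata\\"):
            hits.append("temp_spawns_programdata")
    elif kind == "registry" and GEO_KEY_RE.search(ev.get("key", "")):
        hits.append("geofence_check")
    elif kind == "dns" and ev.get("query", "").lower() in IP_LOOKUP_HOSTS:
        hits.append("ip_lookup")
    elif kind == "network":
        try:
            if (ev.get("dst"), int(ev.get("dport", "0"))) == XWORM_C2:
                hits.append("xworm_c2")
        except ValueError:
            pass  # malformed port, ignore the event
    return hits


def scan(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, pid, rule) for every rule hit in the event text."""
    findings: List[Tuple[int, str, str]] = []
    for n, line in enumerate(text.strip().splitlines(), 1):
        ev = parse_event(line)
        for rule in match_event(ev):
            findings.append((n, ev.get("pid", "?"), rule))
    return findings


def hits_by_pid(findings: List[Tuple[int, str, str]]) -> Dict[str, List[str]]:
    """Group rule names per PID so a triager sees which processes to pull."""
    grouped = defaultdict(set)
    for _, pid, rule in findings:
        grouped[pid].add(rule)
    return {pid: sorted(rules) for pid, rules in grouped.items()}


if __name__ == "__main__":
    for pid, rules in hits_by_pid(scan(SAMPLE_EVENTS)).items():
        print(pid, ", ".join(rules))
```

The hash and path rules are brittle by design: a rebuilt payload changes the hashes and the operator can rename the install_file. The geofence query, the ip-api.com lookup and the %TEMP%-to-ProgramData parent/child relationship survive those changes, so they are the rules worth keeping once the specific indicators have aged out.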
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 65KB
MD5: d18b6490413f70ca609f3166bc99a91e
SHA1: 252bb5b5082ca99ddbff5d3c44df3b37f314ce6b
SHA256: 0a81479feb0ab55cde79ea66787f9db686b774c3a374fca280a74331b02a9649
SHA512: 8188edbc14eb8bf05a0e9222527c4c5378c6b6eaeae21240cc50aeba8fc1f7a8310c852a27410b8faade5e821161e8663ee46d5c4b833a32beab0f145e820781

Filesize: 336KB
MD5: 8df47fa5b39878fb3d17c6fff264e1a4
SHA1: 425862283b0fb65ad75138203aa2d4fe331febd0
SHA256: 829371e9f7b8108a3597cd80e432557069b217a1c3dd01b6d715597a82b611ee
SHA512: 83435d70582e4493d0f4ef2bbf38931b2dc3a743fba82199c7e65dd295ad2d0f726df27beca041217c2d0b6a1e1c5c7902a74655efefaec089c0535974bce0a1