Analysis
- max time kernel: 119s
- max time network: 130s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 02/04/2024, 14:53
- Static task: static1
- Behavioral task: behavioral1
  Sample: cryptedfile.exe
  Resource: win7-20240221-en
General
- Target: cryptedfile.exe
- Size: 7.5MB
- MD5: e6af53b2f350d68371d8a55a244b84f1
- SHA1: 0e245a4b8c8d421e98dfa537d11ed0d1d1a1f7d5
- SHA256: cc9844de1e847151ddb427976e540e146af4508d6c97f86ea5badb7c65cf4437
- SHA512: eb788765bfd6600beb08b8e975135c73e232696d70b2e1cc2fca9da63b66eecaba75ac1345e2925268a09f02f5d6d5f752297aa992c5407aed31d4fd71fc130d
- SSDEEP: 196608:748H+uHTXObt2xDo1Sa4EEY1wM1ZJjWh9+u4:M8H+SbOR2BUSavf1d1Zawu4
Malware Config
Extracted family: xworm
- 127.0.0.1:52733
- stories-boulevard.gl.at.ply.gg:52733
- points-detect.gl.at.ply.gg:52733
- points-detect.gl.at.ply.gg:35608:52733
- region-vip.gl.at.ply.gg:52733
- Install_directory: %AppData%
- install_file: explorer.exe
- telegram: https://api.telegram.org/bot6976323003:AAGzNfsdTYlBPbGEbbSm--c7mAZ9PZzt9Xw/sendMessage?chat_id=5476035148
Signatures
- Detect Xworm Payload (2 IoCs)
  resource behavioral1/files/0x000a000000012254-6.dat: yara_rule family_xworm
  resource behavioral1/memory/2500-8-0x00000000009E0000-0x00000000009FA000-memory.dmp: yara_rule family_xworm
- Executes dropped EXE (4 IoCs)
  pid 2500: explorer.exe
  pid 2624: Built.exe
  pid 2200: Built.exe
  pid 1232: Process not Found
- Loads dropped DLL (4 IoCs)
  pid 2780: cryptedfile.exe
  pid 2624: Built.exe
  pid 2200: Built.exe
  pid 1232: Process not Found
- Untitled yara_rule match (signature title not present on the page)
  resource behavioral1/files/0x0006000000016cd2-40.dat: yara_rule upx
  resource behavioral1/memory/2200-42-0x000007FEF26E0000-0x000007FEF2CCE000-memory.dmp: yara_rule upx
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 4: ip-api.com
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  pid 1692: taskmgr.exe (12 identical entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, pid 2500: explorer.exe
  Token: SeDebugPrivilege, pid 1692: taskmgr.exe
- Suspicious use of FindShellTrayWindow (38 IoCs)
  pid 1692: taskmgr.exe (38 identical entries)
- Suspicious use of SendNotifyMessage (38 IoCs)
  pid 1692: taskmgr.exe (38 identical entries)
- Suspicious use of WriteProcessMemory (9 IoCs)
  PID 2780 wrote to memory of 2500: pid 2780 cryptedfile.exe, procid_target 28 (3 identical entries)
  PID 2780 wrote to memory of 2624: pid 2780 cryptedfile.exe, procid_target 29 (3 identical entries)
  PID 2624 wrote to memory of 2200: pid 2624 Built.exe, procid_target 30 (3 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\cryptedfile.exe (PID 2780)
  command line: "C:\Users\Admin\AppData\Local\Temp\cryptedfile.exe"
  signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\explorer.exe (PID 2500)
    command line: "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
    signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\Built.exe (PID 2624)
    command line: "C:\Users\Admin\AppData\Local\Temp\Built.exe"
    signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\Built.exe (PID 2200)
      command line: "C:\Users\Admin\AppData\Local\Temp\Built.exe"
      signatures: Executes dropped EXE; Loads dropped DLL
- C:\Windows\system32\taskmgr.exe (PID 1692)
  command line: "C:\Windows\system32\taskmgr.exe" /4
  signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.6MB
  MD5: 76eb1ad615ba6600ce747bf1acde6679
  SHA1: d3e1318077217372653be3947635b93df68156a4
  SHA256: 30be871735591ad96bc3fc7e541cdef474366159c2f7443feb30739cbd2db7e1
  SHA512: 2b960e74dd73f61d6a44fef0de9f2d50bcf2ec856b7aa5b97f0107e3cdadea461790760668a67db2ecaf71ff323133ee39ce2b38aafff3629c14e736d6a64aeb
- Filesize: 81KB
  MD5: 6d2de4d8e6da9b41140a5c67bdf549b0
  SHA1: 8774a939e41a7debb2bb784c0bb953d28fc53274
  SHA256: 0c652dbd9acd1062ebd77d70f2f71d174e6584fc7ba52f2bb52435dd3c9c21f5
  SHA512: 3959a3be932ef26109755663dca3ea2c2d6383163c26fb8011d242405a4ee533e73c60ef667c4025f23ba9d252cb07c1ac64715f7c00b8497fc320e019035a97
- Filesize: 7.4MB
  MD5: 022c90d2b607ce098df042969f1ff10c
  SHA1: ba9e320d766bc4e131c51c115275dc0efe2b8df6
  SHA256: 60e2391c0b640cbed4d5773ad9d65a54dd07e03afa18d410ef8b08d90a2a3b07
  SHA512: 84cbcc875dd977d8b319fa68a472bf6ec3b7f923e43ab10fd88102bc02f46180820e427416bb5a95da57302b151703df298b9eb9c37ac93e98da0e181a7a5f31