Analysis
-
max time kernel
145s -
max time network
147s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64 arch:x86 image:win7-20231129-en locale:en-us os:windows7-x64 system -
submitted
02/04/2024, 14:26
Static task
static1
Behavioral task
behavioral1
Sample
68WAntiLagApp_protected.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
68WAntiLagApp_protected.exe
Resource
win10v2004-20240226-en
General
-
Target
68WAntiLagApp_protected.exe
-
Size
203KB
-
MD5
9e814f107ec4f396add666fd5ff724cf
-
SHA1
2fe31b58361f63f172031431bce91630a4d31b36
-
SHA256
5f6d2b2e54fd3058a6c664c5b9763e59ffb8f9b4de5db74611f7b93178a065af
-
SHA512
d1473359577a8c07c834ee31e95d52c749cc53200fd0df8a4e88a81cc5b19b6cc0c04c0664f3261acd10ed3346b55fdc1a45793ec36684f3b10649c26d863fd3
-
SSDEEP
3072:p8PfBGaeVMhi5ys3UGVmaxpbJnzIs0+M2njqhYUSWw8jXbt1MJBTswdT+WLo2/J:p8n/hiws3hsaxpb8+VnQ7XbS
Malware Config
Extracted
xworm
region-vip.gl.at.ply.gg:52733
-
Install_directory
%AppData%
-
install_file
explorer.exe
-
telegram
https://api.telegram.org/bot6976323003:AAGzNfsdTYlBPbGEbbSm--c7mAZ9PZzt9Xw/sendMessage?chat_id=5476035148
Signatures
-
Detect Xworm Payload 6 IoCs
resource yara_rule
behavioral1/memory/3032-7-0x0000000000400000-0x0000000000430000-memory.dmp family_xworm
behavioral1/memory/3032-8-0x0000000000400000-0x0000000000430000-memory.dmp family_xworm
behavioral1/memory/3032-11-0x0000000000400000-0x0000000000430000-memory.dmp family_xworm
behavioral1/memory/3032-18-0x0000000000400000-0x0000000000430000-memory.dmp family_xworm
behavioral1/memory/3032-14-0x0000000000400000-0x0000000000430000-memory.dmp family_xworm
behavioral1/memory/2216-21-0x0000000002AE0000-0x0000000002B20000-memory.dmp family_xworm
-
Drops startup file 2 IoCs
description ioc Process
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk RegAsm.exe
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk RegAsm.exe
-
Executes dropped EXE 3 IoCs
pid Process
2328 explorer.exe
2912 explorer.exe
1496 explorer.exe
-
Loads dropped DLL 1 IoCs
pid Process
3032 RegAsm.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Users\\Admin\\AppData\\Roaming\\explorer\\explorer.exe.exe" powershell.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Users\\Admin\\AppData\\Roaming\\explorer.exe" RegAsm.exe
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target
PID 2316 set thread context of 3032 2316 68WAntiLagApp_protected.exe 32
-
Drops file in Windows directory 1 IoCs
description ioc Process
File opened for modification C:\Windows\Debug\WIA\wiatrace.log mspaint.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process
940 schtasks.exe
2760 schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process
2316 68WAntiLagApp_protected.exe
2216 powershell.exe
1716 taskmgr.exe
1716 taskmgr.exe
1716 taskmgr.exe
1716 taskmgr.exe
1716 taskmgr.exe
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
description pid Process
Token: SeDebugPrivilege 2316 68WAntiLagApp_protected.exe
Token: SeDebugPrivilege 3032 RegAsm.exe
Token: SeDebugPrivilege 2216 powershell.exe
Token: SeDebugPrivilege 3032 RegAsm.exe
Token: SeDebugPrivilege 1716 taskmgr.exe
-
Suspicious use of FindShellTrayWindow 31 IoCs
pid Process
1716 taskmgr.exe (same entry repeated 31 times)
-
Suspicious use of SendNotifyMessage 31 IoCs
pid Process
1716 taskmgr.exe (same entry repeated 31 times)
-
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process
1664 mspaint.exe
1664 mspaint.exe
1664 mspaint.exe
1664 mspaint.exe
-
Suspicious use of WriteProcessMemory 40 IoCs
description pid Process procid_target
PID 2316 wrote to memory of 2216 2316 68WAntiLagApp_protected.exe 28 (4 entries)
PID 2316 wrote to memory of 2740 2316 68WAntiLagApp_protected.exe 30 (4 entries)
PID 2740 wrote to memory of 940 2740 cmd.exe 33 (4 entries)
PID 2316 wrote to memory of 3032 2316 68WAntiLagApp_protected.exe 32 (12 entries)
PID 3032 wrote to memory of 2760 3032 RegAsm.exe 34 (4 entries)
PID 1896 wrote to memory of 2328 1896 taskeng.exe 38 (4 entries)
PID 1896 wrote to memory of 2912 1896 taskeng.exe 44 (4 entries)
PID 1896 wrote to memory of 1496 1896 taskeng.exe 47 (4 entries)
Processes
-
C:\Users\Admin\AppData\Local\Temp\68WAntiLagApp_protected.exe
"C:\Users\Admin\AppData\Local\Temp\68WAntiLagApp_protected.exe"
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2316

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'explorer';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'explorer' -Value '"C:\Users\Admin\AppData\Roaming\explorer\explorer.exe.exe"' -PropertyType 'String'
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2216

  C:\Windows\SysWOW64\cmd.exe
  "cmd" /C schtasks /create /tn \explorer /tr "C:\Users\Admin\AppData\Roaming\explorer\explorer.exe.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
  - Suspicious use of WriteProcessMemory
  PID:2740

    C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn \explorer /tr "C:\Users\Admin\AppData\Roaming\explorer\explorer.exe.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
    - Creates scheduled task(s)
    PID:940

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  #cmd
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3032

    C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "explorer" /tr "C:\Users\Admin\AppData\Roaming\explorer.exe"
    - Creates scheduled task(s)
    PID:2760

C:\Windows\system32\taskeng.exe
taskeng.exe {73A08273-ECBF-483B-A8B8-F1EBED3A1075} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]
- Suspicious use of WriteProcessMemory
PID:1896

  C:\Users\Admin\AppData\Roaming\explorer.exe
  C:\Users\Admin\AppData\Roaming\explorer.exe
  - Executes dropped EXE
  PID:2328

  C:\Users\Admin\AppData\Roaming\explorer.exe
  C:\Users\Admin\AppData\Roaming\explorer.exe
  - Executes dropped EXE
  PID:2912

  C:\Users\Admin\AppData\Roaming\explorer.exe
  C:\Users\Admin\AppData\Roaming\explorer.exe
  - Executes dropped EXE
  PID:1496

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe"
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1664

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1716
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
63KB
MD5
b58b926c3574d28d5b7fdd2ca3ec30d5
SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9
SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3
SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab