Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
02/04/2024, 14:26
Static task
static1
Behavioral task
behavioral1
Sample
68WAntiLagApp_protected.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
68WAntiLagApp_protected.exe
Resource
win10v2004-20240226-en
General
-
Target
68WAntiLagApp_protected.exe
-
Size
203KB
-
MD5
9e814f107ec4f396add666fd5ff724cf
-
SHA1
2fe31b58361f63f172031431bce91630a4d31b36
-
SHA256
5f6d2b2e54fd3058a6c664c5b9763e59ffb8f9b4de5db74611f7b93178a065af
-
SHA512
d1473359577a8c07c834ee31e95d52c749cc53200fd0df8a4e88a81cc5b19b6cc0c04c0664f3261acd10ed3346b55fdc1a45793ec36684f3b10649c26d863fd3
-
SSDEEP
3072:p8PfBGaeVMhi5ys3UGVmaxpbJnzIs0+M2njqhYUSWw8jXbt1MJBTswdT+WLo2/J:p8n/hiws3hsaxpb8+VnQ7XbS
Malware Config
Extracted
xworm
region-vip.gl.at.ply.gg:52733
-
Install_directory
%AppData%
-
install_file
explorer.exe
-
telegram
https://api.telegram.org/bot6976323003:AAGzNfsdTYlBPbGEbbSm--c7mAZ9PZzt9Xw/sendMessage?chat_id=5476035148
Signatures
-
Detect Xworm Payload 1 IoCs
resource yara_rule behavioral2/memory/1064-4-0x0000000000400000-0x0000000000430000-memory.dmp family_xworm -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation RegAsm.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk RegAsm.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk RegAsm.exe -
Executes dropped EXE 3 IoCs
pid Process 968 explorer.exe 2456 explorer.exe 4508 explorer.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Users\\Admin\\AppData\\Roaming\\explorer\\explorer.exe.exe" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Users\\Admin\\AppData\\Roaming\\explorer.exe" RegAsm.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1624 set thread context of 1064 1624 68WAntiLagApp_protected.exe 92 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 taskmgr.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString taskmgr.exe -
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 5044 schtasks.exe 4660 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 27 IoCs
pid Process 1624 68WAntiLagApp_protected.exe 4996 powershell.exe 4996 powershell.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 9 IoCs
description pid Process Token: SeDebugPrivilege 1624 68WAntiLagApp_protected.exe Token: SeDebugPrivilege 1064 RegAsm.exe Token: SeDebugPrivilege 4996 powershell.exe Token: SeDebugPrivilege 1064 RegAsm.exe Token: SeDebugPrivilege 4560 taskmgr.exe Token: SeSystemProfilePrivilege 4560 taskmgr.exe Token: SeCreateGlobalPrivilege 4560 taskmgr.exe Token: 33 4560 taskmgr.exe Token: SeIncBasePriorityPrivilege 4560 taskmgr.exe -
Suspicious use of FindShellTrayWindow 49 IoCs
pid Process 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe -
Suspicious use of SendNotifyMessage 49 IoCs
pid Process 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe 4560 taskmgr.exe -
Suspicious use of WriteProcessMemory 20 IoCs
description pid Process procid_target PID 1624 wrote to memory of 4996 1624 68WAntiLagApp_protected.exe 89 PID 1624 wrote to memory of 4996 1624 68WAntiLagApp_protected.exe 89 PID 1624 wrote to memory of 4996 1624 68WAntiLagApp_protected.exe 89 PID 1624 wrote to memory of 3656 1624 68WAntiLagApp_protected.exe 90 PID 1624 wrote to memory of 3656 1624 68WAntiLagApp_protected.exe 90 PID 1624 wrote to memory of 3656 1624 68WAntiLagApp_protected.exe 90 PID 1624 wrote to memory of 1064 1624 68WAntiLagApp_protected.exe 92 PID 1624 wrote to memory of 1064 1624 68WAntiLagApp_protected.exe 92 PID 1624 wrote to memory of 1064 1624 68WAntiLagApp_protected.exe 92 PID 1624 wrote to memory of 1064 1624 68WAntiLagApp_protected.exe 92 PID 1624 wrote to memory of 1064 1624 68WAntiLagApp_protected.exe 92 PID 1624 wrote to memory of 1064 1624 68WAntiLagApp_protected.exe 92 PID 1624 wrote to memory of 1064 1624 68WAntiLagApp_protected.exe 92 PID 1624 wrote to memory of 1064 1624 68WAntiLagApp_protected.exe 92 PID 3656 wrote to memory of 5044 3656 cmd.exe 94 PID 3656 wrote to memory of 5044 3656 cmd.exe 94 PID 3656 wrote to memory of 5044 3656 cmd.exe 94 PID 1064 wrote to memory of 4660 1064 RegAsm.exe 99 PID 1064 wrote to memory of 4660 1064 RegAsm.exe 99 PID 1064 wrote to memory of 4660 1064 RegAsm.exe 99
Processes
-
C:\Users\Admin\AppData\Local\Temp\68WAntiLagApp_protected.exe"C:\Users\Admin\AppData\Local\Temp\68WAntiLagApp_protected.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1624 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'explorer';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'explorer' -Value '"C:\Users\Admin\AppData\Roaming\explorer\explorer.exe.exe"' -PropertyType 'String'2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4996
-
-
C:\Windows\SysWOW64\cmd.exe"cmd" /C schtasks /create /tn \explorer /tr "C:\Users\Admin\AppData\Roaming\explorer\explorer.exe.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f2⤵
- Suspicious use of WriteProcessMemory
PID:3656 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn \explorer /tr "C:\Users\Admin\AppData\Roaming\explorer\explorer.exe.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f3⤵
- Creates scheduled task(s)
PID:5044
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe#cmd2⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1064 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "explorer" /tr "C:\Users\Admin\AppData\Roaming\explorer.exe"3⤵
- Creates scheduled task(s)
PID:4660
-
-
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe1⤵
- Executes dropped EXE
PID:968
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe1⤵
- Executes dropped EXE
PID:2456
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4560
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:2152
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe1⤵
- Executes dropped EXE
PID:4508
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
42B
MD584cfdb4b995b1dbf543b26b86c863adc
SHA1d2f47764908bf30036cf8248b9ff5541e2711fa2
SHA256d8988d672d6915b46946b28c06ad8066c50041f6152a91d37ffa5cf129cc146b
SHA512485f0ed45e13f00a93762cbf15b4b8f996553baa021152fae5aba051e3736bcd3ca8f4328f0e6d9e3e1f910c96c4a9ae055331123ee08e3c2ce3a99ac2e177ce
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
778B
MD53d1ce826bf40e13c5e77d2b8f8f44316
SHA1f79cbf9e5913391236182c82e8bfcdb9b787ec18
SHA2569ddc8a468e10a4d42af997f4352ae6ee826efd145ba6be186f2c20e4d916c958
SHA512e610cfa7031aa7f7cfb2ebd1903d655dd93f0ec7d19726f24009a44e1e15dacc726cd42928e57cbf90a987281deb5c493d27ffc3f77a323a5caff7370985478f
-
Filesize
63KB
MD50d5df43af2916f47d00c1573797c1a13
SHA1230ab5559e806574d26b4c20847c368ed55483b0
SHA256c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc
SHA512f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2