Analysis
-
max time kernel
150s -
max time network
143s -
platform
windows11-21h2_x64 -
resource
win11-20240214-en -
resource tags
-
submitted
06/04/2024, 02:17
General
-
Target
Krampus/23vcD1orbL.exe
-
Size
1.3MB
-
MD5
d48c30f50906d73b06aabec4a3c0ef96
-
SHA1
4ed2965e2c48d3e35a3e4e1ea8781d3761de94a5
-
SHA256
71015901a4bbe9f7f81a3f899bf7c21ceca2a332e272e31a4d6d2b6b4f71a59f
-
SHA512
71eb7ca54f7f1019716c9e5a323d0ffa892a6485fe387044deb9fe431e809bd2f8be5e35f3aba185eb53d437fc63a5a66704815b612e6ea960220610d459265f
-
SSDEEP
1536:c/G4iM3eweCmtR8K/ddBNm/LBOK+kAYxQb1biW3+FQxEfOO701d67/fxU9:cOrZ8kyt3AYeb1WRSEfO1vd9
Malware Config
Extracted
xworm
-
Install_directory
%ProgramData%
-
install_file
svchost.exe
-
pastebin_url
https://pastebin.com/raw/z5PQ82wE
Signatures
-
Detect Xworm Payload 2 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 2 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Krampus\23vcD1orbL.exe"C:\Users\Admin\AppData\Local\Temp\Krampus\23vcD1orbL.exe"1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\ProgramData\svchost.exe"2⤵
- Creates scheduled task(s)
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\ProgramData\svchost.exeC:\ProgramData\svchost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\svchost.exeC:\ProgramData\svchost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.3MB
MD5d48c30f50906d73b06aabec4a3c0ef96
SHA14ed2965e2c48d3e35a3e4e1ea8781d3761de94a5
SHA25671015901a4bbe9f7f81a3f899bf7c21ceca2a332e272e31a4d6d2b6b4f71a59f
SHA51271eb7ca54f7f1019716c9e5a323d0ffa892a6485fe387044deb9fe431e809bd2f8be5e35f3aba185eb53d437fc63a5a66704815b612e6ea960220610d459265f
-
Filesize
654B
MD52cbbb74b7da1f720b48ed31085cbd5b8
SHA179caa9a3ea8abe1b9c4326c3633da64a5f724964
SHA256e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3
SHA512ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
112KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
64KB