Analysis
max time kernel: 534s
max time network: 584s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-04-2024 22:17
Behavioral task: behavioral1
Sample: Celex.exe
Resource: win10-20240319-en
General
Target: Celex.exe
Size: 58KB
MD5: af5ab8ec02735b226012b4ccc32f9538
SHA1: 0aafb5e705eab466acd93c3326e7bbfbd42e99fa
SHA256: 58d433a331c64698a95d7bba2e28a5e1500a7b565bf322287941d6724906c3da
SHA512: eb84c3c92d87a6f9b6e094fcaf3e3b843fab9616b47cb43e81b37196c028b57da0b4591210a6213742ce37c04913a6ff25b633e4c8f22a364946adda6f747cdc
SSDEEP: 1536:Q2Piu1AyI4e+ImmjG9bDbVh7c6D1Oc+7NYE:QE5Z59bDH7vRO77NYE
Malware Config
Extracted family: xworm
come-devon.gl.at.ply.gg:22978
Install_directory: %Temp%
install_file: USB.exe
Signatures

Detect Xworm Payload (1 IoC)
resource | yara_rule
behavioral2/memory/3076-0-0x0000000000690000-0x00000000006A4000-memory.dmp | family_xworm

Drops startup file (2 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Celex.lnk | Celex.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Celex.lnk | Celex.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Delays execution with timeout.exe (1 IoC)
pid | Process
3108 | timeout.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3076 | Celex.exe
Token: SeDebugPrivilege | 3076 | Celex.exe

Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | Process | procid_target
PID 3076 wrote to memory of 1648 | 3076 | Celex.exe | 97
PID 3076 wrote to memory of 1648 | 3076 | Celex.exe | 97
PID 1648 wrote to memory of 3108 | 1648 | cmd.exe | 99
PID 1648 wrote to memory of 3108 | 1648 | cmd.exe | 99
Processes

1. C:\Users\Admin\AppData\Local\Temp\Celex.exe (PID 3076)
   command line: "C:\Users\Admin\AppData\Local\Temp\Celex.exe"
   - Drops startup file
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\system32\cmd.exe (PID 1648)
      command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp339.tmp.bat""
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\system32\timeout.exe (PID 3108)
         command line: timeout 3
         - Delays execution with timeout.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 156B
MD5: d8c34c1d65d067607fcfca138fa627ad
SHA1: c57a4cfef222a4192b751c2896221609ebd00ef0
SHA256: d59fd538f02d362d9ce5f024372c07ac7c7bfe87ed453f3c1c23fc4f59b4380d
SHA512: 618dcf8acf5acd60b5a06a7d71b522650ceed1d7fb7a5fe7dbaf26928168640864990fb46bad3f82ff442033ed0d80354f93fc9b458e3e7d073e09b3f824b057