Analysis
max time kernel: 119s
max time network: 124s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 17/04/2024, 20:12
Static task: static1
Behavioral task: behavioral1
Sample: Krampus V1.0.3.exe
Resource: win7-20240221-en
General
Target: Krampus V1.0.3.exe
Size: 7.6MB
MD5: 8720aba46da0b8648491f6d074647618
SHA1: ab1e7f51c8dd4e686d498a394c184339fefc10cc
SHA256: 67346337782fbd66c3b5f77e9a873a5078f5936625848ebee8b592c715daf7f3
SHA512: 095596fcfdca3f9141c13e41a39ed0e59486d1d3824b14de6639af6ed32e634ef0fad6f4d50fc5a184059d5897d440e86a082d9b944b7b01a9a6bdbde9f066ac
SSDEEP: 196608:NMt+dnIdHWxdKHoYOeXRihlWu8YgoPIM:NMt+uoxmomX8hlzgOIM
Malware Config
Extracted family: xworm
C2: north-untitled.gl.at.ply.gg:29298
Install_directory: %Userprofile%
install_file: discord.exe
Signatures

Detect Xworm Payload (2 IoCs)
  resource / yara_rule:
  - behavioral1/files/0x000b000000014a94-43.dat: family_xworm
  - behavioral1/memory/2764-45-0x0000000000870000-0x00000000008B2000-memory.dmp: family_xworm

Drops startup file (2 IoCs)
  description / ioc / Process:
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\discord.lnk (XClient.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\discord.lnk (XClient.exe)

Executes dropped EXE (4 IoCs)
  pid / Process:
  - 2764 XClient.exe
  - 1252 Built.exe
  - 1832 Built.exe
  - 1396 Process not Found

Loads dropped DLL (3 IoCs)
  pid / Process:
  - 2804 Krampus V1.0.3.exe
  - 1832 Built.exe
  - 1396 Process not Found

resource / yara_rule:
- behavioral1/files/0x0006000000016c90-87.dat: upx
- behavioral1/memory/1832-90-0x000007FEF1E70000-0x000007FEF2460000-memory.dmp: upx

Adds Run key to start application (2 TTPs, 4 IoCs)
  description / ioc / Process:
  - Set value (str): \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\test = "C:\\Windows\\System32\\test.bat" (Krampus V1.0.3.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Windows\\System32\\XClient.exe" (Krampus V1.0.3.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Built = "C:\\Windows\\System32\\Built.exe" (Krampus V1.0.3.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\discord = "C:\\Users\\Admin\\discord.exe" (XClient.exe)

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow / ioc:
  - 4 ip-api.com

Drops file in System32 directory (6 IoCs)
  description / ioc / Process:
  - File created: C:\Windows\System32\test.bat (Krampus V1.0.3.exe)
  - File opened for modification: C:\Windows\System32\test.bat (Krampus V1.0.3.exe)
  - File created: C:\Windows\System32\XClient.exe (Krampus V1.0.3.exe)
  - File opened for modification: C:\Windows\System32\XClient.exe (Krampus V1.0.3.exe)
  - File created: C:\Windows\System32\Built.exe (Krampus V1.0.3.exe)
  - File opened for modification: C:\Windows\System32\Built.exe (Krampus V1.0.3.exe)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid / Process:
  - 2552 schtasks.exe
  - 1412 schtasks.exe
  - 1536 schtasks.exe

Delays execution with timeout.exe (1 IoCs)
  pid / Process:
  - 2496 timeout.exe

Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid / Process:
  - 1896 powershell.exe
  - 2460 powershell.exe
  - 2388 powershell.exe
  - 800 powershell.exe
  - 2420 powershell.exe
  - 2596 powershell.exe
  - 1072 powershell.exe
  - 2764 XClient.exe

Suspicious use of AdjustPrivilegeToken (9 IoCs)
  description / pid / Process:
  - Token: SeDebugPrivilege | 1896 | powershell.exe
  - Token: SeDebugPrivilege | 2460 | powershell.exe
  - Token: SeDebugPrivilege | 2764 | XClient.exe
  - Token: SeDebugPrivilege | 2388 | powershell.exe
  - Token: SeDebugPrivilege | 800 | powershell.exe
  - Token: SeDebugPrivilege | 2420 | powershell.exe
  - Token: SeDebugPrivilege | 2596 | powershell.exe
  - Token: SeDebugPrivilege | 1072 | powershell.exe
  - Token: SeDebugPrivilege | 2764 | XClient.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
  pid / Process:
  - 2764 XClient.exe

Suspicious use of WriteProcessMemory (51 IoCs; 17 distinct writes, each recorded three times)
  description | pid | Process | procid_target:
  - PID 2804 wrote to memory of 1896 | 2804 | Krampus V1.0.3.exe | 28
  - PID 2804 wrote to memory of 2528 | 2804 | Krampus V1.0.3.exe | 30
  - PID 2804 wrote to memory of 2460 | 2804 | Krampus V1.0.3.exe | 31
  - PID 2804 wrote to memory of 2552 | 2804 | Krampus V1.0.3.exe | 34
  - PID 2804 wrote to memory of 2764 | 2804 | Krampus V1.0.3.exe | 36
  - PID 2804 wrote to memory of 2388 | 2804 | Krampus V1.0.3.exe | 37
  - PID 2804 wrote to memory of 1412 | 2804 | Krampus V1.0.3.exe | 39
  - PID 2804 wrote to memory of 1252 | 2804 | Krampus V1.0.3.exe | 41
  - PID 1252 wrote to memory of 1832 | 1252 | Built.exe | 42
  - PID 2764 wrote to memory of 800 | 2764 | XClient.exe | 44
  - PID 2764 wrote to memory of 2420 | 2764 | XClient.exe | 46
  - PID 2764 wrote to memory of 2596 | 2764 | XClient.exe | 48
  - PID 2764 wrote to memory of 1072 | 2764 | XClient.exe | 50
  - PID 2764 wrote to memory of 1536 | 2764 | XClient.exe | 52
  - PID 2764 wrote to memory of 2616 | 2764 | XClient.exe | 56
  - PID 2764 wrote to memory of 2564 | 2764 | XClient.exe | 58
  - PID 2564 wrote to memory of 2496 | 2564 | cmd.exe | 60

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\Krampus V1.0.3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Krampus V1.0.3.exe"
  PID: 2804
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\test.bat'
    PID: 1896
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\cmd.exe
    Command line: cmd /c ""C:\Windows\System32\test.bat" "
    PID: 2528

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\XClient.exe'
    PID: 2460
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /F /TN "XClient" /SC ONLOGON /TR "C:\Windows\System32\XClient.exe" /RL HIGHEST
    PID: 2552
    - Creates scheduled task(s)

  C:\Windows\System32\XClient.exe
    Command line: "C:\Windows\System32\XClient.exe"
    PID: 2764
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\XClient.exe'
      PID: 800
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      PID: 2420
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\discord.exe'
      PID: 2596
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'discord.exe'
      PID: 1072
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "discord" /tr "C:\Users\Admin\discord.exe"
      PID: 1536
      - Creates scheduled task(s)

    C:\Windows\System32\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /delete /f /tn "discord"
      PID: 2616

    C:\Windows\System32\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp3208.tmp.bat""
      PID: 2564
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\timeout.exe
        Command line: timeout 3
        PID: 2496
        - Delays execution with timeout.exe

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Built.exe'
    PID: 2388
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /F /TN "Built" /SC ONLOGON /TR "C:\Windows\System32\Built.exe" /RL HIGHEST
    PID: 1412
    - Creates scheduled task(s)

  C:\Windows\System32\Built.exe
    Command line: "C:\Windows\System32\Built.exe"
    PID: 1252
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\Built.exe
      Command line: "C:\Windows\System32\Built.exe"
      PID: 1832
      - Executes dropped EXE
      - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads