Analysis
- max time kernel: 48s
- max time network: 49s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 19-04-2024 23:45
Behavioral tasks
- behavioral1: sample B1OdUv8CBH.exe, resource win7-20240221-en (Windows 7 x64)
- behavioral2: sample B1OdUv8CBH.exe, resource win10v2004-20240412-en (Windows 10 2004)
The signatures, process tree and memory dumps below all come from behavioral1; the PIDs and the 0x000007FE... module addresses are those of the Windows 7 x64 run.
General
- Target: B1OdUv8CBH.exe
- Size: 1.0MB
- MD5: 73a20ee98214059033a93ff5da62d903
- SHA1: a35422a4969f7d79fc9cf597cf40b7456d5b05d8
- SHA256: 5df7cf7c7d153a0e55b0ca9299d00c26625e70cff3613540c5718fe74e4c7d12
- SHA512: 7c3b08ebbc57467aa3615b14d7ea6f629e03e49c17d6268f62345cc58f4ca9823e45ef101c1e247db354ca944481470f94f9c226bc7774f78da9ad0185a76b47
- SSDEEP: 1536:ZAiYlXZeFi9eKNVlb8i7ZUNQmD4O+HoddUT:anpo2Xb8C8D4OUoET
Malware Config
Extracted family: xworm
- Install_directory: %ProgramData%
- install_file: svchost.exe
- pastebin_url: https://pastebin.com/raw/z5PQ82wE
The install directory and file name match the dropped copy at C:\ProgramData\svchost.exe seen below. The pastebin_url is XWorm's dead-drop resolver: at runtime the client reads its C2 host and port from that paste, so the operator can move the C2 without rebuilding the sample. Hunt and block on the paste URL itself, not only on whatever C2 address a single run happened to resolve.
Signatures

Detect Xworm Payload (3 IoCs)
Resource | YARA rule
behavioral1/memory/2412-0-0x0000000000920000-0x000000000093A000-memory.dmp | family_xworm
C:\ProgramData\svchost.exe | family_xworm
behavioral1/memory/2908-11-0x00000000013B0000-0x00000000013CA000-memory.dmp | family_xworm

Drops startup file (2 IoCs)
Description | IoC | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | B1OdUv8CBH.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | B1OdUv8CBH.exe

Executes dropped EXE (1 IoC)
PID | Process
2908 | svchost.exe (the dropped copy at C:\ProgramData\svchost.exe)

Adds Run key to start application (2 TTPs, 1 IoC)
Description | IoC | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\ProgramData\\svchost.exe" | B1OdUv8CBH.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
The individual IoCs are not itemised on the page.

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Flow | IoC
4 | ip-api.com

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution. Here the task is named "svchost", runs C:\ProgramData\svchost.exe every minute (/sc minute /mo 1), overwrites any existing task of that name (/f) and asks for the highest available run level (/RL HIGHEST), which for an administrator account means the full elevated token without a UAC prompt. The full command line is in the process tree below.

Suspicious behavior: AddClipboardFormatListener (1 IoC)
PID | Process
2412 | B1OdUv8CBH.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
PID | Process
2412 | B1OdUv8CBH.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Description | PID | Process
Token: SeDebugPrivilege | 2412 | B1OdUv8CBH.exe
Token: SeDebugPrivilege | 2412 | B1OdUv8CBH.exe
Token: SeDebugPrivilege | 2908 | svchost.exe (the dropped copy)

Suspicious use of SetWindowsHookEx (1 IoC)
PID | Process
2412 | B1OdUv8CBH.exe
A clipboard format listener plus a Windows hook are the usual user-mode primitives for clipboard monitoring and keystroke capture.

Suspicious use of WriteProcessMemory (6 IoCs)
Source PID | Source process | Target PID | Target process
2412 | B1OdUv8CBH.exe | 2584 | schtasks.exe (recorded 3 times)
2512 | taskeng.exe | 2908 | svchost.exe (recorded 3 times)
Both entries are a parent writing into a child it has just created. The sandbox raises this signature on ordinary process spawns as well, so on its own it is not evidence of injection into a third process.

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

1. C:\Users\Admin\AppData\Local\Temp\B1OdUv8CBH.exe (PID 2412)
   Command line: "C:\Users\Admin\AppData\Local\Temp\B1OdUv8CBH.exe"
   - Drops startup file
   - Adds Run key to start application
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\schtasks.exe (PID 2584)
      Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\ProgramData\svchost.exe"
      - Creates scheduled task(s)

1. C:\Windows\system32\taskeng.exe (PID 2512)
   Command line: taskeng.exe {CDB002CA-E16A-49DB-8CB1-F079C6BDDB92} S-1-5-21-2297530677-1229052932-2803917579-1000:HKULBIBU\Admin:Interactive:[1]
   - Suspicious use of WriteProcessMemory
   2. C:\ProgramData\svchost.exe (PID 2908)
      Command line: C:\ProgramData\svchost.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken

The dropped copy is not started by the sample directly: its parent is taskeng.exe, the Task Scheduler engine running as HKULBIBU\Admin, so the one-minute "svchost" task fired within the 48-second run. C:\ProgramData\svchost.exe is the scheduled-task execution of the self-copy, not the Windows service host, which lives in C:\Windows\System32.
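The three persistence artefacts in this report (a scheduled task named like a system binary that re-runs a %ProgramData% executable every minute, a Run value under HKU, and a Startup-folder shortcut) share one tell: the name "svchost" attached to a path no real svchost ever runs from. The detector below is an added example written for this page; it is not the sandbox's logic or part of XWorm. The event dictionaries, their field names, the MASQUERADE_NAMES list and the "NightlyBackup" control task are constructed assumptions modelled loosely on Sysmon event IDs 1, 13 and 11; only the malicious values are taken from the report.

```python
import re
from dataclasses import dataclass

# Windows system-binary names that malware borrows for task names, Run values and
# dropped files (assumed list; the sample in this report uses "svchost" for all three).
MASQUERADE_NAMES = {"svchost", "lsass", "csrss", "winlogon", "explorer", "dllhost", "conhost"}
# Directories a genuine system binary is never launched from (assumed list).
USER_WRITABLE_DIRS = ("c:\\programdata\\", "c:\\users\\", "c:\\windows\\temp\\")

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\([^\\]+)$", re.I)
STARTUP_LNK = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.lnk$", re.I)


@dataclass
class Finding:
    rule: str
    process: str
    evidence: str


def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, keeping double-quoted runs intact."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def parse_schtasks(cmdline: str) -> dict[str, str]:
    """Map each /switch to its value ("" for bare switches such as /create or /f)."""
    toks, args, i = tokenize(cmdline), {}, 0
    while i < len(toks):
        if toks[i].startswith("/"):
            key = toks[i][1:].lower()
            if i + 1 < len(toks) and not toks[i + 1].startswith("/"):
                args[key] = toks[i + 1]
                i += 1
            else:
                args[key] = ""
        i += 1
    return args


def basename_noext(path: str) -> str:
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith((".exe", ".lnk")) else name


def in_user_writable(path: str) -> bool:
    return path.strip('"').lower().startswith(USER_WRITABLE_DIRS)


def check_process(ev: dict) -> list[Finding]:
    """Process-creation event: {"type": "process", "image": ..., "cmdline": ...}."""
    if basename_noext(ev["image"]) != "schtasks":
        return []
    args = parse_schtasks(ev["cmdline"])
    if "create" not in args:
        return []
    tn, tr, mo = args.get("tn", ""), args.get("tr", ""), args.get("mo", "1")
    hits = []
    if basename_noext(tn) in MASQUERADE_NAMES:
        hits.append(f"task name {tn!r} imitates a system binary")
    if in_user_writable(tr):
        hits.append(f"task action {tr!r} is in a user-writable directory")
    if args.get("sc", "").lower() == "minute" and mo.isdigit() and int(mo) <= 5:
        hits.append(f"re-runs every {mo} minute(s)")
    if args.get("rl", "").lower() == "highest":
        hits.append("requests /RL HIGHEST")
    # One weak indicator alone (an admin's minute-interval job) is not worth an alert.
    return [Finding("schtasks_persistence", ev["image"], "; ".join(hits))] if len(hits) >= 2 else []


def check_registry(ev: dict) -> list[Finding]:
    """Registry value-set event: {"type": "registry", "process": ..., "target": ..., "details": ...}."""
    m = RUN_KEY.search(ev["target"])
    if not m:
        return []
    value_name, data, hits = m.group(2), ev["details"], []
    if basename_noext(value_name) in MASQUERADE_NAMES:
        hits.append(f"Run value {value_name!r} imitates a system binary")
    if in_user_writable(data):
        hits.append(f"Run value launches {data!r}")
    return [Finding("run_key_persistence", ev["process"], "; ".join(hits))] if hits else []


def check_file(ev: dict) -> list[Finding]:
    """File-creation event: {"type": "file", "process": ..., "target": ...}."""
    # Installers also drop Startup shortcuts, so the masquerading name is the discriminator.
    if STARTUP_LNK.search(ev["target"]) and basename_noext(ev["target"]) in MASQUERADE_NAMES:
        return [Finding("startup_folder_persistence", ev["process"], ev["target"])]
    return []


CHECKS = {"process": check_process, "registry": check_registry, "file": check_file}


def analyze(events: list[dict]) -> list[Finding]:
    return [f for ev in events for f in CHECKS[ev["type"]](ev)]


# Constructed telemetry mirroring this report's process tree and IoCs, plus an
# invented benign control task that must not fire.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 '
                r'/tn "svchost" /tr "C:\ProgramData\svchost.exe"'},
    {"type": "registry", "process": r"C:\Users\Admin\AppData\Local\Temp\B1OdUv8CBH.exe",
     "target": r"\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000"
               r"\Software\Microsoft\Windows\CurrentVersion\Run\svchost",
     "details": r"C:\ProgramData\svchost.exe"},
    {"type": "file", "process": r"C:\Users\Admin\AppData\Local\Temp\B1OdUv8CBH.exe",
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk"},
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "NightlyBackup" /tr "C:\Windows\System32\wbadmin.exe" /sc daily /st 02:00'},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.process}: {f.evidence}")
```

Run as a script it prints one finding per malicious event and nothing for the control task. The schtasks rule deliberately requires two indicators so that a legitimate minute-interval job or a single /RL HIGHEST task does not page anyone; the name-plus-path combination seen here clears that bar on its own.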
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads

C:\ProgramData\svchost.exe
- Filesize: 1.0MB
- MD5: 73a20ee98214059033a93ff5da62d903
- SHA1: a35422a4969f7d79fc9cf597cf40b7456d5b05d8
- SHA256: 5df7cf7c7d153a0e55b0ca9299d00c26625e70cff3613540c5718fe74e4c7d12
- SHA512: 7c3b08ebbc57467aa3615b14d7ea6f629e03e49c17d6268f62345cc58f4ca9823e45ef101c1e247db354ca944481470f94f9c226bc7774f78da9ad0185a76b47
All four hashes are identical to the submitted sample: the dropped file is a byte-for-byte self-copy, not a second stage, so the sample's hashes cover both on-disk artefacts.

Memory dumps (behavioral1)
Dump | Filesize
memory/2412-0-0x0000000000920000-0x000000000093A000-memory.dmp | 104KB
memory/2412-1-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp | 9.9MB
memory/2412-2-0x0000000001E90000-0x0000000001F10000-memory.dmp | 512KB
memory/2412-7-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp | 9.9MB
memory/2412-13-0x0000000001E90000-0x0000000001F10000-memory.dmp | 512KB
memory/2908-11-0x00000000013B0000-0x00000000013CA000-memory.dmp | 104KB
memory/2908-12-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp | 9.9MB
memory/2908-14-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp | 9.9MB
The two 104KB regions (2412-0 in the original process, 2908-11 in the dropped copy) are the ones that matched the family_xworm YARA rule above; the 9.9MB region is mapped at the same address in both processes.