Overview

overview

10

Static

static

1

cryptolaemus

windows10-2004-x64

10

cryptolaemus

windows11-21h2-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-04-2024 05:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1b3711717d430ce33222b97fe8ec692741b7ac8bd9bfb4c2c975ae2f46b37470.exe

  • Size

    50KB

  • MD5

    fe7c4b36fca4fdf53789979a4a09c880

  • SHA1

    89caf7f3b9f4d7d732ade5593e1958f6f025afa1

  • SHA256

    1b3711717d430ce33222b97fe8ec692741b7ac8bd9bfb4c2c975ae2f46b37470

  • SHA512

    e0668f6dfda991ab07870d53ce291f73d48533c44dfed1178c8b98b57c799eb77f19451bc70d09caaf757bf18ef6217b44e7fc626b38c89261dc8920796339f3

  • SSDEEP

    768:mDrJUAkwf3ppZuBdrm+KiPxWEh9HgPxWEjj4G:8rkwf3ppZRsPxZgPx94G

Score
10/10
hermeticwiperxwormzgratpersistencerattrojanwiper

Malware Config

Extracted

Family

xworm

Version

3.1

C2

gamemodz.duckdns.org:6969

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

Signatures

  • Detect HermeticWiper 1 IoCs

    Detect HermeticWiper Payload.

    wiper
  • Detect Xworm Payload 1 IoCs
  • Detect ZGRat V1 34 IoCs
  • HermeticWiper

    HermeticWiper is a partition-corrupting malware used in cyberattacks against Ukrainian organizations.

    wiperhermeticwiper
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Drops file in Drivers directory 3 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: LoadsDriver 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1b3711717d430ce33222b97fe8ec692741b7ac8bd9bfb4c2c975ae2f46b37470.exe
    "C:\Users\Admin\AppData\Local\Temp\1b3711717d430ce33222b97fe8ec692741b7ac8bd9bfb4c2c975ae2f46b37470.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4296
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
      2⤵
      • Drops startup file
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2820
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "cvtres" /tr "C:\Users\Admin\AppData\Roaming\cvtres.exe"
        3⤵
        • Creates scheduled task(s)
        PID:688
      • C:\Users\Admin\AppData\Local\Temp\kgmqth.exe
        "C:\Users\Admin\AppData\Local\Temp\kgmqth.exe"
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:4816
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4136 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:372

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\kgmqth.exe
      Filesize

      114KB

      MD5

      3f4a16b29f2f0532b7ce3e7656799125

      SHA1

      61b25d11392172e587d8da3045812a66c3385451

      SHA256

      1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591

      SHA512

      32acaceda42128ef9e0a9f36ee2678d2fc296fda2df38629eb223939c8a9352b3bb2b7021bb84e9f223a4a26df57b528a711447b1451213a013fe00f9b971d80

      Download Submit

    • C:\Users\Admin\AppData\Roaming\cvtres.exe
      Filesize

      45KB

      MD5

      70d838a7dc5b359c3f938a71fad77db0

      SHA1

      66b83eb16481c334719eed406bc58a3c2b910923

      SHA256

      e4dbdbf7888ea96f3f8aa5c4c7f2bcf6e57d724dd8194fe5f35b673c6ef724ea

      SHA512

      9c9a945db5b5e7ff8105bfe74578e6f00b5f707f7c3d8f1f1fb41553a6d0eab29cef026e77877a1ad6435fa7bc369141921442e1485f2b0894c6bbcbd7791034

      Download Submit

    • memory/2820-4895-0x00000000747D0000-0x0000000074F80000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2820-4896-0x0000000000400000-0x0000000000418000-memory.dmp

      Filesize

      96KB

      Download

    • memory/2820-4897-0x00000000057D0000-0x000000000586C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/2820-4899-0x00000000059D0000-0x00000000059E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2820-4898-0x0000000005870000-0x00000000058D6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/2820-4909-0x00000000059D0000-0x00000000059E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2820-4908-0x00000000747D0000-0x0000000074F80000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4296-35-0x0000000006210000-0x0000000006430000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/4296-47-0x0000000006210000-0x0000000006430000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/4296-6-0x0000000006210000-0x0000000006430000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/4296-7-0x0000000006210000-0x0000000006430000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/4296-9-0x0000000006210000-0x0000000006430000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/4296-13-0x0000000006210000-0x0000000006430000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/4296-11-0x0000000006210000-0x0000000006430000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/4296-15-0x0000000006210000-0x0000000006430000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/4296-17-0x0000000006210000-0x0000000006430000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/4296-19-0x0000000006210000-0x0000000006430000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/4296-21-0x0000000006210000-0x0000000006430000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/4296-23-0x0000000006210000-0x0000000006430000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/4296-25-0x0000000006210000-0x0000000006430000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/4296-27-0x0000000006210000-0x0000000006430000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/4296-29-0x0000000006210000-0x0000000006430000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/4296-31-0x0000000006210000-0x0000000006430000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/4296-33-0x0000000006210000-0x0000000006430000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/4296-4-0x00000000069F0000-0x0000000006F94000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4296-37-0x0000000006210000-0x0000000006430000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/4296-39-0x0000000006210000-0x0000000006430000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/4296-41-0x0000000006210000-0x0000000006430000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/4296-43-0x0000000006210000-0x0000000006430000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/4296-45-0x0000000006210000-0x0000000006430000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/4296-5-0x0000000006540000-0x00000000065D2000-memory.dmp

      Filesize

      584KB

      Download

    • memory/4296-49-0x0000000006210000-0x0000000006430000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/4296-51-0x0000000006210000-0x0000000006430000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/4296-53-0x0000000006210000-0x0000000006430000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/4296-55-0x0000000006210000-0x0000000006430000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/4296-57-0x0000000006210000-0x0000000006430000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/4296-59-0x0000000006210000-0x0000000006430000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/4296-61-0x0000000006210000-0x0000000006430000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/4296-63-0x0000000006210000-0x0000000006430000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/4296-65-0x0000000006210000-0x0000000006430000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/4296-67-0x0000000006210000-0x0000000006430000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/4296-69-0x0000000006210000-0x0000000006430000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/4296-1556-0x00000000747D0000-0x0000000074F80000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4296-1761-0x00000000059C0000-0x00000000059D0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4296-4888-0x0000000000F80000-0x0000000000F81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4296-4889-0x0000000001830000-0x0000000001892000-memory.dmp

      Filesize

      392KB

      Download

    • memory/4296-4890-0x0000000001890000-0x00000000018DC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4296-3-0x0000000006210000-0x0000000006436000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/4296-2-0x00000000059C0000-0x00000000059D0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4296-1-0x0000000000EB0000-0x0000000000EBE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/4296-0-0x00000000747D0000-0x0000000074F80000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4296-4891-0x0000000001960000-0x00000000019B4000-memory.dmp

      Filesize

      336KB

      Download

    • memory/4296-4894-0x00000000747D0000-0x0000000074F80000-memory.dmp

      Filesize

      7.7MB

      Download