Analysis
-
max time kernel: 141s
-
max time network: 143s
-
platform: windows11-21h2_x64
-
resource: win11-20240412-en
-
resource tags: arch:x64, arch:x86, image:win11-20240412-en, locale:en-us, os:windows11-21h2-x64, system
-
submitted: 20-04-2024 15:39
Behavioral task: behavioral1
Sample: TestRun.exe
Resource: win11-20240412-en
General
-
Target: TestRun.exe
-
Size: 56KB
-
MD5: 594c098d8e2cf8fc36669b3398b7bd5a
-
SHA1: e0cf7de523b55b53ca5881c35090c5106b2041b8
-
SHA256: 06a8d5dde4323a28db52b3932c55c42fa0a9c1c47d4b2a289cf6466b03b3f60b
-
SHA512: a2febefa9cc0d1b80cc49ffb3b50c2552b2727c826b041c26c35ba31c725d2cd580ab7a9f6260a5cbe568f026080fe77f386403573ef206b3c3ae54ec35771bc
-
SSDEEP: 768:Up3yq/UiGz5EfnLQRySsQLp+pdVQ3apATb9c5h4uaNvjczO5h5tZ2HI:u3yq/dsu/8oSsIp+LVQbb9bLN6O5rb
Malware Config
Extracted
Family: xworm
C2: uk2.localto.net:37847
-
Install_directory: %ProgramData%
-
install_file: Google.exe
Signatures
-
Detect Xworm Payload 1 IoCs
Processes:
resource | yara_rule
behavioral1/memory/3364-0-0x0000000000130000-0x0000000000144000-memory.dmp | family_xworm
-
Drops startup file 2 IoCs
Processes: TestRun.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.lnk | TestRun.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.lnk | TestRun.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes: TestRun.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google = "C:\\ProgramData\\Google.exe" | TestRun.exe
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
1 | ip-api.com
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
Processes: MiniSearchHost.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\Local Settings\MuiCache | MiniSearchHost.exe
-
Suspicious behavior: EnumeratesProcesses 58 IoCs
Processes: TestRun.exe
pid | process
3364 | TestRun.exe (58 occurrences)
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: TestRun.exe
description | pid | process
Token: SeDebugPrivilege | 3364 | TestRun.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes: MiniSearchHost.exe, TestRun.exe
pid | process
3052 | MiniSearchHost.exe
3364 | TestRun.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\TestRun.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\TestRun.exe"
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
Command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\rundll32.exe
Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
Filesize: 10KB
MD5: e51dafe414a652360bb13068cb89f30e
SHA1: 70cf874ffedbb7dc2422530261193fd6a0b6271c
SHA256: 58e87eb01269c20618026620782ab6409efe3fc42607a9d9c380823b661d37e7
SHA512: bc894af738c4270b0293b2b49e897c74e5a8777c90a6f11a158f5c1e8b3dd9179f05a884e3d9768fe1f1b1979f92df9b19e2df5c05cf21d36949e092051f072a
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
Filesize: 10KB
MD5: 5b431d6f7e2b9ad35ba13b2d16cb21e3
SHA1: db0a9b00ca39f14ee5be3269b8527bdf65ae2fc1
SHA256: 63e00add8cd4078903228714758131588a3f1165a916bfc66e1a82076558acd0
SHA512: f27f5b3c9c23adaf50ff44e0b2af4dd121038ed4bd5ebc0b8d63094b4266a151edf94214ce85990d8e545f1f4b8b288539b7d8003979deb24629825f5b966183
-
memory/3364-0-0x0000000000130000-0x0000000000144000-memory.dmp
Filesize: 80KB
-
memory/3364-1-0x00007FFDAECC0000-0x00007FFDAF782000-memory.dmp
Filesize: 10.8MB
-
memory/3364-2-0x0000000002260000-0x0000000002270000-memory.dmp
Filesize: 64KB
-
memory/3364-26-0x00007FFDAECC0000-0x00007FFDAF782000-memory.dmp
Filesize: 10.8MB
-
memory/3364-27-0x0000000002260000-0x0000000002270000-memory.dmp
Filesize: 64KB