Analysis
max time kernel: 4s
max time network: 5s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 20-04-2024 15:29
Static task: static1
Behavioral task: behavioral1
Sample: Output.exe
Resource: win7-20240220-en
General
Target: Output.exe
Size: 98KB
MD5: d7557a4322101418a54b3ba0d973bdb1
SHA1: 57ae796673ce3d7d32dc4490f5e331c643aa8228
SHA256: 8f26c490abbe3b76d42635347d83ffa6387888021d4909fcfd63e3dcc25540d2
SHA512: d2118512333b3e72eb1fad020082468b6d67689e104fcb4a0bb455c4870b429eff119987ca87d697398572e022a38949f5d3b75c3fd4c6106057d84ff786d773
SSDEEP: 1536:ijXg7n3OaMrKTV82jTj5I6Ws5SZYSx8fWL5uWQaIK0naap+/l8NXftTOqg:ijw7n+NKTZFPkZvT5uCIak+/l8lfE
Malware Config
Extracted
Family: xworm
C2: million-houston.gl.at.ply.gg:27705
Install_directory: %AppData%
install_file: BloxstrapModded.exe
Signatures

Detect Xworm Payload (2 IoCs)
  resource                                                                   yara_rule
  C:\Users\Admin\AppData\Roaming\XClient.exe                                 family_xworm
  behavioral1/memory/2080-8-0x0000000000180000-0x000000000019A000-memory.dmp  family_xworm

Executes dropped EXE (1 IoCs)
  pid   process
  2080  XClient.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Opens file in notepad (likely ransom note) (1 IoCs)
  pid   process
  2660  NOTEPAD.EXE

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description              pid   process
  Token: SeDebugPrivilege  2080  XClient.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description                       pid   process     target process
  PID 2468 wrote to memory of 2080  2468  Output.exe  XClient.exe
  PID 2468 wrote to memory of 2080  2468  Output.exe  XClient.exe
  PID 2468 wrote to memory of 2080  2468  Output.exe  XClient.exe
  PID 2468 wrote to memory of 2660  2468  Output.exe  NOTEPAD.EXE
  PID 2468 wrote to memory of 2660  2468  Output.exe  NOTEPAD.EXE
  PID 2468 wrote to memory of 2660  2468  Output.exe  NOTEPAD.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\Output.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Output.exe"
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\XClient.exe
    command line: "C:\Users\Admin\AppData\Roaming\XClient.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\NOTEPAD.EXE
    command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\README.txt
    - Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads

C:\Users\Admin\AppData\Roaming\README.txt
  Filesize: 438B
  MD5: 659061a5689cae197b49f62be53bcf40
  SHA1: 6467f2252645e7ce87932aad37e24a6eed3fefeb
  SHA256: 0ca739b146beb166072cb199c8090f98140b88c5a7c251cf4ed730487507936c
  SHA512: f5933100e6ce6a030cb7ee36213308cfa4b05859b903564c4d711e60433079dd8182922ea45f25ec8b8defca90c5aa56a94bce031e5aa0e35e11ae19fb858567

C:\Users\Admin\AppData\Roaming\XClient.exe
  Filesize: 80KB
  MD5: cfeb71480542c9b6d6aec88f02e6d820
  SHA1: 4fcf90f5f8e16dcee2fa5ee1611394533f7ff740
  SHA256: ebabe3ead25f28d4fe0a3ab1a592d7160065995da465ec549ebe8f27ba5eeee9
  SHA512: e5d1a95fe948e295f0f7cc55f88464136e088b0c7f531a132eab76025885f2de93d101981fc3dedc4bd7ed271b58578bcab235fc9d2bedca6e209fb3f7d594bd

memory/2080-8-0x0000000000180000-0x000000000019A000-memory.dmp
  Filesize: 104KB

memory/2080-9-0x000007FEF5890000-0x000007FEF627C000-memory.dmp
  Filesize: 9.9MB

memory/2080-12-0x000000001B400000-0x000000001B480000-memory.dmp
  Filesize: 512KB

memory/2468-0-0x0000000000B60000-0x0000000000B7E000-memory.dmp
  Filesize: 120KB

memory/2468-1-0x000007FEF5890000-0x000007FEF627C000-memory.dmp
  Filesize: 9.9MB

memory/2468-11-0x000007FEF5890000-0x000007FEF627C000-memory.dmp
  Filesize: 9.9MB