Overview

overview

10

Static

static

3

Krampus V1.0.5.exe

windows7-x64

10

Krampus V1.0.5.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    62s
  • max time network
    62s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    20-04-2024 15:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Krampus V1.0.5.exe

  • Size

    7.4MB

  • MD5

    6cfc075819c99a2c6515729392b9ba02

  • SHA1

    c6224ff71c43b6ae461d9ad870da5002a4e8bd5e

  • SHA256

    a98d837ed01480f717df0d2f47021b757b8093469134f321cbd1e1a4c6fb8f5c

  • SHA512

    7ee09e6c429f010a2e74170dcc0bc7c984fb436cbdf8eedba5c48eb8b82f68338aad9e5293b93438b191afd0d22277db0befb2f0c9d8392365bebeea209b53b6

  • SSDEEP

    98304:NSc0SbSMt+dnz8JjHWxJHRLIHzcrmpliRYOeTjcIJ1IlhlWu8hK87N7Ceg6H08Bi:gMt+dnIdHWxdKHoYOeXRihlWu8YgoP/

Score
10/10
xwormpersistencerattrojanupx

Malware Config

Extracted

Family

xworm

C2

yet-musicians.gl.at.ply.gg:27619

Attributes
  • Install_directory

    %Userprofile%

  • install_file

    discord.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Drops startup file 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 3 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 51 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Krampus V1.0.5.exe
    "C:\Users\Admin\AppData\Local\Temp\Krampus V1.0.5.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2492
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\test.bat'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2632
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\Windows\System32\test.bat" "
      2⤵
        PID:2408
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Built.exe'
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2424
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "Built" /SC ONLOGON /TR "C:\Windows\System32\Built.exe" /RL HIGHEST
        2⤵
        • Creates scheduled task(s)
        PID:2724
      • C:\Windows\System32\Built.exe
        "C:\Windows\System32\Built.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2864
        • C:\Windows\System32\Built.exe
          "C:\Windows\System32\Built.exe"
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:1520
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\test.exe'
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1460
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "test" /SC ONLOGON /TR "C:\Windows\System32\test.exe" /RL HIGHEST
        2⤵
        • Creates scheduled task(s)
        PID:1260
      • C:\Windows\System32\test.exe
        "C:\Windows\System32\test.exe"
        2⤵
        • Drops startup file
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2032
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\test.exe'
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2220
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'test.exe'
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2916
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\discord.exe'
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3000
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'discord.exe'
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3032
        • C:\Windows\System32\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "discord" /tr "C:\Users\Admin\discord.exe"
          3⤵
          • Creates scheduled task(s)
          PID:1992
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\ggs.txt
      1⤵
      • Opens file in notepad (likely ransom note)
      PID:1940

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\_MEI28642\python311.dll
      Filesize

      1.6MB

      MD5

      b167b98fc5c89d65cb1fa8df31c5de13

      SHA1

      3a6597007f572ea09ed233d813462e80e14c5444

      SHA256

      28eda3ba32f5247c1a7bd2777ead982c24175765c4e2c1c28a0ef708079f2c76

      SHA512

      40a1f5cd2af7e7c28d4c8e327310ea1982478a9f6d300950c7372634df0d9ad840f3c64fe35cc01db4c798bd153b210c0a8472ae0898bebf8cf9c25dd3638de8

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      06e91f927591cd7a282bdbac8b7e0df0

      SHA1

      d7c818508895bfaf7f9a43374beb7f321490faf7

      SHA256

      36e4e98cc33ba6e1644a9b9e9a90032e33ef2fe1b29b3b37fbcc6b07f499024c

      SHA512

      202f5e4c35c30c0583abf59762396f51b8a3cb0a1fe13ccc5ad2ad32002585dfbcc7a793871ed28756b26c1a193df4767d40197aa7bf6fe45888d6535b31be99

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      9ea8d5818ee1374c1f9a75d914055b00

      SHA1

      7729ddb5aa9a886f3b059d187dcc597dc1d236c2

      SHA256

      93c933199ec20a0bb73081fd38e94d5197d9fbf06e98bd67fd16ccc4180fe576

      SHA512

      d6160ab51862fc298958ca887f639841fa6074c3ea61a6ca9af3a5a614875c5b4ae9c9e0bd0c98374874b5e857eb729959239cfd33a965897c2c399633c3fa8d

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MFMQWI1SZ04VBL67NDC5.temp
      Filesize

      7KB

      MD5

      2c0d46959bf5e4086deff4a14cf8d083

      SHA1

      4cb0f8ec196dec5e08710af33af4373fd0f3785e

      SHA256

      21293a7c6f82e57782dbc9d5e3366b9e919eef2c99581c4180439b5a18dfe9b2

      SHA512

      c3632495d22b8e609b1aeabfb6575ac9a71cd69855d1e69768b8187956dae616541520f590cdeedeba9d2731e5ed585bc4bf5de7b9e04f29d0577cc99ba2587d

      Download Submit

    • C:\Windows\System32\test.bat
      Filesize

      435B

      MD5

      40f36b839af3aad8887e3cfe758efab8

      SHA1

      2d60ce25bf47ce4c4969cd73bd204491a3e2d18e

      SHA256

      c9650c17cca714b78e175479a9d9bcf2b6d01629d00418fc2f2b9167563ecb1d

      SHA512

      13ee91dde3b5c6920fc94df15e1d37f66f009a3b5d770fc747d7000a8c4d5091dddaf642b3f1edf01e3ac7f63b652576525401a801c6e4f7621860070f667f8c

      Download Submit

    • C:\Windows\System32\test.exe
      Filesize

      140KB

      MD5

      b2a4fa40f85cc8b5c66ff6bb6cc7b7ef

      SHA1

      57477ff6b2c5b45442a771e621db0688b15c72cf

      SHA256

      b8517dfc87a24a2364ec2f742af3d2c88ad216b0cd2acba632284fd10ce5bcdd

      SHA512

      323b2f2a03bcbc1788eb97af0f5d8824fb5c4caff7c5d5c1f00ee367965d4fe3fc62816a558ca5cb15baf2d6dba3200c72f757455488e7927e28ebe93e136a0e

      Download Submit

    • \??\PIPE\srvsvc
      MD5

      d41d8cd98f00b204e9800998ecf8427e

      SHA1

      da39a3ee5e6b4b0d3255bfef95601890afd80709

      SHA256

      e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

      SHA512

      cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

      Download Submit

    • \Windows\System32\Built.exe
      Filesize

      7.4MB

      MD5

      7e312ac869e50b5847ff56eab59567d2

      SHA1

      3bcefc87de994260931ac94760e6b478696048be

      SHA256

      5a77b59bd2f5486fbb176fe7c7e8cc478419247c142e5ea7db8d14966bccb5af

      SHA512

      fb9a3658a636644d2df12c2ca1d6f399c84e571491a0dab888d798e5b9ccfb648e077cb90dfbffd5ad24f85441fafc1bb887b160263a2d53577c5db1adf892ee

      Download Submit

    • memory/1460-82-0x0000000001EE0000-0x0000000001F60000-memory.dmp

      Filesize

      512KB

      Download

    • memory/1460-79-0x000007FEED950000-0x000007FEEE2ED000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1460-78-0x0000000001EE0000-0x0000000001F60000-memory.dmp

      Filesize

      512KB

      Download

    • memory/1460-80-0x0000000001EE0000-0x0000000001F60000-memory.dmp

      Filesize

      512KB

      Download

    • memory/1460-83-0x000007FEED950000-0x000007FEEE2ED000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1460-84-0x0000000001EE0000-0x0000000001F60000-memory.dmp

      Filesize

      512KB

      Download

    • memory/1460-85-0x000007FEED950000-0x000007FEEE2ED000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1520-77-0x000007FEEE2F0000-0x000007FEEE8E0000-memory.dmp

      Filesize

      5.9MB

      Download

    • memory/1940-187-0x00000000001F0000-0x00000000001F1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2032-92-0x000007FEF5360000-0x000007FEF5D4C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2032-94-0x0000000001090000-0x00000000010B8000-memory.dmp

      Filesize

      160KB

      Download

    • memory/2032-119-0x000007FEF5360000-0x000007FEF5D4C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2032-177-0x000000001AE60000-0x000000001AEE0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2032-95-0x000000001AE60000-0x000000001AEE0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2220-106-0x000007FEEE7D0000-0x000007FEEF16D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2220-108-0x000007FEEE7D0000-0x000007FEEF16D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2220-107-0x0000000002D10000-0x0000000002D90000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2220-104-0x0000000002D10000-0x0000000002D90000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2220-103-0x000007FEEE7D0000-0x000007FEEF16D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2220-105-0x0000000002D10000-0x0000000002D90000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2424-34-0x0000000002BB0000-0x0000000002BB8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2424-32-0x000007FEED5A0000-0x000007FEEDF3D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2424-38-0x00000000027C0000-0x0000000002840000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2424-39-0x000007FEED5A0000-0x000007FEEDF3D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2424-37-0x00000000027C0000-0x0000000002840000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2424-36-0x00000000027C0000-0x0000000002840000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2424-33-0x00000000027C0000-0x0000000002840000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2424-35-0x000007FEED5A0000-0x000007FEEDF3D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2424-31-0x000000001B560000-0x000000001B842000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2492-93-0x000007FEF5360000-0x000007FEF5D4C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2492-1-0x000007FEF5360000-0x000007FEF5D4C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2492-2-0x000000001C1C0000-0x000000001C240000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2492-81-0x000007FEF5360000-0x000007FEF5D4C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2492-0-0x0000000000330000-0x0000000000A96000-memory.dmp

      Filesize

      7.4MB

      Download

    • memory/2632-12-0x0000000002850000-0x00000000028D0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2632-13-0x0000000002850000-0x00000000028D0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2632-11-0x000007FEEDF40000-0x000007FEEE8DD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2632-8-0x000007FEEDF40000-0x000007FEEE8DD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2632-10-0x0000000002850000-0x00000000028D0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2632-9-0x0000000002BB0000-0x0000000002BB8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2632-14-0x0000000002850000-0x00000000028D0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2632-15-0x000007FEEDF40000-0x000007FEEE8DD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2632-7-0x000000001B410000-0x000000001B6F2000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2916-114-0x0000000002890000-0x0000000002898000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2916-116-0x000007FEED0C0000-0x000007FEEDA5D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2916-118-0x0000000002940000-0x00000000029C0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2916-120-0x0000000002940000-0x00000000029C0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2916-121-0x000007FEED0C0000-0x000007FEEDA5D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2916-115-0x000007FEED0C0000-0x000007FEEDA5D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2916-117-0x0000000002940000-0x00000000029C0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/3000-132-0x0000000002CA0000-0x0000000002D20000-memory.dmp

      Filesize

      512KB

      Download

    • memory/3000-130-0x0000000002CA0000-0x0000000002D20000-memory.dmp

      Filesize

      512KB

      Download

    • memory/3000-129-0x000007FEEE7D0000-0x000007FEEF16D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/3000-131-0x0000000002CA0000-0x0000000002D20000-memory.dmp

      Filesize

      512KB

      Download

    • memory/3000-133-0x000007FEEE7D0000-0x000007FEEF16D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/3000-127-0x000007FEEE7D0000-0x000007FEEF16D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/3000-128-0x0000000002CA0000-0x0000000002D20000-memory.dmp

      Filesize

      512KB

      Download

    • memory/3032-139-0x000007FEED0C0000-0x000007FEEDA5D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/3032-140-0x0000000001E80000-0x0000000001F00000-memory.dmp

      Filesize

      512KB

      Download

    • memory/3032-142-0x0000000001E80000-0x0000000001F00000-memory.dmp

      Filesize

      512KB

      Download

    • memory/3032-141-0x000007FEED0C0000-0x000007FEEDA5D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/3032-143-0x0000000001E80000-0x0000000001F00000-memory.dmp

      Filesize

      512KB

      Download

    • memory/3032-144-0x000007FEED0C0000-0x000007FEEDA5D000-memory.dmp

      Filesize

      9.6MB

      Download