Analysis

  • max time kernel
    145s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    29-04-2024 00:38

General

  • Target

    System.exe

  • Size

    76KB

  • MD5

    926f40028aab7e451391a2f0a1f19878

  • SHA1

    3154d7a394ab28b112813e1e2da05571d5f73610

  • SHA256

    c9616db331e3194dce2010d0ee4be7525b83e5761dad9af507035e9a3ef89a8e

  • SHA512

    ed7ef5b89abfe6dfe68e7c365ae4a5925a57e3a470f64714a6614f1ca80746e70ef73bbb2fef56d8ee3123c4066acc5678c7dc629995f42178a65d53cf3ac18f

  • SSDEEP

    1536:eryUJOfxZ+3NZuLtK4q5KKI+bsjI3Bb9J6rJMtOGGL8LnV:Qyk9YxaXI+bsUgSOGGL8bV

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:51984

distribution-devoted.gl.at.ply.gg:51984

Attributes
  • Install_directory

    %Public%

  • install_file

    System.exe

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1234290044433465374/GpPW-XGmfNZwg5e2f01EG2PFFPvogLtW7nThGaKgRHlCFk37428m1sT_iMF8jegOqr27

Signatures

  • Detect Umbral payload 2 IoCs
  • Detect Xworm Payload 4 IoCs
  • Umbral

    Umbral stealer is an open-source modular stealer written in C#.

  • Xworm

    Xworm is a remote access trojan written in C#.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 50 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\System.exe
    "C:\Users\Admin\AppData\Local\Temp\System.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1612
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\System.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2112
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2652
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\System.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2584
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2536
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System" /tr "C:\Users\Public\System.exe"
      2⤵
      • Creates scheduled task(s)
      PID:3048
    • C:\Users\Admin\AppData\Local\Temp\bpynak.exe
      "C:\Users\Admin\AppData\Local\Temp\bpynak.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1816
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3024
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {6D6784B2-F2D5-4810-9985-F5D00FC1055E} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1628
    • C:\Users\Public\System.exe
      C:\Users\Public\System.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1740
    • C:\Users\Public\System.exe
      C:\Users\Public\System.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3036
    • C:\Users\Public\System.exe
      C:\Users\Public\System.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2396
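
The process tree above is the part of this report a detection engineer will reuse: four Defender exclusions added through Add-MpPreference, a schtasks /create that runs a copy of the sample from C:\Users\Public every minute as HIGHEST, a dropped second stage (bpynak.exe) fingerprinting the machine with wmic csproduct get uuid, and taskeng.exe then launching the Public copy. The following Python script is an added example, not part of the sandbox report, that runs simple rules over process-creation events whose images and command lines are copied from the tree above. The event shape, the parent links (ppid), the rule names and the ATT&CK technique IDs are the editor's assumptions (the report lists no mappings itself); the ply.gg labelling reflects that those hostnames belong to the playit.gg tunnelling service, which the report does not state.

```python
"""Detection rules for the behaviours in the process tree (added example)."""
from __future__ import annotations
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed process-creation events. Images and command lines are copied from
# the report's process tree; the event shape and the "ppid" links are assumed.
EVENTS = [
    {"pid": 1612, "ppid": 0, "image": r"C:\Users\Admin\AppData\Local\Temp\System.exe",
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\System.exe"'},
    {"pid": 2112, "ppid": 1612, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass '
            r"Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\System.exe'"},
    {"pid": 2652, "ppid": 1612, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass '
            r"Add-MpPreference -ExclusionProcess 'System.exe'"},
    {"pid": 3048, "ppid": 1612, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 '
            r'/tn "System" /tr "C:\Users\Public\System.exe"'},
    {"pid": 3024, "ppid": 1816, "image": r"C:\Windows\System32\Wbem\wmic.exe",
     "cmd": r'"wmic.exe" csproduct get uuid'},
    {"pid": 1628, "ppid": 0, "image": r"C:\Windows\system32\taskeng.exe",
     "cmd": r"taskeng.exe {6D6784B2-F2D5-4810-9985-F5D00FC1055E} "
            r"S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]"},
    {"pid": 1740, "ppid": 1628, "image": r"C:\Users\Public\System.exe",
     "cmd": r"C:\Users\Public\System.exe"},
]

@dataclass
class Finding:
    pid: int
    rule: str
    technique: str   # ATT&CK technique ID assigned by this script, not by the report
    detail: str

# Add-MpPreference -ExclusionPath / -ExclusionProcess / -ExclusionExtension <value>
EXCLUSION_RE = re.compile(r"add-mppreference.*?-exclusion(path|process|extension)\s+['\"]?([^'\"]+)", re.I)
# schtasks options that matter for triage: /sc, /mo, /rl, /tn, /tr (quoted or bare values)
SCHTASKS_OPT_RE = re.compile(r'/(sc|mo|rl|tn|tr)\s+("[^"]*"|\S+)', re.I)
# Directories any user can write to; a binary persisted from here is a red flag.
USER_WRITABLE = ("c:\\users\\public\\", "\\appdata\\local\\temp\\")

def _in_user_writable(path: str) -> bool:
    p = path.lower()
    return any(d in p for d in USER_WRITABLE)

def check_event(ev: dict, by_pid: dict) -> list[Finding]:
    image, cmd, low = ev["image"].lower(), ev["cmd"], ev["cmd"].lower()
    out: list[Finding] = []
    if image.endswith("powershell.exe"):
        m = EXCLUSION_RE.search(cmd)
        if m:   # Impair Defenses: Disable or Modify Tools
            out.append(Finding(ev["pid"], "defender_exclusion_added", "T1562.001",
                               f"-Exclusion{m.group(1)} {m.group(2)}"))
    if image.endswith("schtasks.exe") and "/create" in low:
        opts = {k.lower(): v.strip('"') for k, v in SCHTASKS_OPT_RE.findall(cmd)}
        target = opts.get("tr", "")
        every_minute = opts.get("sc", "").lower() == "minute" and opts.get("mo", "1") == "1"
        elevated = opts.get("rl", "").lower() == "highest"
        if _in_user_writable(target) or every_minute or elevated:   # Scheduled Task
            out.append(Finding(ev["pid"], "scheduled_task_persistence", "T1053.005",
                               f"task {opts.get('tn')} runs {target} sc={opts.get('sc')} "
                               f"mo={opts.get('mo')} rl={opts.get('rl')}"))
    if image.endswith("wmic.exe") and "csproduct" in low and "uuid" in low:
        out.append(Finding(ev["pid"], "machine_uuid_enumeration", "T1082", cmd))
    parent = by_pid.get(ev["ppid"])
    if _in_user_writable(ev["image"]) and parent and parent["image"].lower().endswith("taskeng.exe"):
        out.append(Finding(ev["pid"], "task_scheduler_launched_user_writable_exe", "T1053.005", ev["image"]))
    return out

def scan(events: list[dict] = EVENTS) -> list[Finding]:
    by_pid = {e["pid"]: e for e in events}
    return [f for e in events for f in check_event(e, by_pid)]

def classify_c2(endpoint: str) -> str:
    """Coarse label for a C2 endpoint taken from an extracted config."""
    host = urlparse(endpoint).hostname if "://" in endpoint else endpoint.rsplit(":", 1)[0]
    host = (host or "").lower()
    if host == "discord.com" and "/api/webhooks/" in endpoint:
        return "discord_webhook"   # exfil via a legitimate SaaS endpoint; block the webhook ID, not the domain
    if host.endswith(".ply.gg"):
        return "tunnel_service"    # playit.gg relay hostname (assumption); hides the operator's real IP
    if host.startswith("127.") or host == "localhost":
        return "loopback"          # builder default left in the config; not reachable from a victim
    return "other"

if __name__ == "__main__":
    for f in scan():
        print(f"pid {f.pid:>5}  {f.technique:<9}  {f.rule:<42}  {f.detail}")
    for c2 in ("127.0.0.1:51984", "distribution-devoted.gl.at.ply.gg:51984"):
        print(c2, "->", classify_c2(c2))
```

The schtasks rule fires on any one of three traits (target in a user-writable directory, a one-minute repeat, /RL HIGHEST) because the sample shows all three together, but each alone is worth an alert. The loopback C2 entry is deliberately kept out of block lists; the ply.gg hostname and the Discord webhook ID are the indicators worth acting on.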

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\bpynak.exe

    Filesize

    230KB

    MD5

    45577e6ae7385f0c27f02bbad18ad9c8

    SHA1

    e824b1a48f6c2b0618e42aeae2d3bc5283512450

    SHA256

    44a57459b4a74d887e177f5155cd19fcbaf948685f079022888aad127ed849dd

    SHA512

    c73d1e4190bf0e23d92cfb672cabe21329a11497a5995b106e2694ce6df83987d0b300d1afa35f24fedc5e478c07b13ae898671e1c69de5e74c1b5b138d663ed

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    7KB

    MD5

    81bc942f69dc51742f4b0bc1b9ef1af7

    SHA1

    262842aaec1e1daaecf8179ecc9f4c0f4417e188

    SHA256

    3ce723798f8d3f390b9fa803c6e68cbe12da3d83b1f072da38b60268ec83b96d

    SHA512

    f865f2753e8fa5a0f749197fd6359c58f1ec873bea7dd70fc6f402cdb4304d0f1a755d651ac77eed7cc0a3a79a2b452d3daf43aba0625000ed91a3ceb8b60c92

  • C:\Users\Public\System.exe

    Filesize

    76KB

    MD5

    926f40028aab7e451391a2f0a1f19878

    SHA1

    3154d7a394ab28b112813e1e2da05571d5f73610

    SHA256

    c9616db331e3194dce2010d0ee4be7525b83e5761dad9af507035e9a3ef89a8e

    SHA512

    ed7ef5b89abfe6dfe68e7c365ae4a5925a57e3a470f64714a6614f1ca80746e70ef73bbb2fef56d8ee3123c4066acc5678c7dc629995f42178a65d53cf3ac18f

  • memory/1612-36-0x0000000000790000-0x000000000079C000-memory.dmp

    Filesize

    48KB

  • memory/1612-35-0x000007FEF51F0000-0x000007FEF5BDC000-memory.dmp

    Filesize

    9.9MB

  • memory/1612-47-0x0000000002200000-0x000000000220E000-memory.dmp

    Filesize

    56KB

  • memory/1612-46-0x000000001B280000-0x000000001B330000-memory.dmp

    Filesize

    704KB

  • memory/1612-1-0x000007FEF51F0000-0x000007FEF5BDC000-memory.dmp

    Filesize

    9.9MB

  • memory/1612-30-0x000000001B390000-0x000000001B410000-memory.dmp

    Filesize

    512KB

  • memory/1612-37-0x000000001B390000-0x000000001B410000-memory.dmp

    Filesize

    512KB

  • memory/1612-0-0x00000000000E0000-0x00000000000FA000-memory.dmp

    Filesize

    104KB

  • memory/1740-34-0x0000000001190000-0x00000000011AA000-memory.dmp

    Filesize

    104KB

  • memory/1816-44-0x0000000000D00000-0x0000000000D40000-memory.dmp

    Filesize

    256KB

  • memory/2112-8-0x0000000001DE0000-0x0000000001DE8000-memory.dmp

    Filesize

    32KB

  • memory/2112-6-0x00000000025B0000-0x0000000002630000-memory.dmp

    Filesize

    512KB

  • memory/2112-7-0x000000001B320000-0x000000001B602000-memory.dmp

    Filesize

    2.9MB

  • memory/2396-49-0x0000000000080000-0x000000000009A000-memory.dmp

    Filesize

    104KB

  • memory/2652-15-0x0000000002670000-0x0000000002678000-memory.dmp

    Filesize

    32KB

  • memory/2652-14-0x000000001B290000-0x000000001B572000-memory.dmp

    Filesize

    2.9MB