Analysis
max time kernel: 145s
max time network: 149s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 29-04-2024 00:38
Behavioral task behavioral1: sample System.exe, resource win7-20240221-en
Behavioral task behavioral2: sample System.exe, resource win10v2004-20240419-en
General
Target: System.exe
Size: 76KB
MD5: 926f40028aab7e451391a2f0a1f19878
SHA1: 3154d7a394ab28b112813e1e2da05571d5f73610
SHA256: c9616db331e3194dce2010d0ee4be7525b83e5761dad9af507035e9a3ef89a8e
SHA512: ed7ef5b89abfe6dfe68e7c365ae4a5925a57e3a470f64714a6614f1ca80746e70ef73bbb2fef56d8ee3123c4066acc5678c7dc629995f42178a65d53cf3ac18f
SSDEEP: 1536:eryUJOfxZ+3NZuLtK4q5KKI+bsjI3Bb9J6rJMtOGGL8LnV:Qyk9YxaXI+bsUgSOGGL8bV
Malware Config
Extracted: xworm
C2 hosts: 127.0.0.1:51984, distribution-devoted.gl.at.ply.gg:51984
Install_directory: %Public%
install_file: System.exe
Extracted: umbral
Webhook: https://discord.com/api/webhooks/1234290044433465374/GpPW-XGmfNZwg5e2f01EG2PFFPvogLtW7nThGaKgRHlCFk37428m1sT_iMF8jegOqr27
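The extracted configuration above contains three endpoints that deserve different handling: a loopback address (a builder default or lab artefact, not an indicator), a hostname under at.ply.gg (issued by the playit.gg tunnelling service, so blockable, but it hides the operator's real address behind the tunnel), and a Discord webhook whose token is the only credential needed to post to it. The Python below is an added example, not part of the sandbox report or of XWorm/Umbral: it parses those values and, going beyond what the report states, dates the webhook from its ID (Discord IDs are snowflakes whose top bits hold the creation time in milliseconds since 2015-01-01 UTC). The helper names are this example's own.

```python
"""Triage of the C2 and exfiltration endpoints from the report's Malware Config.
Added example, not sandbox output. Assumptions beyond the report:
- Discord IDs are snowflakes: (id >> 22) + 1420070400000 = creation time in
  Unix milliseconds (documented Discord format).
- Hostnames under at.ply.gg are issued by the playit.gg tunnelling service.
Helper names below are this example's own."""
import ipaddress
from datetime import datetime, timezone
from urllib.parse import urlsplit

DISCORD_EPOCH_MS = 1_420_070_400_000

# Copied from the report's extracted configuration.
XWORM_C2 = ["127.0.0.1:51984", "distribution-devoted.gl.at.ply.gg:51984"]
UMBRAL_WEBHOOK = ("https://discord.com/api/webhooks/1234290044433465374/"
                  "GpPW-XGmfNZwg5e2f01EG2PFFPvogLtW7nThGaKgRHlCFk37428m1sT_iMF8jegOqr27")


def snowflake_to_utc(snowflake: int) -> datetime:
    """Creation time encoded in a Discord snowflake (whole seconds, UTC)."""
    ms = (snowflake >> 22) + DISCORD_EPOCH_MS
    return datetime.fromtimestamp(ms // 1000, tz=timezone.utc)


def parse_webhook(url: str) -> dict:
    """Split a Discord webhook URL into id and token and date the id.
    The token is the credential: anyone holding the URL can post to or delete
    the webhook, so treat it as a secret when sharing the report."""
    u = urlsplit(url)
    segs = u.path.strip("/").split("/")
    if (u.netloc not in ("discord.com", "discordapp.com")
            or segs[:2] != ["api", "webhooks"] or len(segs) < 4):
        raise ValueError("not a Discord webhook URL")
    wid = int(segs[2])
    return {"id": wid, "token": segs[3],
            "created_utc": snowflake_to_utc(wid).strftime("%Y-%m-%dT%H:%M:%SZ")}


def classify_c2(hostport: str) -> dict:
    """Label a host:port from the config by how actionable it is for blocking."""
    host, _, port = hostport.rpartition(":")
    try:
        ip = ipaddress.ip_address(host)
        kind = ("loopback_placeholder" if ip.is_loopback
                else "private_ip" if ip.is_private else "direct_ip")
    except ValueError:
        kind = "playit_tunnel" if host.lower().endswith(".at.ply.gg") else "domain"
    return {"host": host, "port": int(port), "kind": kind,
            # loopback/private entries are builder defaults or lab artefacts
            "blockable": kind in ("direct_ip", "domain", "playit_tunnel")}


def triage(c2_list=XWORM_C2, webhook=UMBRAL_WEBHOOK) -> dict:
    """Combined view of the XWorm hosts and the Umbral webhook."""
    return {"xworm": [classify_c2(h) for h in c2_list],
            "umbral_webhook": parse_webhook(webhook)}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(), indent=2))
```

Running it shows the webhook was created on 28-04-2024, under an hour before the 29-04-2024 00:38 submission, which is useful for ranking it as fresh infrastructure. Report the webhook to Discord rather than calling it: a DELETE with the token would destroy the operator's channel, but also the evidence.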
Signatures
Detect Umbral payload (2 IoCs)
resource : yara_rule
behavioral1/files/0x000f00000000f680-43.dat : family_umbral
behavioral1/memory/1816-44-0x0000000000D00000-0x0000000000D40000-memory.dmp : family_umbral
Detect Xworm Payload (4 IoCs)
resource : yara_rule
behavioral1/memory/1612-0-0x00000000000E0000-0x00000000000FA000-memory.dmp : family_xworm
behavioral1/files/0x000b0000000143d1-32.dat : family_xworm
behavioral1/memory/1740-34-0x0000000001190000-0x00000000011AA000-memory.dmp : family_xworm
behavioral1/memory/2396-49-0x0000000000080000-0x000000000009A000-memory.dmp : family_xworm
Drops startup file (2 IoCs)
description : ioc : Process
File created : C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk : System.exe
File opened for modification : C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk : System.exe
Executes dropped EXE (4 IoCs)
pid : Process
1740 : System.exe
1816 : bpynak.exe
3036 : System.exe
2396 : System.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 1 IoC)
description : ioc : Process
Set value (str) : \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Users\\Public\\System.exe" : System.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid : Process
3048 : schtasks.exe
Suspicious behavior: EnumeratesProcesses (5 IoCs)
pid : Process
2112 : powershell.exe
2652 : powershell.exe
2584 : powershell.exe
2536 : powershell.exe
1612 : System.exe
Suspicious use of AdjustPrivilegeToken (50 IoCs)
description : pid : Process
Token: SeDebugPrivilege : 1612 : System.exe
Token: SeDebugPrivilege : 2112 : powershell.exe
Token: SeDebugPrivilege : 2652 : powershell.exe
Token: SeDebugPrivilege : 2584 : powershell.exe
Token: SeDebugPrivilege : 2536 : powershell.exe
Token: SeDebugPrivilege : 1612 : System.exe
Token: SeDebugPrivilege : 1740 : System.exe
Token: SeDebugPrivilege : 1816 : bpynak.exe
3024 wmic.exe, the following 20 tokens, each logged twice: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
Token: SeDebugPrivilege : 3036 : System.exe
Token: SeDebugPrivilege : 2396 : System.exe
Suspicious use of SetWindowsHookEx (1 IoC)
pid : Process
1612 : System.exe
Suspicious use of WriteProcessMemory (30 IoCs)
description : pid : Process : procid_target (each entry logged three times)
PID 1612 wrote to memory of 2112 : 1612 : System.exe : 28
PID 1612 wrote to memory of 2652 : 1612 : System.exe : 30
PID 1612 wrote to memory of 2584 : 1612 : System.exe : 32
PID 1612 wrote to memory of 2536 : 1612 : System.exe : 34
PID 1612 wrote to memory of 3048 : 1612 : System.exe : 36
PID 1628 wrote to memory of 1740 : 1628 : taskeng.exe : 39
PID 1612 wrote to memory of 1816 : 1612 : System.exe : 43
PID 1816 wrote to memory of 3024 : 1816 : bpynak.exe : 44
PID 1628 wrote to memory of 3036 : 1628 : taskeng.exe : 46
PID 1628 wrote to memory of 2396 : 1628 : taskeng.exe : 47
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\System.exe (PID 1612)
  command line: "C:\Users\Admin\AppData\Local\Temp\System.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2112)
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\System.exe'
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2652)
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System.exe'
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2584)
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\System.exe'
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2536)
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System.exe'
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\schtasks.exe (PID 3048)
      command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System" /tr "C:\Users\Public\System.exe"
      - Creates scheduled task(s)
    C:\Users\Admin\AppData\Local\Temp\bpynak.exe (PID 1816)
      command line: "C:\Users\Admin\AppData\Local\Temp\bpynak.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
        C:\Windows\System32\Wbem\wmic.exe (PID 3024)
          command line: "wmic.exe" csproduct get uuid
          - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\taskeng.exe (PID 1628)
  command line: taskeng.exe {6D6784B2-F2D5-4810-9985-F5D00FC1055E} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
    C:\Users\Public\System.exe (PID 1740)
      command line: C:\Users\Public\System.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
    C:\Users\Public\System.exe (PID 3036)
      command line: C:\Users\Public\System.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
    C:\Users\Public\System.exe (PID 2396)
      command line: C:\Users\Public\System.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
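The process tree above is what a detection engineer would write rules against: four Defender exclusions added through Add-MpPreference from a process in Temp, a schtasks task at the highest run level firing every minute from %Public%, a Run value pointing at the same path, a Temp-dropped binary querying the machine UUID through wmic, and taskeng.exe later launching the %Public% copy. The Python below is an added example, not sandbox output or any product's rule language: the event objects are constructed from this report's Processes and Signatures sections, and the field names, rule logic and ATT&CK technique mappings are this example's own.

```python
"""Detection rules over the process tree and registry write recorded in this report.
Added example, not sandbox output: events are constructed from the report's Processes
and Signatures sections; field names, rule logic and ATT&CK mappings are the example's own."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    parent_image: str
    image: str
    args: str          # command line minus the image path


@dataclass
class RegEvent:
    pid: int
    image: str
    key: str
    value_name: str
    data: str


TEMP_SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\System.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
TASKENG = r"C:\Windows\system32\taskeng.exe"

# Constructed from the report's process tree (parent, image, arguments).
PROCS = [
    ProcEvent(2112, TEMP_SAMPLE, PS, r"-ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\System.exe'"),
    ProcEvent(2652, TEMP_SAMPLE, PS, r"-ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System.exe'"),
    ProcEvent(2584, TEMP_SAMPLE, PS, r"-ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\System.exe'"),
    ProcEvent(2536, TEMP_SAMPLE, PS, r"-ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System.exe'"),
    ProcEvent(3048, TEMP_SAMPLE, r"C:\Windows\System32\schtasks.exe",
              r'/create /f /RL HIGHEST /sc minute /mo 1 /tn "System" /tr "C:\Users\Public\System.exe"'),
    ProcEvent(1816, TEMP_SAMPLE, r"C:\Users\Admin\AppData\Local\Temp\bpynak.exe", ""),
    ProcEvent(3024, r"C:\Users\Admin\AppData\Local\Temp\bpynak.exe", r"C:\Windows\System32\Wbem\wmic.exe", "csproduct get uuid"),
    ProcEvent(1740, TASKENG, r"C:\Users\Public\System.exe", ""),
    ProcEvent(3036, TASKENG, r"C:\Users\Public\System.exe", ""),
    ProcEvent(2396, TASKENG, r"C:\Users\Public\System.exe", ""),
]
# Constructed from the "Adds Run key to start application" signature.
REGS = [
    RegEvent(1612, TEMP_SAMPLE,
             r"\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run",
             "System", r"C:\Users\Public\System.exe"),
]

# Paths any interactive user can write to; a persistence target here is the signal,
# so the rules key on location rather than on the file names System.exe / bpynak.exe.
USER_WRITABLE = re.compile(r"^C:\\Users\\(?:Public|[^\\]+\\AppData)\\", re.I)


def base(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def check_proc(e: ProcEvent):
    """Return (technique, detail) if a process event matches a rule, else None."""
    a = e.args
    if base(e.image) == "powershell.exe" and re.search(r"add-mppreference\s+-exclusion(?:path|process|extension)", a, re.I):
        m = re.search(r"-Exclusion\w+\s+'([^']+)'", a)
        return "T1562.001", f"Defender exclusion added for {m.group(1) if m else a}"
    if base(e.image) == "schtasks.exe" and re.search(r"/create\b", a, re.I):
        tr = re.search(r'/tr\s+"([^"]+)"', a, re.I)
        minute = re.search(r"/sc\s+minute\s+/mo\s+(\d+)", a, re.I)
        if tr and USER_WRITABLE.match(tr.group(1)) and ("/rl highest" in a.lower() or (minute and int(minute.group(1)) <= 5)):
            return "T1053.005", f"high-privilege, every-{minute.group(1) if minute else '?'}-minute task running {tr.group(1)}"
    if base(e.image) == "wmic.exe" and re.search(r"csproduct\s+get\s+uuid", a, re.I) and USER_WRITABLE.match(e.parent_image):
        return "T1082", f"machine-UUID lookup by {e.parent_image}"
    if base(e.parent_image) == "taskeng.exe" and USER_WRITABLE.match(e.image):
        return "T1053.005", f"scheduled task executed {e.image}"
    return None


def check_reg(e: RegEvent):
    """Run-key value whose data lives in a user-writable directory."""
    if e.key.lower().endswith(r"\software\microsoft\windows\currentversion\run") and USER_WRITABLE.match(e.data):
        return "T1547.001", f"Run value {e.value_name!r} -> {e.data}"
    return None


def run_rules(procs=PROCS, regs=REGS):
    findings = []
    for e in procs:
        hit = check_proc(e)
        if hit:
            findings.append({"pid": e.pid, "technique": hit[0], "detail": hit[1]})
    for e in regs:
        hit = check_reg(e)
        if hit:
            findings.append({"pid": e.pid, "technique": hit[0], "detail": hit[1]})
    return findings


if __name__ == "__main__":
    for f in run_rules():
        print(f"{f['pid']:>5}  {f['technique']:<10} {f['detail']}")
```

On this report the rules fire ten times across four techniques. The wmic rule is the weakest of the set, since installers and licensing tools also read the machine UUID; the parent-in-a-user-writable-path condition keeps it as a scoring signal rather than a blocking one. The Add-MpPreference rule is the one to page on: legitimate administration of Defender exclusions does not originate from a binary in a user's Temp directory.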
Network
MITRE ATT&CK Enterprise v15
Downloads
(no path given in the report)
Filesize: 230KB
MD5: 45577e6ae7385f0c27f02bbad18ad9c8
SHA1: e824b1a48f6c2b0618e42aeae2d3bc5283512450
SHA256: 44a57459b4a74d887e177f5155cd19fcbaf948685f079022888aad127ed849dd
SHA512: c73d1e4190bf0e23d92cfb672cabe21329a11497a5995b106e2694ce6df83987d0b300d1afa35f24fedc5e478c07b13ae898671e1c69de5e74c1b5b138d663ed

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: 81bc942f69dc51742f4b0bc1b9ef1af7
SHA1: 262842aaec1e1daaecf8179ecc9f4c0f4417e188
SHA256: 3ce723798f8d3f390b9fa803c6e68cbe12da3d83b1f072da38b60268ec83b96d
SHA512: f865f2753e8fa5a0f749197fd6359c58f1ec873bea7dd70fc6f402cdb4304d0f1a755d651ac77eed7cc0a3a79a2b452d3daf43aba0625000ed91a3ceb8b60c92

(no path given in the report; hashes are identical to the submitted System.exe)
Filesize: 76KB
MD5: 926f40028aab7e451391a2f0a1f19878
SHA1: 3154d7a394ab28b112813e1e2da05571d5f73610
SHA256: c9616db331e3194dce2010d0ee4be7525b83e5761dad9af507035e9a3ef89a8e
SHA512: ed7ef5b89abfe6dfe68e7c365ae4a5925a57e3a470f64714a6614f1ca80746e70ef73bbb2fef56d8ee3123c4066acc5678c7dc629995f42178a65d53cf3ac18f