Analysis
max time kernel: 139s
max time network: 141s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-04-2024 05:59
Behavioral task: behavioral1
Sample: 1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe
Resource: win7-20240221-en
General
Target: 1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe
Size: 32KB
MD5: 5703edb174766786773f4b565b3ccf85
SHA1: c4e1aa7bf7d5bd0f6c19e8c00d2b32cca143ac19
SHA256: 6f5e4c2f1acbaa248f7501e931462d3da75e6deba050065538153bfe14a6bdb5
SHA512: d1c798c43abd58163fb059c56fc5084bc3826c842076bee7b432887b8aec421a685efe7b491c5afce7bc06765565eecc75c52b6901a34d4950c31d965874a2cd
SSDEEP: 384:aEbmX5Qa+vN1h1+X3v6JFjL+g93Tm2eaFO3xdRApkFTBLTsOZwpGd2v99Ikuis/:TVa+vNtg+PB93Tw46xdVFE9jyOjhvb/
Malware Config
Extracted
Family: xworm
Version: 5.0
C2: 91.92.242.85:3344
JxfYmBE6u9bELdp4
install_file: USB.exe
Signatures

Contains code to disable Windows Defender (1 IoC)
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
Processes:
resource: behavioral2/memory/368-4-0x000000001B950000-0x000000001B95E000-memory.dmp; yara_rule: disable_win_def

Detect Xworm Payload (1 IoC)
Processes:
resource: behavioral2/memory/368-0-0x00000000000A0000-0x00000000000AE000-memory.dmp; yara_rule: family_xworm

StormKitty
StormKitty is an open source info stealer written in C#.

StormKitty payload (1 IoC)
Processes:
resource: behavioral2/memory/368-3-0x000000001CA10000-0x000000001CB30000-memory.dmp; yara_rule: family_stormkitty

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes:
pid: 368; process: 1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
description: Token: SeDebugPrivilege; pid: 368; process: 1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe
Processes
C:\Users\Admin\AppData\Local\Temp\1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1714456685abe8dacd9647979ca6f07fce954d21483995c56b392e9993fc4dbb806aaf5610733.dat-decoded.exe"
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hi55yuc4.vei.ps1
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/368-0-0x00000000000A0000-0x00000000000AE000-memory.dmp
Filesize: 56KB

memory/368-1-0x00007FFE05150000-0x00007FFE05C11000-memory.dmp
Filesize: 10.8MB

memory/368-2-0x000000001AD50000-0x000000001AD60000-memory.dmp
Filesize: 64KB

memory/368-3-0x000000001CA10000-0x000000001CB30000-memory.dmp
Filesize: 1.1MB

memory/368-4-0x000000001B950000-0x000000001B95E000-memory.dmp
Filesize: 56KB

memory/368-14-0x000000001D600000-0x000000001D622000-memory.dmp
Filesize: 136KB

memory/368-53-0x00007FFE05150000-0x00007FFE05C11000-memory.dmp
Filesize: 10.8MB

memory/368-54-0x000000001AD50000-0x000000001AD60000-memory.dmp
Filesize: 64KB