Analysis
max time kernel: 121s
max time network: 145s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 01-05-2024 01:36
Behavioral task: behavioral1
Sample: 6f5e4c2f1acbaa248f7501e931462d3da75e6deba050065538153bfe14a6bdb5.exe
Resource: win7-20240221-en
General
Target: 6f5e4c2f1acbaa248f7501e931462d3da75e6deba050065538153bfe14a6bdb5.exe
Size: 32KB
MD5: 5703edb174766786773f4b565b3ccf85
SHA1: c4e1aa7bf7d5bd0f6c19e8c00d2b32cca143ac19
SHA256: 6f5e4c2f1acbaa248f7501e931462d3da75e6deba050065538153bfe14a6bdb5
SHA512: d1c798c43abd58163fb059c56fc5084bc3826c842076bee7b432887b8aec421a685efe7b491c5afce7bc06765565eecc75c52b6901a34d4950c31d965874a2cd
SSDEEP: 384:aEbmX5Qa+vN1h1+X3v6JFjL+g93Tm2eaFO3xdRApkFTBLTsOZwpGd2v99Ikuis/:TVa+vNtg+PB93Tw46xdVFE9jyOjhvb/
Malware Config
Extracted
Family: xworm
Version: 5.0
C2: 91.92.242.85:3344
Mutex: JxfYmBE6u9bELdp4
install_file: USB.exe
Signatures

Contains code to disable Windows Defender (1 IoCs)
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
Processes: resource behavioral1/memory/2728-3-0x0000000000D10000-0x0000000000D1E000-memory.dmp, yara_rule disable_win_def

Detect Xworm Payload (1 IoCs)
Processes: resource behavioral1/memory/2728-0-0x0000000000D30000-0x0000000000D3E000-memory.dmp, yara_rule family_xworm

StormKitty
StormKitty is an open source info stealer written in C#.

StormKitty payload (1 IoCs)
Processes: resource behavioral1/memory/2728-4-0x000000001C130000-0x000000001C250000-memory.dmp, yara_rule family_stormkitty

Detects Windows executables referencing non-Windows User-Agents (1 IoCs)
Processes: resource behavioral1/memory/2728-0-0x0000000000D30000-0x0000000000D3E000-memory.dmp, yara_rule INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Detects executables containing artifacts associated with disabling Windows Defender (1 IoCs)
Processes: resource behavioral1/memory/2728-3-0x0000000000D10000-0x0000000000D1E000-memory.dmp, yara_rule INDICATOR_SUSPICIOUS_DisableWinDefender

Detects executables embedding registry key / value combination indicative of disabling Windows Defender features (1 IoCs)
Processes: resource behavioral1/memory/2728-3-0x0000000000D10000-0x0000000000D1E000-memory.dmp, yara_rule INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender

Detects executables referencing Windows vault credential objects. Observed in infostealers (1 IoCs)
Processes: resource behavioral1/memory/2728-4-0x000000001C130000-0x000000001C250000-memory.dmp, yara_rule INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

Detects executables referencing credit card regular expressions (1 IoCs)
Processes: resource behavioral1/memory/2728-4-0x000000001C130000-0x000000001C250000-memory.dmp, yara_rule INDICATOR_SUSPICIOUS_EXE_CC_Regex

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes: 6f5e4c2f1acbaa248f7501e931462d3da75e6deba050065538153bfe14a6bdb5.exe
description Token: SeDebugPrivilege, pid 2728, process 6f5e4c2f1acbaa248f7501e931462d3da75e6deba050065538153bfe14a6bdb5.exe
Downloads
memory/2728-0-0x0000000000D30000-0x0000000000D3E000-memory.dmp (Filesize 56KB)
memory/2728-1-0x000007FEF5C20000-0x000007FEF660C000-memory.dmp (Filesize 9.9MB)
memory/2728-2-0x000000001AD60000-0x000000001ADE0000-memory.dmp (Filesize 512KB)
memory/2728-3-0x0000000000D10000-0x0000000000D1E000-memory.dmp (Filesize 56KB)
memory/2728-4-0x000000001C130000-0x000000001C250000-memory.dmp (Filesize 1.1MB)
memory/2728-28-0x000007FEF5C20000-0x000007FEF660C000-memory.dmp (Filesize 9.9MB)
memory/2728-29-0x000000001AD60000-0x000000001ADE0000-memory.dmp (Filesize 512KB)