Overview

Static analysis: score 10

Behavioral tasks (score, sample, platform):
  10  fr2nnk.exe    windows10-1703-x64
  10  fr2nnk.exe    windows7-x64
  10  fr2nnk.exe    windows10-2004-x64
  10  fr2nnk.exe    windows11-21h2-x64
  10  grab.exe      windows10-1703-x64
  10  grab.exe      windows7-x64
   7  grab.exe      windows10-2004-x64
   8  grab.exe      windows11-21h2-x64
   8  m2zen.exe     windows10-1703-x64
   7  m2zen.exe     windows7-x64
   7  m2zen.exe     windows10-2004-x64
   7  m2zen.exe     windows11-21h2-x64
   7  winhlp32.exe  windows10-1703-x64
  10  winhlp32.exe  windows7-x64
  10  winhlp32.exe  windows10-2004-x64
  10  winhlp32.exe  windows11-21h2-x64
Analysis (score 10)

Max time kernel: 28s
Max time network: 31s
Platform: windows11-21h2_x64
Resource: win11-20240426-en
Resource tags: arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system
Submitted: 11-05-2024 09:52
Behavioral tasks (task: sample, resource)
behavioral1:  fr2nnk.exe,   win10-20240404-en
behavioral2:  fr2nnk.exe,   win7-20240221-en
behavioral3:  fr2nnk.exe,   win10v2004-20240226-en
behavioral4:  fr2nnk.exe,   win11-20240426-en
behavioral5:  grab.exe,     win10-20240404-en
behavioral6:  grab.exe,     win7-20240221-en
behavioral7:  grab.exe,     win10v2004-20240426-en
behavioral8:  grab.exe,     win11-20240508-en
behavioral9:  m2zen.exe,    win10-20240404-en
behavioral10: m2zen.exe,    win7-20231129-en
behavioral11: m2zen.exe,    win10v2004-20240508-en
behavioral12: m2zen.exe,    win11-20240508-en
behavioral13: winhlp32.exe, win10-20240404-en
behavioral14: winhlp32.exe, win7-20240419-en
behavioral15: winhlp32.exe, win10v2004-20240508-en
behavioral16: winhlp32.exe, win11-20240419-en
General

Target: fr2nnk.exe
Size: 32KB
MD5: 8d8bb72d313438d850c0fd079314e867
SHA1: 7c3adc8b21b1404e506af0ba332a84f50f502038
SHA256: 17ed10cc2d0e8a27b3823d7fdbe56a8a126e6b89f104e217d6d569fdfd88a679
SHA512: ed08efba52b9dcbf132e02a174e3526bd343145801367570d8bceac1a156582d553019a6e0df25afbacf620fc0d9c7543f0b52696fefb658a6060cc6ceddac49
SSDEEP: 768:P1Xm1TliVBx7XDH4tyIJ8phhFyr9UBOjhe2Qx8:P1XmplgXHEJoFY9UBOjTQx8
Malware Config

Extracted

Family: xworm
Version: 3.0
C2: else-movers.gl.at.ply.gg:28764
Mutex: iXKagAiYnmlygFVn
Install_directory: %LocalAppData%
install_file: USB.exe
Signatures

Detect Xworm Payload (1 IoC)
  Resource: behavioral4/memory/3772-1-0x0000000000F70000-0x0000000000F7E000-memory.dmp
  YARA rule: family_xworm

Drops startup file (2 IoCs)
  Process: fr2nnk.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fr2nnk.lnk
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fr2nnk.lnk

Adds Run key to start application (2 TTPs, 1 IoC)
  Process: fr2nnk.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Run\fr2nnk = "C:\\Users\\Admin\\AppData\\Local\\fr2nnk.exe"

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Process: fr2nnk.exe (pid 3772)
  Token: SeDebugPrivilege
  Token: SeDebugPrivilege
Processes
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

memory/3772-0-0x00007FFA858C3000-0x00007FFA858C5000-memory.dmp (filesize 8KB)
memory/3772-1-0x0000000000F70000-0x0000000000F7E000-memory.dmp (filesize 56KB)
memory/3772-8-0x00007FFA858C0000-0x00007FFA86382000-memory.dmp (filesize 10.8MB)
memory/3772-9-0x00007FFA858C0000-0x00007FFA86382000-memory.dmp (filesize 10.8MB)