Analysis

  • max time kernel
    120s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
  • submitted
    15-05-2024 18:24

General

  • Target

    file.exe

  • Size

    57KB

  • MD5

    8017a1bc98f4fdb536bef45a99951805

  • SHA1

    d0896c713baa2873bda66c77469763c95dad7248

  • SHA256

    f4deeaeaf6a4173c46ef5df50139cd54d144dc0cc0d685b2717c1590cc8b1b1b

  • SHA512

    4a931e8ed6a3d5e547c4925b026d46be660f33b5c427721032df2ca5ad380b3e1abf215355fef911bc148784d4acf71c2e8ac4b729e6c4700cf8a2325a3b2152

  • SSDEEP

    1536:mMA5VMU4wbWW8C5BkbvGoB264yLV6gQOXQz:mMA5VCwbWHkBkbv9gA0gQOXK

Malware Config

Extracted

Family

xworm

C2

publisher-misc.gl.at.ply.gg:58207:58207

publisher-misc.gl.at.ply.gg:58207

Attributes
  • Install_directory

    %Temp%

  • install_file

    RuntimeBroker.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Stealerium

    An open source info stealer written in C# first seen in May 2022.

  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Runs PowerShell with Add-MpPreference to add Windows Defender exclusions. In this run the exclusions cover the path and process name of the original sample (file.exe) and of the configured install file (RuntimeBroker.exe); no file-extension exclusions were observed.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other profile data.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
  • Kills process with taskkill 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Drops startup file
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2364
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\file.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2920
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'file.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2744
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2680
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RuntimeBroker.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2524
    • C:\Users\Admin\AppData\Local\Temp\lktjyt.exe
      "C:\Users\Admin\AppData\Local\Temp\lktjyt.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1588
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp5E84.tmp.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1896
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          4⤵
            PID:1500
          • C:\Windows\SysWOW64\taskkill.exe
            TaskKill /F /IM 1588
            4⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:628
          • C:\Windows\SysWOW64\timeout.exe
            Timeout /T 2 /Nobreak
            4⤵
            • Delays execution with timeout.exe
            PID:1992
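The Signatures and Processes sections above describe three behaviours a detection engineer would want to key on: PowerShell adding Defender exclusions via Add-MpPreference, a batch file in %Temp% driving a chcp/taskkill/timeout restart chain, and a second executable dropped into %Temp% and run by the sample. The following is an added example, not code from the sandbox report or from the malware, that triages a process tree for those three patterns. It assumes Sysmon-style process events with pid, ppid, image and cmdline fields; the PIDs, image paths and command lines are transcribed from the Processes section above, while the parent PIDs are inferred from the tree nesting because the report does not show them.

```python
"""Triage a sandbox process tree for Defender-exclusion tampering, a %Temp%
batch file driving taskkill/timeout, and execution of a payload dropped in
%Temp%. Added example; not code from the sandbox report or from Xworm."""
import json
import re
from collections import defaultdict
from typing import Dict, List, Tuple

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"

# (pid, ppid, image, cmdline) transcribed from the report's Processes section.
# ppid is inferred from the tree depth; the report itself lists no parent PIDs.
_RAW = [
    (2364, 0, TEMP + r"\file.exe", f"\"{TEMP}\\file.exe\""),
    (2920, 2364, PS, f"\"{PS}\" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath '{TEMP}\\file.exe'"),
    (2744, 2364, PS, f"\"{PS}\" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'file.exe'"),
    (2680, 2364, PS, f"\"{PS}\" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath '{TEMP}\\RuntimeBroker.exe'"),
    (2524, 2364, PS, f"\"{PS}\" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RuntimeBroker.exe'"),
    (1588, 2364, TEMP + r"\lktjyt.exe", f"\"{TEMP}\\lktjyt.exe\""),
    (1896, 1588, r"C:\Windows\SysWOW64\cmd.exe", f"\"C:\\Windows\\System32\\cmd.exe\" /C {TEMP}\\tmp5E84.tmp.bat"),
    (1500, 1896, r"C:\Windows\SysWOW64\chcp.com", "chcp 65001"),
    (628, 1896, r"C:\Windows\SysWOW64\taskkill.exe", "TaskKill /F /IM 1588"),
    (1992, 1896, r"C:\Windows\SysWOW64\timeout.exe", "Timeout /T 2 /Nobreak"),
]
EVENTS: List[Dict] = [dict(pid=p, ppid=pp, image=i, cmdline=c) for p, pp, i, c in _RAW]

USER_TEMP = "\\appdata\\local\\temp\\"  # user-writable, no admin rights needed to drop here
ADD_MPPREF = re.compile(r"\bAdd-MpPreference\b", re.IGNORECASE)
# -ExclusionPath / -ExclusionProcess / -ExclusionExtension followed by a quoted or bare value
EXCLUSION_ARG = re.compile(
    r"-Exclusion(Path|Process|Extension)\s+(?:'([^']*)'|\"([^\"]*)\"|(\S+))", re.IGNORECASE)
BAT_IN_TEMP = re.compile(r"\\AppData\\Local\\Temp\\[^\s\"]+\.bat\b", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def parse_defender_exclusions(cmdline: str) -> List[Tuple[str, str]]:
    """Return (kind, value) pairs for every exclusion an Add-MpPreference call adds."""
    if not ADD_MPPREF.search(cmdline):
        return []
    pairs = []
    for m in EXCLUSION_ARG.finditer(cmdline):
        value = m.group(2) or m.group(3) or m.group(4)
        pairs.append((m.group(1).lower(), value))
    return pairs


def find_exclusion_tampering(events: List[Dict]) -> List[Dict]:
    """Flag processes that add Defender exclusions; note when the excluded path is in %Temp%."""
    findings = []
    for e in events:
        if basename(e["image"]) not in ("powershell.exe", "pwsh.exe"):
            continue
        for kind, value in parse_defender_exclusions(e["cmdline"]):
            findings.append({"pid": e["pid"], "parent_pid": e["ppid"], "kind": kind,
                             "value": value, "in_user_temp": USER_TEMP in value.lower()})
    return findings


def find_temp_bat_chain(events: List[Dict]) -> List[Dict]:
    """Flag cmd.exe running a .bat from %Temp% whose children include taskkill and timeout."""
    by_parent = defaultdict(list)
    for e in events:
        by_parent[e["ppid"]].append(e)
    findings = []
    for e in events:
        bat = BAT_IN_TEMP.search(e["cmdline"]) if basename(e["image"]) == "cmd.exe" else None
        if not bat:
            continue
        children = sorted({basename(c["image"]) for c in by_parent[e["pid"]]})
        if {"taskkill.exe", "timeout.exe"} <= set(children):
            findings.append({"pid": e["pid"], "bat": bat.group(0), "children": children})
    return findings


def find_temp_exe_spawns(events: List[Dict]) -> List[Tuple[int, int, str]]:
    """Return (parent_pid, pid, image) where an image in %Temp% is started by a parent in %Temp%."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent and USER_TEMP in e["image"].lower() and USER_TEMP in parent["image"].lower():
            hits.append((parent["pid"], e["pid"], e["image"]))
    return hits


def triage(events: List[Dict]) -> Dict:
    return {"defender_exclusions": find_exclusion_tampering(events),
            "temp_bat_chains": find_temp_bat_chain(events),
            "temp_exe_spawns": find_temp_exe_spawns(events)}


if __name__ == "__main__":
    print(json.dumps(triage(EVENTS), indent=2))
```

Two practical notes. First, the batch chain check keys on the cmd.exe/taskkill/timeout combination rather than on the taskkill arguments: the observed line "TaskKill /F /IM 1588" passes a PID where /IM expects an image name, so on a real host that command would simply report that no process named "1588" exists, and the child process still gets spawned and logged. Second, the path exclusions here point into the user-writable %Temp% directory, which is why the example records in_user_temp: an exclusion for a path any unprivileged process can write to is worth escalating regardless of what the excluded file is called.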

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Execution
    T1059 Command and Scripting Interpreter (1)
    T1059.001 PowerShell (1)
  • Credential Access
    T1552 Unsecured Credentials (1)
    T1552.001 Credentials In Files (1)
  • Discovery
    T1082 System Information Discovery (1)
  • Collection
    T1005 Data from Local System (1)


    Downloads

    • C:\Users\Admin\AppData\Local\Temp\lktjyt.exe
      Filesize

      1.6MB

      MD5

      6627adf7167ee571e8fd6c8b1a0e8ae3

      SHA1

      03b9112660ee73c59d84e219f15bf24ae9df48db

      SHA256

      6c5935bcddaa1d4f809487f66db758e892cc0a7fd7704d138904bc879644ea1f

      SHA512

      e05896a6e0d09d4dafeb2467395ca06ae1e728a4aa079041dea82940caeb71646984604fdeea482748423b10257b8462db4f573682f9f719939143fdb5691c60

    • C:\Users\Admin\AppData\Local\Temp\tmp5E84.tmp.bat
      Filesize

      57B

      MD5

      11184bca4ce016b9e00b3ead32c9b16b

      SHA1

      406adb50b7e2fbf0661a01219adede3680d12aaa

      SHA256

      dba695fd11bd2141aaec8516df5de78b9fd8b62506fba0154af38f68681c36f0

      SHA512

      4435aced15e4d51f423e23e7919b13bc39188f48f74ce12e87ea1a7b4dfff12ff3efb832e1d02115548c221553d0a36f0e4b3a14fe71ca2232ca04c16edf0e31

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      609d7a90c687e69f4bdfbd0b3b4fb590

      SHA1

      a39ba8f17c8116eac74bc5b83434a249df3eff83

      SHA256

      4713ff7ea6fa9968b3664a42758955b59913e4b92b7dde98ce1d06a1ce7bb002

      SHA512

      3cfbee6d27527c5998c391f250d6d149643072815e01854c79b0e84e4b6edb32321a8ecb2b88e4b964c9471535141ee310b946b160cf769905b999a239b63883

    • memory/1588-37-0x00000000011C0000-0x0000000001352000-memory.dmp
      Filesize

      1.6MB

    • memory/2364-39-0x000000001D370000-0x000000001D6C0000-memory.dmp
      Filesize

      3.3MB

    • memory/2364-30-0x000000001B1D0000-0x000000001B250000-memory.dmp
      Filesize

      512KB

    • memory/2364-38-0x0000000000890000-0x000000000089E000-memory.dmp
      Filesize

      56KB

    • memory/2364-0-0x000007FEF4CA3000-0x000007FEF4CA4000-memory.dmp
      Filesize

      4KB

    • memory/2364-40-0x000007FEF4CA3000-0x000007FEF4CA4000-memory.dmp
      Filesize

      4KB

    • memory/2364-1-0x0000000000F20000-0x0000000000F34000-memory.dmp
      Filesize

      80KB

    • memory/2364-43-0x000000001B1D0000-0x000000001B250000-memory.dmp
      Filesize

      512KB

    • memory/2744-14-0x000000001B6C0000-0x000000001B9A2000-memory.dmp
      Filesize

      2.9MB

    • memory/2744-15-0x0000000001D80000-0x0000000001D88000-memory.dmp
      Filesize

      32KB

    • memory/2920-8-0x0000000001E10000-0x0000000001E18000-memory.dmp
      Filesize

      32KB

    • memory/2920-7-0x000000001B8E0000-0x000000001BBC2000-memory.dmp
      Filesize

      2.9MB

    • memory/2920-6-0x00000000029F0000-0x0000000002A70000-memory.dmp
      Filesize

      512KB