Analysis
max time kernel: 149s
max time network: 136s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 19-05-2024 11:22
Behavioral task behavioral1: Sample vamicheatloader.exe, Resource win7-20240221-en
Behavioral task behavioral2: Sample vamicheatloader.exe, Resource win10v2004-20240508-en
The signatures, process tree and memory dumps below are from behavioral1 (Windows 7 x64); the win10v2004 run is not shown on this page.
General
-
Target
vamicheatloader.exe
-
Size
77KB
-
MD5
b074da06d9857ac5261d62b2446774a4
-
SHA1
7137511fab7f416097aafba40cb0b6becf6c9d6e
-
SHA256
d75b041e9c687214d97c0110be211d91d0242115475171620a8791f6e79bfc58
-
SHA512
04faf087159d02915d9981f4666b2dcc1441f6212f9fe8ef8750e1b69436159ac1063c9a2191f59c77864b7688955e3f5e9db7fe0c5f50791bcbb52c49fa3367
-
SSDEEP
1536:+dWwWpRvrlUSvelsuFXvnd4hbAbYUU0XXS06YTUgOrEKvN:I2TSSmnZvGAbD5iST/Or9N
Malware Config
Extracted
Family: xworm
C2: rooms-belkin.gl.at.ply.gg:48066
Install_directory: %AppData%
install_file: svchost.exe
Hostnames under ply.gg belong to the playit.gg tunnelling service, so the C2 address is a relay in front of the operator's real host: block the hostname and port pair, but expect the backend behind it to move. The install settings match what the run shows: the sample copies itself to C:\Users\Admin\AppData\Roaming\svchost.exe (same hashes as the submitted file, see Downloads) and persists that copy.
Signatures
-
Detect Xworm Payload (4 IoCs)
Resource / YARA rule:
- behavioral1/memory/2200-1-0x0000000000210000-0x000000000022A000-memory.dmp: family_xworm
- C:\Users\Admin\AppData\Roaming\svchost.exe: family_xworm
- behavioral1/memory/2420-36-0x0000000000B60000-0x0000000000B7A000-memory.dmp: family_xworm
- behavioral1/memory/300-39-0x0000000000BF0000-0x0000000000C0A000-memory.dmp: family_xworm
Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, or processes. In this run only path (-ExclusionPath) and process (-ExclusionProcess) exclusions are added: one pair for the original sample in %Temp% and one pair for the dropped copy in %AppData%, each in a separate powershell.exe launched with -ExecutionPolicy Bypass directly from vamicheatloader.exe (PID 2200). The report records the command lines, not whether Defender accepted them; Add-MpPreference needs an elevated context, so on a standard-user host these calls would fail.
Processes (pid, process):
- 2548 powershell.exe
- 2616 powershell.exe
- 2484 powershell.exe
- 1984 powershell.exe
Drops startup file (2 IoCs)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk (vamicheatloader.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk (vamicheatloader.exe)
Executes dropped EXE (2 IoCs)
- 2420 svchost.exe
- 300 svchost.exe
Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str) by vamicheatloader.exe: \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" (the HKCU Run key of the Admin user; the sandbox shows the data with doubled backslashes)
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
- flow 4: ip-api.com
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution. Here the task "svchost" is created with /sc minute /mo 1 and /RL HIGHEST, so the Task Scheduler engine (taskeng.exe, PID 2536) relaunches C:\Users\Admin\AppData\Roaming\svchost.exe every minute; that is why two instances of the dropped file (PIDs 2420 and 300) appear within the 149 s run. Together with the Run key and the Startup .lnk this gives the sample three independent persistence paths.
Suspicious behavior: EnumeratesProcesses (5 IoCs)
- 2548 powershell.exe
- 2616 powershell.exe
- 2484 powershell.exe
- 1984 powershell.exe
- 2200 vamicheatloader.exe
Suspicious use of AdjustPrivilegeToken (8 IoCs)
Token: SeDebugPrivilege, enabled by:
- 2200 vamicheatloader.exe
- 2548 powershell.exe
- 2616 powershell.exe
- 2484 powershell.exe
- 1984 powershell.exe
- 2200 vamicheatloader.exe
- 2420 svchost.exe
- 300 svchost.exe
Suspicious use of SetWindowsHookEx (1 IoC)
- 2200 vamicheatloader.exe
Suspicious use of WriteProcessMemory (21 IoCs)
Each parent-to-child write is logged three times; the seven unique pairs (source pid, process -> target pid, process) are:
- 2200 vamicheatloader.exe -> 2548 powershell.exe
- 2200 vamicheatloader.exe -> 2616 powershell.exe
- 2200 vamicheatloader.exe -> 2484 powershell.exe
- 2200 vamicheatloader.exe -> 1984 powershell.exe
- 2200 vamicheatloader.exe -> 2908 schtasks.exe
- 2536 taskeng.exe -> 2420 svchost.exe
- 2536 taskeng.exe -> 300 svchost.exe
The writes correspond one-to-one with the process creations in the tree below, so they reflect each parent setting up its own child rather than injection into an unrelated process.
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (number = depth in the tree)
1. C:\Users\Admin\AppData\Local\Temp\vamicheatloader.exe (PID 2200)
   Command line: "C:\Users\Admin\AppData\Local\Temp\vamicheatloader.exe"
   - Drops startup file
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\vamicheatloader.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
   2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'vamicheatloader.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
   2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
   2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
   2. C:\Windows\System32\schtasks.exe (PID 2908)
      Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
      - Creates scheduled task(s)
1. C:\Windows\system32\taskeng.exe (PID 2536)
   Command line: taskeng.exe {60F66EC7-4F35-49AE-8F88-791DE6A0BAF6} S-1-5-21-2297530677-1229052932-2803917579-1000:HKULBIBU\Admin:Interactive:[1]
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\svchost.exe
      Command line: C:\Users\Admin\AppData\Roaming\svchost.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
   2. C:\Users\Admin\AppData\Roaming\svchost.exe
      Command line: C:\Users\Admin\AppData\Roaming\svchost.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
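The Defender-exclusion commands, the scheduled task, the Run key and the dropped svchost.exe recorded in the signatures and the process tree above are exactly the behaviours a detection engineer wants to catch from process-creation telemetry. The Python below is an added example, not part of this report or of the sandbox's own code: it rebuilds the command lines from the process tree as constructed events (image paths, command lines and PIDs as listed; parent PIDs follow the tree; which of the four PowerShell PIDs ran which command line is assumed from listing order, since the report does not pair them) and runs a small triage over them. The checks are generic rather than tied to this sample: any Add-/Set-MpPreference exclusion, a child excluding its parent's own file or name, a process exclusion using a system binary name, scheduled tasks with sub-five-minute intervals or user-writable actions, Run values pointing into user-writable paths, and core system binary names running outside System32/SysWOW64. The tag names and the user-writable path markers are the example's own choices.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events built from this report's process tree. Image paths,
# command lines and PIDs are as listed there; parent PIDs follow the tree. Which PowerShell
# PID ran which command line is assumed from listing order (the report does not pair them).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
LOADER = r"C:\Users\Admin\AppData\Local\Temp\vamicheatloader.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\svchost.exe"
SCHTASKS = r"C:\Windows\System32\schtasks.exe"


def ps_cmd(args):
    return '"%s" -ExecutionPolicy Bypass %s' % (PS, args)


EVENTS = [
    {"pid": 2200, "ppid": 0, "image": LOADER, "cmdline": '"%s"' % LOADER},
    {"pid": 2548, "ppid": 2200, "image": PS, "cmdline": ps_cmd("Add-MpPreference -ExclusionPath '%s'" % LOADER)},
    {"pid": 2616, "ppid": 2200, "image": PS, "cmdline": ps_cmd("Add-MpPreference -ExclusionProcess 'vamicheatloader.exe'")},
    {"pid": 2484, "ppid": 2200, "image": PS, "cmdline": ps_cmd("Add-MpPreference -ExclusionPath '%s'" % DROPPED)},
    {"pid": 1984, "ppid": 2200, "image": PS, "cmdline": ps_cmd("Add-MpPreference -ExclusionProcess 'svchost.exe'")},
    {"pid": 2908, "ppid": 2200, "image": SCHTASKS,
     "cmdline": '"%s" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "%s"' % (SCHTASKS, DROPPED)},
    {"pid": 2536, "ppid": 0, "image": r"C:\Windows\system32\taskeng.exe",
     "cmdline": "taskeng.exe {60F66EC7-4F35-49AE-8F88-791DE6A0BAF6}"},
    {"pid": 2420, "ppid": 2536, "image": DROPPED, "cmdline": DROPPED},
    {"pid": 300, "ppid": 2536, "image": DROPPED, "cmdline": DROPPED},
]

# Core Windows binaries that only ever run from the system directories (example's own list).
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe", "smss.exe", "wininit.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\temp\\", "\\programdata\\")  # assumed markers
EXCLUSION_RE = re.compile(r"""-Exclusion(Path|Process|Extension)\s+(?:'([^']*)'|"([^"]*)"|(\S+))""", re.IGNORECASE)


def user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def defender_exclusions(cmdline):
    """Return [(kind, value)] for every exclusion an Add-/Set-MpPreference command line adds."""
    if not re.search(r"\b(Add|Set)-MpPreference\b", cmdline, re.IGNORECASE):
        return []
    return [(m.group(1).capitalize(), m.group(2) or m.group(3) or m.group(4)) for m in EXCLUSION_RE.finditer(cmdline)]


def parse_schtasks_create(cmdline):
    """Pull the persistence-relevant fields out of 'schtasks /create ...'; None for anything else."""
    if not re.search(r'schtasks(\.exe)?"?\s+/create\b', cmdline, re.IGNORECASE):
        return None

    def opt(flag):  # value following /flag, quoted or bare
        m = re.search(r'/%s\s+(?:"([^"]*)"|(\S+))' % flag, cmdline, re.IGNORECASE)
        return (m.group(1) or m.group(2)) if m else None

    modifier = opt("mo")
    return {"name": opt("tn"), "action": opt("tr"), "schedule": (opt("sc") or "").lower(),
            "modifier": int(modifier) if modifier and modifier.isdigit() else None,
            "highest": bool(re.search(r"/RL\s+HIGHEST", cmdline, re.IGNORECASE))}


def masquerades_system_binary(image):
    """True when a core system binary name runs from outside System32/SysWOW64."""
    p = PureWindowsPath(image)
    if p.name.lower() not in SYSTEM_BINARIES:
        return False
    parent = str(p.parent).lower()
    return not any(parent == d or parent.startswith(d + "\\") for d in SYSTEM_DIRS)


def registry_run_persistence(value_path, data):
    """Flag a Run-key value (logged as \\REGISTRY\\USER\\<SID>\\...\\Run\\<name>) whose target is user-writable."""
    if "\\currentversion\\run\\" not in value_path.lower():
        return None
    target = data.strip('"')
    return ("run_key_user_writable", target) if user_writable(target) else None


def triage(events):
    """Return (pid, tag, detail) findings, correlating each child with its parent image."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        for kind, value in defender_exclusions(e["cmdline"]):
            low = value.lower()
            if parent and low in (parent["image"].lower(), PureWindowsPath(parent["image"]).name.lower()):
                tag = "defender_self_exclusion"  # the loader exempting its own file or name
            elif kind == "Process" and low in SYSTEM_BINARIES:
                tag = "defender_exclusion_system_name"  # exempts anything with that name, from any directory
            elif kind != "Process" and user_writable(value):
                tag = "defender_exclusion_user_writable"
            else:
                tag = "defender_exclusion"
            findings.append((e["pid"], tag, "%s=%s" % (kind, value)))
        task = parse_schtasks_create(e["cmdline"])
        if task and task["action"] and (user_writable(task["action"])
                                        or (task["schedule"] == "minute" and (task["modifier"] or 0) <= 5)):
            findings.append((e["pid"], "schtasks_persistence", "%s: every %s %s, highest=%s -> %s"
                             % (task["name"], task["modifier"], task["schedule"], task["highest"], task["action"])))
        if masquerades_system_binary(e["image"]):
            findings.append((e["pid"], "masquerading_system_binary", e["image"]))
    return findings


if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(*finding)
    # The Run value from this report (the sandbox displays its data with doubled backslashes).
    print(registry_run_persistence(r"\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000"
                                   r"\Software\Microsoft\Windows\CurrentVersion\Run\svchost", DROPPED))
```

Run as a script it prints seven findings for this tree (two self-exclusions, one system-name process exclusion, one user-writable path exclusion, the one-minute task, and two masquerading svchost.exe launches) plus the Run-key finding. On real telemetry the same dict shape can be filled from Sysmon Event ID 1 (Image, CommandLine, ProcessId, ParentProcessId), and registry_run_persistence takes the TargetObject and Details of a Sysmon Event ID 13 value-set event; the parent correlation is what turns a merely unusual Add-MpPreference into a high-confidence self-protection alert.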
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: 6c742ce41787ef332297e9ed19c8c7c8
SHA1: 638384a777cf7f8b72384c94becfd1aacc087f76
SHA256: 54aa1f5167c7aacabf10a0ca78d6428280bd7208091a48a804619a1407970fdf
SHA512: b13b2ae5ff74b2bca750a6dde2c0c54242b21b4aa2f085a3610ce2045adec89baadc9685c8b9d7a512ce425d1bc34190e83ebe784947f157912eaea167e0b623
(a Windows jump-list file written by the shell during the run, not a dropped payload)

C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize: 77KB
MD5: b074da06d9857ac5261d62b2446774a4
SHA1: 7137511fab7f416097aafba40cb0b6becf6c9d6e
SHA256: d75b041e9c687214d97c0110be211d91d0242115475171620a8791f6e79bfc58
SHA512: 04faf087159d02915d9981f4666b2dcc1441f6212f9fe8ef8750e1b69436159ac1063c9a2191f59c77864b7688955e3f5e9db7fe0c5f50791bcbb52c49fa3367
(byte-identical to the submitted sample: the loader copies itself to %AppData%\svchost.exe, so one set of hashes covers both files)
-
Memory dumps (behavioral1):
- memory/300-39-0x0000000000BF0000-0x0000000000C0A000-memory.dmp: 104KB
- memory/2200-31-0x000007FEF5D73000-0x000007FEF5D74000-memory.dmp: 4KB
- memory/2200-0-0x000007FEF5D73000-0x000007FEF5D74000-memory.dmp: 4KB
- memory/2200-32-0x000007FEF5D70000-0x000007FEF675C000-memory.dmp: 9.9MB
- memory/2200-2-0x000007FEF5D70000-0x000007FEF675C000-memory.dmp: 9.9MB
- memory/2200-1-0x0000000000210000-0x000000000022A000-memory.dmp: 104KB
- memory/2420-36-0x0000000000B60000-0x0000000000B7A000-memory.dmp: 104KB
- memory/2548-8-0x000000001B6C0000-0x000000001B9A2000-memory.dmp: 2.9MB
- memory/2548-9-0x0000000001EF0000-0x0000000001EF8000-memory.dmp: 32KB
- memory/2548-7-0x00000000029D0000-0x0000000002A50000-memory.dmp: 512KB
- memory/2616-15-0x000000001B560000-0x000000001B842000-memory.dmp: 2.9MB
- memory/2616-16-0x0000000002310000-0x0000000002318000-memory.dmp: 32KB
The three 104KB regions (2200-1, 2420-36, 300-39) are the ones the family_xworm rule matched in the Signatures section: the same unpacked payload image in the original process and in both scheduled-task launches of the dropped copy.