Analysis

  • max time kernel
    142s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    20-05-2024 12:03

General

  • Target

    SUITLOCK.exe

  • Size

    5.1MB

  • MD5

    6f9ba18a04ebf182900a0f4b94b3537d

  • SHA1

    15634a3aa0a59e8154ad1ffdb5eeb8387055f213

  • SHA256

    443da78d2f9696220afbc3d4705228f75d268bc6079162b2b020ec94f140a0b1

  • SHA512

    6bead3d7421afef0e1e8b060c10db34eec908c863f57264c25d6cbabbd5b9b118418cc34fef3f366927f97def4782c8499780e5c008a62b9f2fbcd9af8adb8de

  • SSDEEP

    98304:NNadRPPlP93efT/RehdEyiFr9/LSsTxy/rSbIixFid6fa:NaPPlPYf10i9TSsFyTSbIcFg6

Malware Config

Extracted

Family

xworm

Version

5.0

C2

156.225.129.219:7000

Mutex

LOfxNhTNVvGzuUp6

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

aes.plain

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • VMProtect packed file 2 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SUITLOCK.exe
    "C:\Users\Admin\AppData\Local\Temp\SUITLOCK.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1876
    • C:\Users\Admin\UNLOCK.exe
      "C:\Users\Admin\UNLOCK.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2556
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c mode 70,10
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1740
        • C:\Windows\system32\mode.com
          mode 70,10
          4⤵
            PID:2548
      • C:\Users\Admin\newupdate.exe
        "C:\Users\Admin\newupdate.exe"
        2⤵
        • Drops startup file
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2628
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\newupdate.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1476
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'newupdate.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:800
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\csrss'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1084
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'csrss'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1676

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

      Filesize

      7KB

      MD5

      4657cd82bd0f822cd811c7c23ec8e26a

      SHA1

      d0ee35697435e9d52d13a58955ad7feebec626ff

      SHA256

      fb83607fda323bfbd6e7977183ef23ddafa8d6fa0823b4cb63b997354e70cff6

      SHA512

      ba3360419f3f77508910e67e107b6ecba4658cd4a4c860e6df696b432bc8bd0ecdf12f5b9158884a69bf24e717e69c6794ad1ddd18d41a407b11ed0996a2ee7d

    • C:\Users\Admin\newupdate.exe

      Filesize

      40KB

      MD5

      6663d561874fb21e3bd67c9e68f09ac0

      SHA1

      9f8ad93ba4e60844250d624e25a8d421281c6d94

      SHA256

      a8cfdcf2308be48989bc7993ceb61e0ecb7930f8a154b2e5d2c78f2f5a5c3802

      SHA512

      8ff50e5aa96e6600663b8e0935548c8cd1477b0c483c2f7ba0f8808ad6a21c48eb7655c87daeda6695d4ea4cc0db26161e1367eb712f67fb199c26bc5fcc3c6f

    • \Users\Admin\UNLOCK.exe

      Filesize

      5.0MB

      MD5

      36c166ba7ab01d11bc9eecfd87af3d63

      SHA1

      2872c0d4200037adfdbd2129b65a3cae51547f09

      SHA256

      b3d90d187c2b7f8068a447d296410dd279a3f39330dc5c57e1038ba6421bc548

      SHA512

      694260d62d61ca29b7393dbc059bfd01769cb6475eddd045dd309abaa07388e1e73ca2bceab855adca8f73157a5c4dfdbd25435bf6d62778285e7ed62508c191

    • memory/800-43-0x0000000000560000-0x0000000000568000-memory.dmp

      Filesize

      32KB

    • memory/800-42-0x000000001B7C0000-0x000000001BAA2000-memory.dmp

      Filesize

      2.9MB

    • memory/1476-35-0x000000001B700000-0x000000001B9E2000-memory.dmp

      Filesize

      2.9MB

    • memory/1476-36-0x0000000001DE0000-0x0000000001DE8000-memory.dmp

      Filesize

      32KB

    • memory/1876-1-0x0000000001020000-0x000000000153E000-memory.dmp

      Filesize

      5.1MB

    • memory/1876-0-0x000007FEF5D53000-0x000007FEF5D54000-memory.dmp

      Filesize

      4KB

    • memory/2556-15-0x0000000140080000-0x00000001403B0000-memory.dmp

      Filesize

      3.2MB

    • memory/2556-60-0x0000000140080000-0x00000001403B0000-memory.dmp

      Filesize

      3.2MB

    • memory/2556-23-0x0000000077760000-0x0000000077762000-memory.dmp

      Filesize

      8KB

    • memory/2556-26-0x0000000140000000-0x00000001408BC000-memory.dmp

      Filesize

      8.7MB

    • memory/2556-25-0x0000000077760000-0x0000000077762000-memory.dmp

      Filesize

      8KB

    • memory/2556-21-0x0000000077760000-0x0000000077762000-memory.dmp

      Filesize

      8KB

    • memory/2556-18-0x0000000077750000-0x0000000077752000-memory.dmp

      Filesize

      8KB

    • memory/2556-20-0x0000000077750000-0x0000000077752000-memory.dmp

      Filesize

      8KB

    • memory/2556-16-0x0000000077750000-0x0000000077752000-memory.dmp

      Filesize

      8KB

    • memory/2628-30-0x000000001B0F0000-0x000000001B170000-memory.dmp

      Filesize

      512KB

    • memory/2628-12-0x0000000000840000-0x0000000000850000-memory.dmp

      Filesize

      64KB

    • memory/2628-59-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

      Filesize

      9.9MB

    • memory/2628-14-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

      Filesize

      9.9MB

    • memory/2628-61-0x000000001B0F0000-0x000000001B170000-memory.dmp

      Filesize

      512KB