Analysis
max time kernel: 142s
max time network: 145s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64 arch:x86 image:win7-20240215-en locale:en-us os:windows7-x64 system
submitted: 20-05-2024 12:03
Static task: static1
Behavioral task: behavioral1
Sample: SUITLOCK.exe
Resource: win7-20240215-en
General
Target: SUITLOCK.exe
Size: 5.1MB
MD5: 6f9ba18a04ebf182900a0f4b94b3537d
SHA1: 15634a3aa0a59e8154ad1ffdb5eeb8387055f213
SHA256: 443da78d2f9696220afbc3d4705228f75d268bc6079162b2b020ec94f140a0b1
SHA512: 6bead3d7421afef0e1e8b060c10db34eec908c863f57264c25d6cbabbd5b9b118418cc34fef3f366927f97def4782c8499780e5c008a62b9f2fbcd9af8adb8de
SSDEEP: 98304:NNadRPPlP93efT/RehdEyiFr9/LSsTxy/rSbIixFid6fa:NaPPlPYf10i9TSsFyTSbIcFg6
Malware Config
Extracted
xworm
5.0
156.225.129.219:7000
LOfxNhTNVvGzuUp6
Install_directory: %AppData%
install_file: USB.exe
Signatures

Detect Xworm Payload (2 IoCs)
resource yara_rule
behavioral1/files/0x00080000000122bf-10.dat family_xworm
behavioral1/memory/2628-12-0x0000000000840000-0x0000000000850000-memory.dmp family_xworm

Command and Scripting Interpreter: PowerShell (1 TTPs, 4 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process
1476 powershell.exe
800 powershell.exe
1084 powershell.exe
1676 powershell.exe

Drops startup file (2 IoCs)
description ioc Process
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.lnk newupdate.exe
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.lnk newupdate.exe

Executes dropped EXE (2 IoCs)
pid Process
2556 UNLOCK.exe
2628 newupdate.exe

Loads dropped DLL (1 IoCs)
pid Process
1876 SUITLOCK.exe

resource yara_rule
behavioral1/files/0x000a000000012252-4.dat vmprotect
behavioral1/memory/2556-26-0x0000000140000000-0x00000001408BC000-memory.dmp vmprotect

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc
4 ip-api.com

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
pid Process
2556 UNLOCK.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid Process
2556 UNLOCK.exe
1476 powershell.exe
800 powershell.exe
1084 powershell.exe
1676 powershell.exe
2628 newupdate.exe

Suspicious use of AdjustPrivilegeToken (6 IoCs)
description pid Process
Token: SeDebugPrivilege 2628 newupdate.exe
Token: SeDebugPrivilege 1476 powershell.exe
Token: SeDebugPrivilege 800 powershell.exe
Token: SeDebugPrivilege 1084 powershell.exe
Token: SeDebugPrivilege 1676 powershell.exe
Token: SeDebugPrivilege 2628 newupdate.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
pid Process
2628 newupdate.exe

Suspicious use of WriteProcessMemory (24 IoCs)
description pid Process procid_target
PID 1876 wrote to memory of 2556 1876 SUITLOCK.exe 28
PID 1876 wrote to memory of 2556 1876 SUITLOCK.exe 28
PID 1876 wrote to memory of 2556 1876 SUITLOCK.exe 28
PID 1876 wrote to memory of 2628 1876 SUITLOCK.exe 30
PID 1876 wrote to memory of 2628 1876 SUITLOCK.exe 30
PID 1876 wrote to memory of 2628 1876 SUITLOCK.exe 30
PID 2556 wrote to memory of 1740 2556 UNLOCK.exe 31
PID 2556 wrote to memory of 1740 2556 UNLOCK.exe 31
PID 2556 wrote to memory of 1740 2556 UNLOCK.exe 31
PID 1740 wrote to memory of 2548 1740 cmd.exe 32
PID 1740 wrote to memory of 2548 1740 cmd.exe 32
PID 1740 wrote to memory of 2548 1740 cmd.exe 32
PID 2628 wrote to memory of 1476 2628 newupdate.exe 34
PID 2628 wrote to memory of 1476 2628 newupdate.exe 34
PID 2628 wrote to memory of 1476 2628 newupdate.exe 34
PID 2628 wrote to memory of 800 2628 newupdate.exe 36
PID 2628 wrote to memory of 800 2628 newupdate.exe 36
PID 2628 wrote to memory of 800 2628 newupdate.exe 36
PID 2628 wrote to memory of 1084 2628 newupdate.exe 38
PID 2628 wrote to memory of 1084 2628 newupdate.exe 38
PID 2628 wrote to memory of 1084 2628 newupdate.exe 38
PID 2628 wrote to memory of 1676 2628 newupdate.exe 40
PID 2628 wrote to memory of 1676 2628 newupdate.exe 40
PID 2628 wrote to memory of 1676 2628 newupdate.exe 40
Processes

C:\Users\Admin\AppData\Local\Temp\SUITLOCK.exe
  "C:\Users\Admin\AppData\Local\Temp\SUITLOCK.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1876

  C:\Users\Admin\UNLOCK.exe
    "C:\Users\Admin\UNLOCK.exe"
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2556

    C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c mode 70,10
      - Suspicious use of WriteProcessMemory
      PID:1740

      C:\Windows\system32\mode.com
        mode 70,10
        PID:2548

  C:\Users\Admin\newupdate.exe
    "C:\Users\Admin\newupdate.exe"
    - Drops startup file
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2628

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\newupdate.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID:1476

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'newupdate.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID:800

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\csrss'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID:1084

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'csrss'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID:1676
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: 4657cd82bd0f822cd811c7c23ec8e26a
SHA1: d0ee35697435e9d52d13a58955ad7feebec626ff
SHA256: fb83607fda323bfbd6e7977183ef23ddafa8d6fa0823b4cb63b997354e70cff6
SHA512: ba3360419f3f77508910e67e107b6ecba4658cd4a4c860e6df696b432bc8bd0ecdf12f5b9158884a69bf24e717e69c6794ad1ddd18d41a407b11ed0996a2ee7d

Filesize: 40KB
MD5: 6663d561874fb21e3bd67c9e68f09ac0
SHA1: 9f8ad93ba4e60844250d624e25a8d421281c6d94
SHA256: a8cfdcf2308be48989bc7993ceb61e0ecb7930f8a154b2e5d2c78f2f5a5c3802
SHA512: 8ff50e5aa96e6600663b8e0935548c8cd1477b0c483c2f7ba0f8808ad6a21c48eb7655c87daeda6695d4ea4cc0db26161e1367eb712f67fb199c26bc5fcc3c6f

Filesize: 5.0MB
MD5: 36c166ba7ab01d11bc9eecfd87af3d63
SHA1: 2872c0d4200037adfdbd2129b65a3cae51547f09
SHA256: b3d90d187c2b7f8068a447d296410dd279a3f39330dc5c57e1038ba6421bc548
SHA512: 694260d62d61ca29b7393dbc059bfd01769cb6475eddd045dd309abaa07388e1e73ca2bceab855adca8f73157a5c4dfdbd25435bf6d62778285e7ed62508c191