Analysis
-
max time kernel
143s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
20-05-2024 12:03
Static task
static1
Behavioral task
behavioral1
Sample
SUITLOCK.exe
Resource
win7-20240215-en
General
-
Target
SUITLOCK.exe
-
Size
5.1MB
-
MD5
6f9ba18a04ebf182900a0f4b94b3537d
-
SHA1
15634a3aa0a59e8154ad1ffdb5eeb8387055f213
-
SHA256
443da78d2f9696220afbc3d4705228f75d268bc6079162b2b020ec94f140a0b1
-
SHA512
6bead3d7421afef0e1e8b060c10db34eec908c863f57264c25d6cbabbd5b9b118418cc34fef3f366927f97def4782c8499780e5c008a62b9f2fbcd9af8adb8de
-
SSDEEP
98304:NNadRPPlP93efT/RehdEyiFr9/LSsTxy/rSbIixFid6fa:NaPPlPYf10i9TSsFyTSbIcFg6
Malware Config
Extracted
xworm
5.0
156.225.129.219:7000
LOfxNhTNVvGzuUp6
-
Install_directory
%AppData%
-
install_file
USB.exe
Signatures
-
Detect Xworm Payload 2 IoCs
resource yara_rule behavioral2/files/0x0007000000023407-22.dat family_xworm behavioral2/memory/4428-48-0x00000000007D0000-0x00000000007E0000-memory.dmp family_xworm -
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 4384 powershell.exe 1056 powershell.exe 424 powershell.exe 3032 powershell.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation SUITLOCK.exe Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation newupdate.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.lnk newupdate.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.lnk newupdate.exe -
Executes dropped EXE 2 IoCs
pid Process 2084 UNLOCK.exe 4428 newupdate.exe -
resource yara_rule behavioral2/files/0x0008000000023403-6.dat vmprotect behavioral2/memory/2084-54-0x0000000140000000-0x00000001408BC000-memory.dmp vmprotect behavioral2/memory/2084-58-0x0000000140000000-0x00000001408BC000-memory.dmp vmprotect -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 22 ip-api.com -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 2084 UNLOCK.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 11 IoCs
pid Process 2084 UNLOCK.exe 2084 UNLOCK.exe 4384 powershell.exe 4384 powershell.exe 1056 powershell.exe 1056 powershell.exe 424 powershell.exe 424 powershell.exe 3032 powershell.exe 3032 powershell.exe 4428 newupdate.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeDebugPrivilege 4428 newupdate.exe Token: SeDebugPrivilege 4384 powershell.exe Token: SeDebugPrivilege 1056 powershell.exe Token: SeDebugPrivilege 424 powershell.exe Token: SeDebugPrivilege 3032 powershell.exe Token: SeDebugPrivilege 4428 newupdate.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4428 newupdate.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 4856 wrote to memory of 2084 4856 SUITLOCK.exe 82 PID 4856 wrote to memory of 2084 4856 SUITLOCK.exe 82 PID 4856 wrote to memory of 4428 4856 SUITLOCK.exe 84 PID 4856 wrote to memory of 4428 4856 SUITLOCK.exe 84 PID 2084 wrote to memory of 1020 2084 UNLOCK.exe 86 PID 2084 wrote to memory of 1020 2084 UNLOCK.exe 86 PID 1020 wrote to memory of 5024 1020 cmd.exe 87 PID 1020 wrote to memory of 5024 1020 cmd.exe 87 PID 4428 wrote to memory of 4384 4428 newupdate.exe 95 PID 4428 wrote to memory of 4384 4428 newupdate.exe 95 PID 4428 wrote to memory of 1056 4428 newupdate.exe 97 PID 4428 wrote to memory of 1056 4428 newupdate.exe 97 PID 4428 wrote to memory of 424 4428 newupdate.exe 99 PID 4428 wrote to memory of 424 4428 newupdate.exe 99 PID 4428 wrote to memory of 3032 4428 newupdate.exe 101 PID 4428 wrote to memory of 3032 4428 newupdate.exe 101
Processes
-
C:\Users\Admin\AppData\Local\Temp\SUITLOCK.exe"C:\Users\Admin\AppData\Local\Temp\SUITLOCK.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4856 -
C:\Users\Admin\UNLOCK.exe"C:\Users\Admin\UNLOCK.exe"2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2084 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mode 70,103⤵
- Suspicious use of WriteProcessMemory
PID:1020 -
C:\Windows\system32\mode.commode 70,104⤵PID:5024
-
-
-
-
C:\Users\Admin\newupdate.exe"C:\Users\Admin\newupdate.exe"2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4428 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\newupdate.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4384
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'newupdate.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1056
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\csrss'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:424
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'csrss'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3032
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD5eb1ad317bd25b55b2bbdce8a28a74a94
SHA198a3978be4d10d62e7411946474579ee5bdc5ea6
SHA2569e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98
SHA512d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0
-
Filesize
944B
MD5cadef9abd087803c630df65264a6c81c
SHA1babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA5127278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085
-
Filesize
944B
MD519a9aede3e8e2ec988f259f5376c05b1
SHA19c266bc2d25767e348f94a862fcfc2480af60ec4
SHA256410fe8254ed16d5d9fabd39f5d462684354fa5a953cb827852cc570849ccb5d8
SHA512cdcd954967a346088107509ba5f7a92de6e244106091acd98071d482a144d5da000ee1894eacd8ce5e8f94ab55381719791ce313512a656346422189c10d9d39
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
5.0MB
MD536c166ba7ab01d11bc9eecfd87af3d63
SHA12872c0d4200037adfdbd2129b65a3cae51547f09
SHA256b3d90d187c2b7f8068a447d296410dd279a3f39330dc5c57e1038ba6421bc548
SHA512694260d62d61ca29b7393dbc059bfd01769cb6475eddd045dd309abaa07388e1e73ca2bceab855adca8f73157a5c4dfdbd25435bf6d62778285e7ed62508c191
-
Filesize
40KB
MD56663d561874fb21e3bd67c9e68f09ac0
SHA19f8ad93ba4e60844250d624e25a8d421281c6d94
SHA256a8cfdcf2308be48989bc7993ceb61e0ecb7930f8a154b2e5d2c78f2f5a5c3802
SHA5128ff50e5aa96e6600663b8e0935548c8cd1477b0c483c2f7ba0f8808ad6a21c48eb7655c87daeda6695d4ea4cc0db26161e1367eb712f67fb199c26bc5fcc3c6f