Analysis

Max time kernel: 147s
Max time network: 156s
Platform: windows7_x64
Resource: win7-20240221-en
Resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
Submitted: 20-05-2024 11:42

Static task: static1
Behavioral task: behavioral1
Sample: SUITLOCK.exe
Resource: win7-20240221-en
General

Target: SUITLOCK.exe
Size: 5.1MB
MD5: 6f9ba18a04ebf182900a0f4b94b3537d
SHA1: 15634a3aa0a59e8154ad1ffdb5eeb8387055f213
SHA256: 443da78d2f9696220afbc3d4705228f75d268bc6079162b2b020ec94f140a0b1
SHA512: 6bead3d7421afef0e1e8b060c10db34eec908c863f57264c25d6cbabbd5b9b118418cc34fef3f366927f97def4782c8499780e5c008a62b9f2fbcd9af8adb8de
SSDEEP: 98304:NNadRPPlP93efT/RehdEyiFr9/LSsTxy/rSbIixFid6fa:NaPPlPYf10i9TSsFyTSbIcFg6
Malware Config

Extracted
Family: xworm
Version: 5.0
156.225.129.219:7000
LOfxNhTNVvGzuUp6
Install_directory: %AppData%
install_file: USB.exe
Signatures

Detect Xworm Payload (2 IoCs)
  resource                                                                      yara_rule
  behavioral1/files/0x0009000000016d01-10.dat                                   family_xworm
  behavioral1/memory/2868-12-0x00000000011D0000-0x00000000011E0000-memory.dmp   family_xworm

Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  pid    Process
  2396   powershell.exe
  2376   powershell.exe
  1032   powershell.exe
  2712   powershell.exe

Drops startup file (2 IoCs)
  description                     ioc                                                                                      Process
  File opened for modification    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.lnk    newupdate.exe
  File created                    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.lnk    newupdate.exe

Executes dropped EXE (2 IoCs)
  pid    Process
  2296   UNLOCK.exe
  2868   newupdate.exe

Loads dropped DLL (1 IoC)
  pid    Process
  2236   SUITLOCK.exe

YARA rule: vmprotect
  resource                                                                      yara_rule
  behavioral1/files/0x0009000000016cf0-6.dat                                    vmprotect
  behavioral1/memory/2296-26-0x0000000140000000-0x00000001408BC000-memory.dmp   vmprotect

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow   ioc
  4      ip-api.com

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  pid    Process
  2296   UNLOCK.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid    Process
  2296   UNLOCK.exe
  2712   powershell.exe
  2396   powershell.exe
  2376   powershell.exe
  1032   powershell.exe
  2868   newupdate.exe

Suspicious use of AdjustPrivilegeToken (6 IoCs)
  description                pid    Process
  Token: SeDebugPrivilege    2868   newupdate.exe
  Token: SeDebugPrivilege    2712   powershell.exe
  Token: SeDebugPrivilege    2396   powershell.exe
  Token: SeDebugPrivilege    2376   powershell.exe
  Token: SeDebugPrivilege    1032   powershell.exe
  Token: SeDebugPrivilege    2868   newupdate.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid    Process
  2868   newupdate.exe

Suspicious use of WriteProcessMemory (24 IoCs)
  description                     pid    Process          procid_target
  PID 2236 wrote to memory of 2296   2236   SUITLOCK.exe     28
  PID 2236 wrote to memory of 2296   2236   SUITLOCK.exe     28
  PID 2236 wrote to memory of 2296   2236   SUITLOCK.exe     28
  PID 2236 wrote to memory of 2868   2236   SUITLOCK.exe     30
  PID 2236 wrote to memory of 2868   2236   SUITLOCK.exe     30
  PID 2236 wrote to memory of 2868   2236   SUITLOCK.exe     30
  PID 2296 wrote to memory of 2572   2296   UNLOCK.exe       31
  PID 2296 wrote to memory of 2572   2296   UNLOCK.exe       31
  PID 2296 wrote to memory of 2572   2296   UNLOCK.exe       31
  PID 2572 wrote to memory of 2852   2572   cmd.exe          32
  PID 2572 wrote to memory of 2852   2572   cmd.exe          32
  PID 2572 wrote to memory of 2852   2572   cmd.exe          32
  PID 2868 wrote to memory of 2712   2868   newupdate.exe    34
  PID 2868 wrote to memory of 2712   2868   newupdate.exe    34
  PID 2868 wrote to memory of 2712   2868   newupdate.exe    34
  PID 2868 wrote to memory of 2396   2868   newupdate.exe    36
  PID 2868 wrote to memory of 2396   2868   newupdate.exe    36
  PID 2868 wrote to memory of 2396   2868   newupdate.exe    36
  PID 2868 wrote to memory of 2376   2868   newupdate.exe    38
  PID 2868 wrote to memory of 2376   2868   newupdate.exe    38
  PID 2868 wrote to memory of 2376   2868   newupdate.exe    38
  PID 2868 wrote to memory of 1032   2868   newupdate.exe    40
  PID 2868 wrote to memory of 1032   2868   newupdate.exe    40
  PID 2868 wrote to memory of 1032   2868   newupdate.exe    40
Processes

C:\Users\Admin\AppData\Local\Temp\SUITLOCK.exe (PID 2236)
  Command line: "C:\Users\Admin\AppData\Local\Temp\SUITLOCK.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\UNLOCK.exe (PID 2296)
    Command line: "C:\Users\Admin\UNLOCK.exe"
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\cmd.exe (PID 2572)
      Command line: C:\Windows\system32\cmd.exe /c mode 70,10
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\mode.com (PID 2852)
        Command line: mode 70,10

  C:\Users\Admin\newupdate.exe (PID 2868)
    Command line: "C:\Users\Admin\newupdate.exe"
    - Drops startup file
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2712)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\newupdate.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2396)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'newupdate.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2376)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\csrss'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1032)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'csrss'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken