Analysis

  • max time kernel
    147s
  • max time network
    156s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    20-05-2024 11:42

General

  • Target

    SUITLOCK.exe

  • Size

    5.1MB

  • MD5

    6f9ba18a04ebf182900a0f4b94b3537d

  • SHA1

    15634a3aa0a59e8154ad1ffdb5eeb8387055f213

  • SHA256

    443da78d2f9696220afbc3d4705228f75d268bc6079162b2b020ec94f140a0b1

  • SHA512

    6bead3d7421afef0e1e8b060c10db34eec908c863f57264c25d6cbabbd5b9b118418cc34fef3f366927f97def4782c8499780e5c008a62b9f2fbcd9af8adb8de

  • SSDEEP

    98304:NNadRPPlP93efT/RehdEyiFr9/LSsTxy/rSbIixFid6fa:NaPPlPYf10i9TSsFyTSbIcFg6

Malware Config

Extracted

Family

xworm

Version

5.0

C2

156.225.129.219:7000

Mutex

LOfxNhTNVvGzuUp6

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

aes.plain

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • VMProtect packed file 2 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SUITLOCK.exe
    "C:\Users\Admin\AppData\Local\Temp\SUITLOCK.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2236
    • C:\Users\Admin\UNLOCK.exe
      "C:\Users\Admin\UNLOCK.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2296
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c mode 70,10
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2572
        • C:\Windows\system32\mode.com
          mode 70,10
          4⤵
            PID:2852
      • C:\Users\Admin\newupdate.exe
        "C:\Users\Admin\newupdate.exe"
        2⤵
        • Drops startup file
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2868
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\newupdate.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2712
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'newupdate.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2396
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\csrss'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2376
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'csrss'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1032

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

      Filesize

      7KB

      MD5

      880c20b51367d72b18b721d30b98a356

      SHA1

      b127e05ff349eb9b99872de07a07f6b92883659c

      SHA256

      f360c37f4fd9d2b477d15b64884f0f4b045415909d215c359de1f8e57bcf5faf

      SHA512

      f7bc63712b664ffa6c90e108fd580bdd170a26daf632836f5f354590be94b24037e241772387a9239657d9ac95e22131ab8334fb689c932dcc296d837c51c384

    • C:\Users\Admin\UNLOCK.exe

      Filesize

      5.0MB

      MD5

      36c166ba7ab01d11bc9eecfd87af3d63

      SHA1

      2872c0d4200037adfdbd2129b65a3cae51547f09

      SHA256

      b3d90d187c2b7f8068a447d296410dd279a3f39330dc5c57e1038ba6421bc548

      SHA512

      694260d62d61ca29b7393dbc059bfd01769cb6475eddd045dd309abaa07388e1e73ca2bceab855adca8f73157a5c4dfdbd25435bf6d62778285e7ed62508c191

    • C:\Users\Admin\newupdate.exe

      Filesize

      40KB

      MD5

      6663d561874fb21e3bd67c9e68f09ac0

      SHA1

      9f8ad93ba4e60844250d624e25a8d421281c6d94

      SHA256

      a8cfdcf2308be48989bc7993ceb61e0ecb7930f8a154b2e5d2c78f2f5a5c3802

      SHA512

      8ff50e5aa96e6600663b8e0935548c8cd1477b0c483c2f7ba0f8808ad6a21c48eb7655c87daeda6695d4ea4cc0db26161e1367eb712f67fb199c26bc5fcc3c6f

    • memory/2236-0-0x000007FEF51A3000-0x000007FEF51A4000-memory.dmp

      Filesize

      4KB

    • memory/2236-1-0x0000000000900000-0x0000000000E1E000-memory.dmp

      Filesize

      5.1MB

    • memory/2296-18-0x00000000770A0000-0x00000000770A2000-memory.dmp

      Filesize

      8KB

    • memory/2296-26-0x0000000140000000-0x00000001408BC000-memory.dmp

      Filesize

      8.7MB

    • memory/2296-25-0x00000000770B0000-0x00000000770B2000-memory.dmp

      Filesize

      8KB

    • memory/2296-23-0x00000000770B0000-0x00000000770B2000-memory.dmp

      Filesize

      8KB

    • memory/2296-21-0x00000000770B0000-0x00000000770B2000-memory.dmp

      Filesize

      8KB

    • memory/2296-20-0x00000000770A0000-0x00000000770A2000-memory.dmp

      Filesize

      8KB

    • memory/2296-15-0x0000000140080000-0x00000001403B0000-memory.dmp

      Filesize

      3.2MB

    • memory/2296-16-0x00000000770A0000-0x00000000770A2000-memory.dmp

      Filesize

      8KB

    • memory/2296-59-0x0000000140080000-0x00000001403B0000-memory.dmp

      Filesize

      3.2MB

    • memory/2396-43-0x00000000025F0000-0x00000000025F8000-memory.dmp

      Filesize

      32KB

    • memory/2396-42-0x000000001B1E0000-0x000000001B4C2000-memory.dmp

      Filesize

      2.9MB

    • memory/2712-36-0x0000000001ED0000-0x0000000001ED8000-memory.dmp

      Filesize

      32KB

    • memory/2712-35-0x000000001B1E0000-0x000000001B4C2000-memory.dmp

      Filesize

      2.9MB

    • memory/2868-14-0x000007FEF51A0000-0x000007FEF5B8C000-memory.dmp

      Filesize

      9.9MB

    • memory/2868-12-0x00000000011D0000-0x00000000011E0000-memory.dmp

      Filesize

      64KB

    • memory/2868-58-0x000007FEF51A0000-0x000007FEF5B8C000-memory.dmp

      Filesize

      9.9MB

    • memory/2868-30-0x000000001B150000-0x000000001B1D0000-memory.dmp

      Filesize

      512KB

    • memory/2868-60-0x000000001B150000-0x000000001B1D0000-memory.dmp

      Filesize

      512KB