Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
20-05-2024 11:42
Static task
static1
Behavioral task
behavioral1
Sample
SUITLOCK.exe
Resource
win7-20240221-en
General
-
Target
SUITLOCK.exe
-
Size
5.1MB
-
MD5
6f9ba18a04ebf182900a0f4b94b3537d
-
SHA1
15634a3aa0a59e8154ad1ffdb5eeb8387055f213
-
SHA256
443da78d2f9696220afbc3d4705228f75d268bc6079162b2b020ec94f140a0b1
-
SHA512
6bead3d7421afef0e1e8b060c10db34eec908c863f57264c25d6cbabbd5b9b118418cc34fef3f366927f97def4782c8499780e5c008a62b9f2fbcd9af8adb8de
-
SSDEEP
98304:NNadRPPlP93efT/RehdEyiFr9/LSsTxy/rSbIixFid6fa:NaPPlPYf10i9TSsFyTSbIcFg6
Malware Config
Extracted
xworm
5.0
156.225.129.219:7000
LOfxNhTNVvGzuUp6
-
Install_directory
%AppData%
-
install_file
USB.exe
Signatures
-
Detect Xworm Payload 2 IoCs
resource yara_rule behavioral2/files/0x0007000000023428-22.dat family_xworm behavioral2/memory/3648-48-0x0000000000410000-0x0000000000420000-memory.dmp family_xworm -
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 2120 powershell.exe 4180 powershell.exe 100 powershell.exe 1304 powershell.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation newupdate.exe Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation SUITLOCK.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.lnk newupdate.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.lnk newupdate.exe -
Executes dropped EXE 2 IoCs
pid Process 2472 UNLOCK.exe 3648 newupdate.exe -
resource yara_rule behavioral2/files/0x000b000000023385-6.dat vmprotect behavioral2/memory/2472-54-0x0000000140000000-0x00000001408BC000-memory.dmp vmprotect behavioral2/memory/2472-58-0x0000000140000000-0x00000001408BC000-memory.dmp vmprotect -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 26 ip-api.com -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 2472 UNLOCK.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 15 IoCs
pid Process 2472 UNLOCK.exe 2472 UNLOCK.exe 2120 powershell.exe 2120 powershell.exe 2120 powershell.exe 4180 powershell.exe 4180 powershell.exe 4180 powershell.exe 100 powershell.exe 100 powershell.exe 100 powershell.exe 1304 powershell.exe 1304 powershell.exe 1304 powershell.exe 3648 newupdate.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeDebugPrivilege 3648 newupdate.exe Token: SeDebugPrivilege 2120 powershell.exe Token: SeDebugPrivilege 4180 powershell.exe Token: SeDebugPrivilege 100 powershell.exe Token: SeDebugPrivilege 1304 powershell.exe Token: SeDebugPrivilege 3648 newupdate.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3648 newupdate.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 3364 wrote to memory of 2472 3364 SUITLOCK.exe 84 PID 3364 wrote to memory of 2472 3364 SUITLOCK.exe 84 PID 3364 wrote to memory of 3648 3364 SUITLOCK.exe 86 PID 3364 wrote to memory of 3648 3364 SUITLOCK.exe 86 PID 2472 wrote to memory of 4844 2472 UNLOCK.exe 89 PID 2472 wrote to memory of 4844 2472 UNLOCK.exe 89 PID 4844 wrote to memory of 732 4844 cmd.exe 90 PID 4844 wrote to memory of 732 4844 cmd.exe 90 PID 3648 wrote to memory of 2120 3648 newupdate.exe 96 PID 3648 wrote to memory of 2120 3648 newupdate.exe 96 PID 3648 wrote to memory of 4180 3648 newupdate.exe 99 PID 3648 wrote to memory of 4180 3648 newupdate.exe 99 PID 3648 wrote to memory of 100 3648 newupdate.exe 101 PID 3648 wrote to memory of 100 3648 newupdate.exe 101 PID 3648 wrote to memory of 1304 3648 newupdate.exe 103 PID 3648 wrote to memory of 1304 3648 newupdate.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\SUITLOCK.exe"C:\Users\Admin\AppData\Local\Temp\SUITLOCK.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3364 -
C:\Users\Admin\UNLOCK.exe"C:\Users\Admin\UNLOCK.exe"2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2472 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mode 70,103⤵
- Suspicious use of WriteProcessMemory
PID:4844 -
C:\Windows\system32\mode.commode 70,104⤵PID:732
-
-
-
-
C:\Users\Admin\newupdate.exe"C:\Users\Admin\newupdate.exe"2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3648 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\newupdate.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2120
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'newupdate.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4180
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\csrss'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:100
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'csrss'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1304
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD55436d948c5a2fd929db90a9c805ec461
SHA13787c5c5283aefc05f89397e54faf61723295208
SHA2568e628eeba175c8edd18dfc098d6f70fac57c85922cf145a5a27c00bbe1a7513a
SHA512c12ab68a377fd59c7fd867c195dfc73e21df975e7abcab266c028f4ff2a8d96f95bfded27bf5d6fb683e8b22e09cbf9bbfe7b59be8de985344b1956a61a2ade7
-
Filesize
944B
MD56d42b6da621e8df5674e26b799c8e2aa
SHA1ab3ce1327ea1eeedb987ec823d5e0cb146bafa48
SHA2565ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c
SHA51253faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29
-
Filesize
944B
MD5d2455b3aa53311e2612d7a37b4dbbd4a
SHA192ea5f85565bd1d163f9e5874d40b8d5f79ca7c4
SHA256fe3555cddb9b9688a566b47c182747d0ca0ad4abcb8ed09e57213235ba781802
SHA51298f6334ebe9978f7eae109f394c02d842392977cc758df4804a974ab7bff22fb1e79f12439e7fc78f798f8f5eb54c27bbdfe8e23f10acd3444b21ec937669845
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
5.0MB
MD536c166ba7ab01d11bc9eecfd87af3d63
SHA12872c0d4200037adfdbd2129b65a3cae51547f09
SHA256b3d90d187c2b7f8068a447d296410dd279a3f39330dc5c57e1038ba6421bc548
SHA512694260d62d61ca29b7393dbc059bfd01769cb6475eddd045dd309abaa07388e1e73ca2bceab855adca8f73157a5c4dfdbd25435bf6d62778285e7ed62508c191
-
Filesize
40KB
MD56663d561874fb21e3bd67c9e68f09ac0
SHA19f8ad93ba4e60844250d624e25a8d421281c6d94
SHA256a8cfdcf2308be48989bc7993ceb61e0ecb7930f8a154b2e5d2c78f2f5a5c3802
SHA5128ff50e5aa96e6600663b8e0935548c8cd1477b0c483c2f7ba0f8808ad6a21c48eb7655c87daeda6695d4ea4cc0db26161e1367eb712f67fb199c26bc5fcc3c6f