Analysis
- max time kernel: 139s
- max time network: 140s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21-05-2024 06:41
General
- Target: XClienww.exe
- Size: 30KB
- MD5: 69c83edef0d409cb392d39b953540dd9
- SHA1: c9284521655bb3e4f78e80288f4d2a2dbddbafaf
- SHA256: 2eef7833fa4b54da04b6c5043efbe11e5dd151a70b2fcc290251d5ee1a34f6dc
- SHA512: e89317e0c898c695b8fd6c54372ea52f663f40c6be27ac86008d701be0f844d6cf81815a417118b09d7ef323be1e095e722fb1960c3d8bc07e7c3e17121bc807
- SSDEEP: 384:L7wTA+5OfPgEBQqWvfcQLZe3sr0hYACSqRFYjY2uRugtFuBLTIOZw/WVnvn9IkVe:LrgECfLHrMYAoRF72uBFE9RIOqh+bU
Malware Config
Extracted
- xworm
- 3.1
- built-illegal.gl.at.ply.gg:51660
- Wb5UffKZlzIeq5KM
- install_file: USB.exe
Signatures
- Detect Xworm Payload (1 IoC)
  Processes:
  resource: behavioral1/memory/228-1-0x00000000001E0000-0x00000000001EE000-memory.dmp, yara_rule: family_xworm
- Delays execution with timeout.exe (1 IoC)
  Processes:
  pid 3464, process timeout.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  pid 228, process XClienww.exe, description: Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
  PID 228 (XClienww.exe) wrote to memory of 2668 (cmd.exe)
  PID 228 (XClienww.exe) wrote to memory of 2668 (cmd.exe)
  PID 2668 (cmd.exe) wrote to memory of 3464 (timeout.exe)
  PID 2668 (cmd.exe) wrote to memory of 3464 (timeout.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\XClienww.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\XClienww.exe"
  PID: 228
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp3CD5.tmp.bat""
    PID: 2668
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\timeout.exe
      Command line: timeout 3
      PID: 3464
      - Delays execution with timeout.exe
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4020,i,7012731823941922179,12386606396608877869,262144 --variations-seed-version --mojo-platform-channel-handle=4068 /prefetch:8
  PID: 4888
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp3CD5.tmp.bat
  Filesize: 160B
  MD5: 00f563e43af74a0dfb68818bec9ddbb3
  SHA1: 790f69e5c38eae06aea67662c43be0088453e55e
  SHA256: 65819b0525546e7bac97f2c614124c84c487572de3892ca94bbe423065c15447
  SHA512: ef12758c20da5c785cc2e60dcba0ef5cbf06ef65bf9d5534406623ff7711e7110491503eb6aca27e39a72476af5e7d884ac0e832ddb96a69b00e6bee00581804
- memory/228-0-0x00007FF990513000-0x00007FF990515000-memory.dmp
  Filesize: 8KB
- memory/228-1-0x00000000001E0000-0x00000000001EE000-memory.dmp
  Filesize: 56KB
- memory/228-2-0x00007FF990510000-0x00007FF990FD1000-memory.dmp
  Filesize: 10.8MB
- memory/228-3-0x000000001AF20000-0x000000001AF2A000-memory.dmp
  Filesize: 40KB
- memory/228-4-0x00007FF990513000-0x00007FF990515000-memory.dmp
  Filesize: 8KB
- memory/228-9-0x00007FF990510000-0x00007FF990FD1000-memory.dmp
  Filesize: 10.8MB