Analysis
Max time kernel: 148s
Max time network: 154s
Platform: windows10-2004_x64
Resource: win10v2004-20240508-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 22-05-2024 01:35
Behavioral task behavioral1
Sample: 2024-05-22_1e06d1f23f474c5e6ba0f279d3d3dfac_hiddentear.exe
Resource: win7-20240221-en

Behavioral task behavioral2
Sample: 2024-05-22_1e06d1f23f474c5e6ba0f279d3d3dfac_hiddentear.exe
Resource: win10v2004-20240508-en
General
Target: 2024-05-22_1e06d1f23f474c5e6ba0f279d3d3dfac_hiddentear.exe
Size: 133KB
MD5: 1e06d1f23f474c5e6ba0f279d3d3dfac
SHA1: 307c847fafc7453a1050d85b6099b113a2790ef0
SHA256: eb8721bfa1bcacc08b8a8712e6a7fc6d4b69776e8b592abef9539c2fc671df50
SHA512: d1d5302d01fff58479385153160ab271b15f87c87cb5d7ab1df153d818ee9f109fcf8318c7622b068bb4344ab2261aca60c571e2e642d0f84e01bf15ade3c5fb
SSDEEP: 3072:J+oM/FJZdq/Fk96ytO/fXM+lmsolAIrRuw+mqv9j1MWLQI:C/FJaNk9Ts8+lDAA
Malware Config
Extracted
Family: xworm
Version: 5.0
C2: 103.161.170.251:7000
O5WJMXQSSZKD5Ijn
Install_directory: %Temp%
install_file: khiet.exe
telegram: https://api.telegram.org/bot6833541180:AAEc_LLwKd7Jex1zaN5vTaLg13uuFjIHQEU/sendMessage?chat_id=5747667034
Signatures

Detect Xworm Payload (2 IoCs)
Processes:
resource | yara_rule
behavioral2/memory/1708-0-0x0000000000830000-0x0000000000858000-memory.dmp | family_xworm
C:\Users\Admin\AppData\Local\Temp\khiet.exe | family_xworm

Detects Windows executables referencing non-Windows User-Agents (2 IoCs)
Processes:
resource | yara_rule
behavioral2/memory/1708-0-0x0000000000830000-0x0000000000858000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
C:\Users\Admin\AppData\Local\Temp\khiet.exe | INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Detects executables using Telegram Chat Bot (2 IoCs)
Processes:
resource | yara_rule
behavioral2/memory/1708-0-0x0000000000830000-0x0000000000858000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
C:\Users\Admin\AppData\Local\Temp\khiet.exe | INDICATOR_SUSPICIOUS_EXE_TelegramChatBot

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: 2024-05-22_1e06d1f23f474c5e6ba0f279d3d3dfac_hiddentear.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | 2024-05-22_1e06d1f23f474c5e6ba0f279d3d3dfac_hiddentear.exe

Drops startup file (2 IoCs)
Processes: 2024-05-22_1e06d1f23f474c5e6ba0f279d3d3dfac_hiddentear.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\khiet.lnk | 2024-05-22_1e06d1f23f474c5e6ba0f279d3d3dfac_hiddentear.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\khiet.lnk | 2024-05-22_1e06d1f23f474c5e6ba0f279d3d3dfac_hiddentear.exe

Executes dropped EXE (2 IoCs)
Processes: khiet.exe, khiet.exe
pid | process
3772 | khiet.exe
2792 | khiet.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes: 2024-05-22_1e06d1f23f474c5e6ba0f279d3d3dfac_hiddentear.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\khiet = "C:\\Users\\Admin\\AppData\\Local\\Temp\\khiet.exe" | 2024-05-22_1e06d1f23f474c5e6ba0f279d3d3dfac_hiddentear.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: 2024-05-22_1e06d1f23f474c5e6ba0f279d3d3dfac_hiddentear.exe, khiet.exe, khiet.exe
description | pid | process
Token: SeDebugPrivilege | 1708 | 2024-05-22_1e06d1f23f474c5e6ba0f279d3d3dfac_hiddentear.exe
Token: SeDebugPrivilege | 3772 | khiet.exe
Token: SeDebugPrivilege | 2792 | khiet.exe

Suspicious use of WriteProcessMemory (2 IoCs)
Processes: 2024-05-22_1e06d1f23f474c5e6ba0f279d3d3dfac_hiddentear.exe
description | pid | process | target process
PID 1708 wrote to memory of 4172 | 1708 | 2024-05-22_1e06d1f23f474c5e6ba0f279d3d3dfac_hiddentear.exe | schtasks.exe
PID 1708 wrote to memory of 4172 | 1708 | 2024-05-22_1e06d1f23f474c5e6ba0f279d3d3dfac_hiddentear.exe | schtasks.exe

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-22_1e06d1f23f474c5e6ba0f279d3d3dfac_hiddentear.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-05-22_1e06d1f23f474c5e6ba0f279d3d3dfac_hiddentear.exe"
PID: 1708
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
  Child process of PID 1708:
  C:\Windows\System32\schtasks.exe
  Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "khiet" /tr "C:\Users\Admin\AppData\Local\Temp\khiet.exe"
  PID: 4172
  - Creates scheduled task(s)

C:\Users\Admin\AppData\Local\Temp\khiet.exe
Command line: C:\Users\Admin\AppData\Local\Temp\khiet.exe
PID: 3772
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Local\Temp\khiet.exe
Command line: C:\Users\Admin\AppData\Local\Temp\khiet.exe
PID: 2792
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\khiet.exe.log
Filesize: 654B
MD5: 2ff39f6c7249774be85fd60a8f9a245e
SHA1: 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256: e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512: 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

C:\Users\Admin\AppData\Local\Temp\khiet.exe
Filesize: 133KB
MD5: 1e06d1f23f474c5e6ba0f279d3d3dfac
SHA1: 307c847fafc7453a1050d85b6099b113a2790ef0
SHA256: eb8721bfa1bcacc08b8a8712e6a7fc6d4b69776e8b592abef9539c2fc671df50
SHA512: d1d5302d01fff58479385153160ab271b15f87c87cb5d7ab1df153d818ee9f109fcf8318c7622b068bb4344ab2261aca60c571e2e642d0f84e01bf15ade3c5fb

memory/1708-0-0x0000000000830000-0x0000000000858000-memory.dmp
Filesize: 160KB

memory/1708-1-0x00007FFE78D90000-0x00007FFE78F85000-memory.dmp
Filesize: 2.0MB

memory/1708-6-0x00007FFE78D90000-0x00007FFE78F85000-memory.dmp
Filesize: 2.0MB

memory/1708-7-0x00007FFE78D90000-0x00007FFE78F85000-memory.dmp
Filesize: 2.0MB

memory/3772-10-0x00007FFE78D90000-0x00007FFE78F85000-memory.dmp
Filesize: 2.0MB

memory/3772-12-0x00007FFE78D90000-0x00007FFE78F85000-memory.dmp
Filesize: 2.0MB