Analysis

- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 23-05-2024 12:51

Static task: static1
Behavioral task: behavioral1
Sample: Bypass3_Pure_Mode.exe
Resource: win7-20240508-en
General

- Target: Bypass3_Pure_Mode.exe
- Size: 724KB
- MD5: 6e1e63e97c09758e3db18ea31bd95284
- SHA1: 6f4a188d43122d22a14459123764a094ed56b37c
- SHA256: 2721b3feda88f242a54f83dfcd50d6356ae11a4374a816790cc90c00eb990ba1
- SHA512: 0708ebbc263c5f16fddb0e1e76abf30b3ff5842207f450e0892e0879f828ecf165a203f156f460ed3cb97dd85691c0f3dc2233160b98e7daf34057872c70ba23
- SSDEEP: 12288:7DeaBr2968/mPSxX7UydfxMApCPuiRMfOzzH3t2zrNkjovC7Qe1RwUdaZkgsZyL:3Pp8/2Sx/xMA8miRSO3H3t8aDaXs8
Malware Config

Extracted family: xworm
- Version: 5.0
- C2 (host:port): 45.141.27.41:7000
- 9ZF9ZsOZGh1T1r1n
- Install_directory: %Public%
- install_file: csrss.exe
Signatures

Detect Xworm Payload (2 IoCs)
Processes:
- resource: C:\Users\Admin\XClient.exe; yara_rule: family_xworm
- resource: behavioral1/memory/2668-12-0x00000000001F0000-0x0000000000200000-memory.dmp; yara_rule: family_xworm

Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)
Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
- pid 1296 powershell.exe
- pid 2972 powershell.exe
- pid 1060 powershell.exe
- pid 344 powershell.exe

Drops startup file (2 IoCs)
Processes:
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.lnk (process: XClient.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.lnk (process: XClient.exe)

Executes dropped EXE (2 IoCs)
Processes:
- pid 1276 example.exe
- pid 2668 XClient.exe

Loads dropped DLL (1 IoC)
Processes:
- pid 2164 Bypass3_Pure_Mode.exe

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
- flow 14, ioc: ip-api.com

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (10 IoCs)
Processes:
- pid 1276 example.exe (reported 5 times)
- pid 1296 powershell.exe
- pid 2972 powershell.exe
- pid 1060 powershell.exe
- pid 344 powershell.exe
- pid 2668 XClient.exe

Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes:
- Token: SeDebugPrivilege; pid 2668 XClient.exe
- Token: SeDebugPrivilege; pid 1296 powershell.exe
- Token: SeDebugPrivilege; pid 2972 powershell.exe
- Token: SeDebugPrivilege; pid 1060 powershell.exe
- Token: SeDebugPrivilege; pid 344 powershell.exe
- Token: SeDebugPrivilege; pid 2668 XClient.exe

Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
- pid 2668 XClient.exe

Suspicious use of WriteProcessMemory (30 IoCs)
Processes (each source/target pair below is reported three times in the sandbox output, giving the count of 30):
- PID 2164 Bypass3_Pure_Mode.exe wrote to memory of 1276 example.exe
- PID 2164 Bypass3_Pure_Mode.exe wrote to memory of 2668 XClient.exe
- PID 1276 example.exe wrote to memory of 1932 cmd.exe
- PID 1932 cmd.exe wrote to memory of 2664 certutil.exe
- PID 1932 cmd.exe wrote to memory of 2624 find.exe
- PID 1932 cmd.exe wrote to memory of 2792 find.exe
- PID 2668 XClient.exe wrote to memory of 1296 powershell.exe
- PID 2668 XClient.exe wrote to memory of 2972 powershell.exe
- PID 2668 XClient.exe wrote to memory of 1060 powershell.exe
- PID 2668 XClient.exe wrote to memory of 344 powershell.exe
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\Bypass3_Pure_Mode.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Bypass3_Pure_Mode.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    [depth 2] C:\Users\Admin\example.exe
        Command line: "C:\Users\Admin\example.exe"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory

        [depth 3] C:\Windows\system32\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\example.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
            - Suspicious use of WriteProcessMemory

            [depth 4] C:\Windows\system32\certutil.exe
                Command line: certutil -hashfile "C:\Users\Admin\example.exe" MD5

            [depth 4] C:\Windows\system32\find.exe
                Command line: find /i /v "md5"

            [depth 4] C:\Windows\system32\find.exe
                Command line: find /i /v "certutil"

    [depth 2] C:\Users\Admin\XClient.exe
        Command line: "C:\Users\Admin\XClient.exe"
        - Drops startup file
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        [depth 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\XClient.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

        [depth 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

        [depth 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\csrss.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

        [depth 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'csrss.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
- Filesize: 7KB
- MD5: 8ad400236dd9a680a5cf078da5d065e0
- SHA1: fae1e7bd4a81cf22780c315c2ab80272e0542606
- SHA256: 4f78ed16cee8676c277f1f01060dd22ca5a31c48c6654735e545bf5ac04b6bcb
- SHA512: 4e1b34f3ac13f2eb8737131d084474d22a5020f771d28e007ba1b5ed7ead13ea926b5fcb1927283bfb56284a8abf0b1ecde58b7d012e4abfc206cb511134ace0

C:\Users\Admin\XClient.exe
- Filesize: 40KB
- MD5: 7ea387ab126b2ecf3365d448a318a433
- SHA1: 71b6e05898b68ed72ca95266d6293b225c40b612
- SHA256: 573f3d316ed68ea2d4762a657dcc62416b763a8fcd1f99017f02d3ef5c215015
- SHA512: 68830f84bf9f0a9e75a999907f7e7d816f89aa745e92078f56f303edadb236e14957e0594290f297fd4c0175ae72be02542cabe974a404fe961b7ab4bf945825

C:\Users\Admin\example.exe
- Filesize: 673KB
- MD5: 56a9b5d3e447355a8d29a2d02a00b70c
- SHA1: af802aab037d6ae208b040e4e0b629665f208394
- SHA256: 8d33c98d8aa62cbcc5d9096aa93fe073f0ee012af6cea9f19daad0d8e08d0ff1
- SHA512: c9d4de01e7c472d48ecee70777cac1f3ab3959fdb863c27096898b339e5f53e319489080ca08d3b18659ab396a16a18638fbebe06e58546ddeb2b5b5ca593081

\??\PIPE\srvsvc (the digests below are those of zero-length content, so they identify nothing specific to this sample)
- MD5: d41d8cd98f00b204e9800998ecf8427e
- SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
- SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
- SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Memory dumps:
- memory/1296-19-0x000000001B6C0000-0x000000001B9A2000-memory.dmp, Filesize: 2.9MB
- memory/1296-20-0x0000000002920000-0x0000000002928000-memory.dmp, Filesize: 32KB
- memory/2164-0-0x000007FEF5F13000-0x000007FEF5F14000-memory.dmp, Filesize: 4KB
- memory/2164-1-0x0000000000F80000-0x000000000103C000-memory.dmp, Filesize: 752KB
- memory/2668-14-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp, Filesize: 9.9MB
- memory/2668-12-0x00000000001F0000-0x0000000000200000-memory.dmp, Filesize: 64KB
- memory/2668-43-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp, Filesize: 9.9MB
- memory/2972-27-0x0000000001FC0000-0x0000000001FC8000-memory.dmp, Filesize: 32KB
- memory/2972-26-0x000000001B850000-0x000000001BB32000-memory.dmp, Filesize: 2.9MB