Analysis
- max time kernel: 150s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-05-2024 12:51
Static task: static1
Behavioral task: behavioral1
Sample: Bypass3_Pure_Mode.exe
Resource: win7-20240508-en
General
- Target: Bypass3_Pure_Mode.exe
- Size: 724KB
- MD5: 6e1e63e97c09758e3db18ea31bd95284
- SHA1: 6f4a188d43122d22a14459123764a094ed56b37c
- SHA256: 2721b3feda88f242a54f83dfcd50d6356ae11a4374a816790cc90c00eb990ba1
- SHA512: 0708ebbc263c5f16fddb0e1e76abf30b3ff5842207f450e0892e0879f828ecf165a203f156f460ed3cb97dd85691c0f3dc2233160b98e7daf34057872c70ba23
- SSDEEP: 12288:7DeaBr2968/mPSxX7UydfxMApCPuiRMfOzzH3t2zrNkjovC7Qe1RwUdaZkgsZyL:3Pp8/2Sx/xMA8miRSO3H3t8aDaXs8
Malware Config
Extracted
- xworm 5.0
- 45.141.27.41:7000
- 9ZF9ZsOZGh1T1r1n
- Install_directory: %Public%
- install_file: csrss.exe
Signatures
- Detect Xworm Payload (2 IoCs)
  resource / yara_rule:
  C:\Users\Admin\XClient.exe: family_xworm
  behavioral2/memory/2728-48-0x0000000000F40000-0x0000000000F50000-memory.dmp: family_xworm
- Command and Scripting Interpreter: PowerShell (1 TTPs, 4 IoCs)
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid / process:
  4180 powershell.exe
  768 powershell.exe
  4440 powershell.exe
  2600 powershell.exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description / ioc / process:
  Key value queried: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation (Bypass3_Pure_Mode.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation (XClient.exe)
- Drops startup file (2 IoCs)
  description / ioc / process:
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.lnk (XClient.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.lnk (XClient.exe)
- Executes dropped EXE (2 IoCs)
  pid / process:
  2524 example.exe
  2728 XClient.exe
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow / ioc:
  25 ip-api.com
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (23 IoCs)
  pid / process (number of hits):
  2524 example.exe (10)
  2600 powershell.exe (2)
  4180 powershell.exe (3)
  768 powershell.exe (3)
  4440 powershell.exe (3)
  2728 XClient.exe (2)
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  description / pid / process:
  Token: SeDebugPrivilege 2728 XClient.exe
  Token: SeDebugPrivilege 2600 powershell.exe
  Token: SeDebugPrivilege 4180 powershell.exe
  Token: SeDebugPrivilege 768 powershell.exe
  Token: SeDebugPrivilege 4440 powershell.exe
  Token: SeDebugPrivilege 2728 XClient.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  pid / process:
  2728 XClient.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  description / pid / process / target process (each pair is recorded twice in the report):
  PID 224 (Bypass3_Pure_Mode.exe) wrote to memory of 2524 (example.exe)
  PID 224 (Bypass3_Pure_Mode.exe) wrote to memory of 2728 (XClient.exe)
  PID 2524 (example.exe) wrote to memory of 1468 (cmd.exe)
  PID 1468 (cmd.exe) wrote to memory of 752 (certutil.exe)
  PID 1468 (cmd.exe) wrote to memory of 860 (find.exe)
  PID 1468 (cmd.exe) wrote to memory of 1312 (find.exe)
  PID 2728 (XClient.exe) wrote to memory of 2600 (powershell.exe)
  PID 2728 (XClient.exe) wrote to memory of 4180 (powershell.exe)
  PID 2728 (XClient.exe) wrote to memory of 768 (powershell.exe)
  PID 2728 (XClient.exe) wrote to memory of 4440 (powershell.exe)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\Bypass3_Pure_Mode.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Bypass3_Pure_Mode.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\example.exe
    Command line: "C:\Users\Admin\example.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\example.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\system32\certutil.exe
        Command line: certutil -hashfile "C:\Users\Admin\example.exe" MD5
      - [4] C:\Windows\system32\find.exe
        Command line: find /i /v "md5"
      - [4] C:\Windows\system32\find.exe
        Command line: find /i /v "certutil"
  - [2] C:\Users\Admin\XClient.exe
    Command line: "C:\Users\Admin\XClient.exe"
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\XClient.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\csrss.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'csrss.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 2KB
  MD5: d85ba6ff808d9e5444a4b369f5bc2730
  SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
  SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
  SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: d28a889fd956d5cb3accfbaf1143eb6f
  SHA1: 157ba54b365341f8ff06707d996b3635da8446f7
  SHA256: 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
  SHA512: 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: aeceee3981c528bdc5e1c635b65d223d
  SHA1: de9939ed37edca6772f5cdd29f6a973b36b7d31b
  SHA256: b99f3c778a047e0348c92c16e0419fa29418d10d0fec61ad8283e92a094a2b32
  SHA512: df48285f38e9284efdbd9f8d99e2e94a46fb5465953421ab88497b73ae06895b98ea5c98796560810a6f342c31a9112ea87e03cd3e267fd8518d7585f492a8fb
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: 3072fa0040b347c3941144486bf30c6f
  SHA1: e6dc84a5bd882198583653592f17af1bf8cbfc68
  SHA256: da8b533f81b342503c109e46b081b5c5296fdad5481f93fe5cc648e49ca6238e
  SHA512: 62df0eed621fe8ec340887a03d26b125429025c14ddcdfef82cb78ce1c9c6110c1d51ff0e423754d7966b6251363bf92833970eaf67707f8dd62e1549a79536c
- C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hp23rcl4.b10.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- C:\Users\Admin\XClient.exe
  Filesize: 40KB
  MD5: 7ea387ab126b2ecf3365d448a318a433
  SHA1: 71b6e05898b68ed72ca95266d6293b225c40b612
  SHA256: 573f3d316ed68ea2d4762a657dcc62416b763a8fcd1f99017f02d3ef5c215015
  SHA512: 68830f84bf9f0a9e75a999907f7e7d816f89aa745e92078f56f303edadb236e14957e0594290f297fd4c0175ae72be02542cabe974a404fe961b7ab4bf945825
- C:\Users\Admin\example.exe
  Filesize: 673KB
  MD5: 56a9b5d3e447355a8d29a2d02a00b70c
  SHA1: af802aab037d6ae208b040e4e0b629665f208394
  SHA256: 8d33c98d8aa62cbcc5d9096aa93fe073f0ee012af6cea9f19daad0d8e08d0ff1
  SHA512: c9d4de01e7c472d48ecee70777cac1f3ab3959fdb863c27096898b339e5f53e319489080ca08d3b18659ab396a16a18638fbebe06e58546ddeb2b5b5ca593081
- memory/224-1-0x0000000000700000-0x00000000007BC000-memory.dmp
  Filesize: 752KB
- memory/224-0-0x00007FF841E03000-0x00007FF841E05000-memory.dmp
  Filesize: 8KB
- memory/2600-61-0x000002215D340000-0x000002215D362000-memory.dmp
  Filesize: 136KB
- memory/2728-51-0x00007FF841E00000-0x00007FF8428C1000-memory.dmp
  Filesize: 10.8MB
- memory/2728-50-0x00007FF841E00000-0x00007FF8428C1000-memory.dmp
  Filesize: 10.8MB
- memory/2728-48-0x0000000000F40000-0x0000000000F50000-memory.dmp
  Filesize: 64KB
- memory/2728-102-0x00007FF841E00000-0x00007FF8428C1000-memory.dmp
  Filesize: 10.8MB
- memory/2728-103-0x00007FF841E00000-0x00007FF8428C1000-memory.dmp
  Filesize: 10.8MB