Analysis
- max time kernel: 150s
- max time network: 145s
- platform: windows11-21h2_x64
- resource: win11-20240426-en
- resource tags: arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 23-05-2024 17:29
Static task: static1
Behavioral task: behavioral1
- Sample: 2721b3feda88f242a54f83dfcd50d6356ae11a4374a816790cc90c00eb990ba1.exe
- Resource: win10v2004-20240226-en
General
- Target: 2721b3feda88f242a54f83dfcd50d6356ae11a4374a816790cc90c00eb990ba1.exe
- Size: 724KB
- MD5: 6e1e63e97c09758e3db18ea31bd95284
- SHA1: 6f4a188d43122d22a14459123764a094ed56b37c
- SHA256: 2721b3feda88f242a54f83dfcd50d6356ae11a4374a816790cc90c00eb990ba1
- SHA512: 0708ebbc263c5f16fddb0e1e76abf30b3ff5842207f450e0892e0879f828ecf165a203f156f460ed3cb97dd85691c0f3dc2233160b98e7daf34057872c70ba23
- SSDEEP: 12288:7DeaBr2968/mPSxX7UydfxMApCPuiRMfOzzH3t2zrNkjovC7Qe1RwUdaZkgsZyL:3Pp8/2Sx/xMA8miRSO3H3t8aDaXs8
Malware Config
Extracted
- Family: xworm
- Version: 5.0
- C2: 45.141.27.41:7000
- Mutex: 9ZF9ZsOZGh1T1r1n
- Install_directory: %Public%
- install_file: csrss.exe
Signatures
- Detect Xworm Payload (2 IoCs)
  Processes:
  - resource: C:\Users\Admin\XClient.exe; yara_rule: family_xworm
  - resource: behavioral2/memory/3960-49-0x0000000000FA0000-0x0000000000FB0000-memory.dmp; yara_rule: family_xworm
- Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  Processes (pid, process):
  - 3120 powershell.exe
  - 2168 powershell.exe
  - 4640 powershell.exe
  - 4912 powershell.exe
- Drops startup file (2 IoCs)
  Processes (description, ioc, process):
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.lnk (XClient.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.lnk (XClient.exe)
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
  - 3292 example.exe
  - 3960 XClient.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow, ioc):
  - 5 ip-api.com
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (19 IoCs)
  Processes (pid, process):
  - 3292 example.exe (x10)
  - 3120 powershell.exe (x2)
  - 2168 powershell.exe (x2)
  - 4640 powershell.exe (x2)
  - 4912 powershell.exe (x2)
  - 3960 XClient.exe
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes (description, pid, process):
  - Token: SeDebugPrivilege, 3960 XClient.exe
  - Token: SeDebugPrivilege, 3120 powershell.exe
  - Token: SeDebugPrivilege, 2168 powershell.exe
  - Token: SeDebugPrivilege, 4640 powershell.exe
  - Token: SeDebugPrivilege, 4912 powershell.exe
  - Token: SeDebugPrivilege, 3960 XClient.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (pid, process):
  - 3960 XClient.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes (pid, process -> target process):
  - 4368 2721b3feda88f242a54f83dfcd50d6356ae11a4374a816790cc90c00eb990ba1.exe -> 3292 example.exe (x2)
  - 4368 2721b3feda88f242a54f83dfcd50d6356ae11a4374a816790cc90c00eb990ba1.exe -> 3960 XClient.exe (x2)
  - 3292 example.exe -> 2340 cmd.exe (x2)
  - 2340 cmd.exe -> 2716 certutil.exe (x2)
  - 2340 cmd.exe -> 2232 find.exe (x2)
  - 2340 cmd.exe -> 4036 find.exe (x2)
  - 3960 XClient.exe -> 3120 powershell.exe (x2)
  - 3960 XClient.exe -> 2168 powershell.exe (x2)
  - 3960 XClient.exe -> 4640 powershell.exe (x2)
  - 3960 XClient.exe -> 4912 powershell.exe (x2)
Processes
- C:\Users\Admin\AppData\Local\Temp\2721b3feda88f242a54f83dfcd50d6356ae11a4374a816790cc90c00eb990ba1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2721b3feda88f242a54f83dfcd50d6356ae11a4374a816790cc90c00eb990ba1.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\example.exe
    Command line: "C:\Users\Admin\example.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\example.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\certutil.exe
        Command line: certutil -hashfile "C:\Users\Admin\example.exe" MD5
      - C:\Windows\system32\find.exe
        Command line: find /i /v "md5"
      - C:\Windows\system32\find.exe
        Command line: find /i /v "certutil"
  - C:\Users\Admin\XClient.exe
    Command line: "C:\Users\Admin\XClient.exe"
    - Drops startup file
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\XClient.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\csrss.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'csrss.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 2KB
  MD5: 627073ee3ca9676911bee35548eff2b8
  SHA1: 4c4b68c65e2cab9864b51167d710aa29ebdcff2e
  SHA256: 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
  SHA512: 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: d0a4a3b9a52b8fe3b019f6cd0ef3dad6
  SHA1: fed70ce7834c3b97edbd078eccda1e5effa527cd
  SHA256: 21942e513f223fdad778348fbb20617dd29f986bccd87824c0ae7f15649f3f31
  SHA512: 1a66f837b4e7fb6346d0500aeacb44902fb8a239bce23416271263eba46fddae58a17075e188ae43eb516c841e02c87e32ebd73256c7cc2c0713d00c35f1761b
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: 21017c68eaf9461301de459f4f07e888
  SHA1: 41ff30fc8446508d4c3407c79e798cf6eaa5bb73
  SHA256: 03b321e48ff3328d9c230308914961fe110c4c7bc96c0a85a296745437bcb888
  SHA512: 956990c11c6c1baa3665ef7ef23ef6073e0a7fcff77a93b5e605a83ff1e60b916d80d45dafb06977aed90868a273569a865cf2c623e295b5157bfff0fb2be35d
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: 795938d4c6e7dbca544ec4bdca81c53a
  SHA1: 0ca41665a9b6b0c3159211aed5fc595de98afb6b
  SHA256: dc400265ecb7f850894b2b648b956964d4fe75639f76bb3634a1f73c3182dbcb
  SHA512: 19d36e5b648a1d5faa7d7d67d454f0157f99a546532bcf538b1ff81b4acc126124ea937e143a49eb91dce2e657a53378b327078aaacb5c2a8c54a5249a5efff5
- C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wsi1tj4l.1hv.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- C:\Users\Admin\XClient.exe
  Filesize: 40KB
  MD5: 7ea387ab126b2ecf3365d448a318a433
  SHA1: 71b6e05898b68ed72ca95266d6293b225c40b612
  SHA256: 573f3d316ed68ea2d4762a657dcc62416b763a8fcd1f99017f02d3ef5c215015
  SHA512: 68830f84bf9f0a9e75a999907f7e7d816f89aa745e92078f56f303edadb236e14957e0594290f297fd4c0175ae72be02542cabe974a404fe961b7ab4bf945825
- C:\Users\Admin\example.exe
  Filesize: 673KB
  MD5: 56a9b5d3e447355a8d29a2d02a00b70c
  SHA1: af802aab037d6ae208b040e4e0b629665f208394
  SHA256: 8d33c98d8aa62cbcc5d9096aa93fe073f0ee012af6cea9f19daad0d8e08d0ff1
  SHA512: c9d4de01e7c472d48ecee70777cac1f3ab3959fdb863c27096898b339e5f53e319489080ca08d3b18659ab396a16a18638fbebe06e58546ddeb2b5b5ca593081
- memory/3120-59-0x00000240E3620000-0x00000240E3642000-memory.dmp
  Filesize: 136KB
- memory/3960-50-0x00007FFC63370000-0x00007FFC63E32000-memory.dmp
  Filesize: 10.8MB
- memory/3960-49-0x0000000000FA0000-0x0000000000FB0000-memory.dmp
  Filesize: 64KB
- memory/3960-97-0x00007FFC63370000-0x00007FFC63E32000-memory.dmp
  Filesize: 10.8MB
- memory/4368-0-0x00007FFC63373000-0x00007FFC63375000-memory.dmp
  Filesize: 8KB
- memory/4368-1-0x0000000000830000-0x00000000008EC000-memory.dmp
  Filesize: 752KB