Analysis
max time kernel: 150s
max time network: 153s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 23-05-2024 17:20
Static task: static1
Behavioral task: behavioral1
Sample: 6e1e63e97c09758e3db18ea31bd95284.exe
Resource: win7-20240221-en
General
Target: 6e1e63e97c09758e3db18ea31bd95284.exe
Size: 724KB
MD5: 6e1e63e97c09758e3db18ea31bd95284
SHA1: 6f4a188d43122d22a14459123764a094ed56b37c
SHA256: 2721b3feda88f242a54f83dfcd50d6356ae11a4374a816790cc90c00eb990ba1
SHA512: 0708ebbc263c5f16fddb0e1e76abf30b3ff5842207f450e0892e0879f828ecf165a203f156f460ed3cb97dd85691c0f3dc2233160b98e7daf34057872c70ba23
SSDEEP: 12288:7DeaBr2968/mPSxX7UydfxMApCPuiRMfOzzH3t2zrNkjovC7Qe1RwUdaZkgsZyL:3Pp8/2Sx/xMA8miRSO3H3t8aDaXs8
Malware Config
Extracted family: xworm
Version: 5.0
C2: 45.141.27.41:7000
9ZF9ZsOZGh1T1r1n (value shown without a field name in the extracted config)
Install_directory: %Public%
install_file: csrss.exe
Signatures

Detect Xworm Payload (2 IoCs)
  resource                                                                      yara_rule
  C:\Users\Admin\XClient.exe                                                    family_xworm
  behavioral1/memory/1820-12-0x0000000000F30000-0x0000000000F40000-memory.dmp   family_xworm

Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)
Runs PowerShell to modify Windows Defender settings by adding exclusions (file extensions, paths, or processes). In this run there are two path exclusions and two process exclusions; see the process tree below.
  pid   process
  1164  powershell.exe
  2404  powershell.exe
  2456  powershell.exe
  2532  powershell.exe

Drops startup file (2 IoCs)
  description                    ioc                                                                                       process
  File created                   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.lnk    XClient.exe
  File opened for modification   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.lnk    XClient.exe

Executes dropped EXE (2 IoCs)
  pid   process
  2236  example.exe
  1820  XClient.exe

Loads dropped DLL (1 IoC)
  pid   process
  1664  6e1e63e97c09758e3db18ea31bd95284.exe

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  16    ip-api.com

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid   process
  2236  example.exe (listed 5 times)
  1164  powershell.exe
  2404  powershell.exe
  2456  powershell.exe
  2532  powershell.exe
  1820  XClient.exe

Suspicious use of AdjustPrivilegeToken (6 IoCs)
  description                pid   process
  Token: SeDebugPrivilege    1820  XClient.exe
  Token: SeDebugPrivilege    1164  powershell.exe
  Token: SeDebugPrivilege    2404  powershell.exe
  Token: SeDebugPrivilege    2456  powershell.exe
  Token: SeDebugPrivilege    2532  powershell.exe
  Token: SeDebugPrivilege    1820  XClient.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid   process
  1820  XClient.exe

Suspicious use of WriteProcessMemory (30 IoCs)
Every parent-to-child write below is listed three times in the report, so the 30 entries reduce to the following ten distinct edges:
  description                        pid   process                                target process
  PID 1664 wrote to memory of 2236   1664  6e1e63e97c09758e3db18ea31bd95284.exe   example.exe     (x3)
  PID 1664 wrote to memory of 1820   1664  6e1e63e97c09758e3db18ea31bd95284.exe   XClient.exe     (x3)
  PID 2236 wrote to memory of 1204   2236  example.exe                            cmd.exe         (x3)
  PID 1204 wrote to memory of 1532   1204  cmd.exe                                certutil.exe    (x3)
  PID 1204 wrote to memory of 1636   1204  cmd.exe                                find.exe        (x3)
  PID 1204 wrote to memory of 1124   1204  cmd.exe                                find.exe        (x3)
  PID 1820 wrote to memory of 1164   1820  XClient.exe                            powershell.exe  (x3)
  PID 1820 wrote to memory of 2404   1820  XClient.exe                            powershell.exe  (x3)
  PID 1820 wrote to memory of 2456   1820  XClient.exe                            powershell.exe  (x3)
  PID 1820 wrote to memory of 2532   1820  XClient.exe                            powershell.exe  (x3)
Processes
Process tree (indentation shows parent/child depth; each entry gives the image, its command line, and the signatures it triggered):

C:\Users\Admin\AppData\Local\Temp\6e1e63e97c09758e3db18ea31bd95284.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6e1e63e97c09758e3db18ea31bd95284.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\example.exe
      Command line: "C:\Users\Admin\example.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\example.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
          - Suspicious use of WriteProcessMemory

            C:\Windows\system32\certutil.exe
              Command line: certutil -hashfile "C:\Users\Admin\example.exe" MD5

            C:\Windows\system32\find.exe
              Command line: find /i /v "md5"

            C:\Windows\system32\find.exe
              Command line: find /i /v "certutil"

    C:\Users\Admin\XClient.exe
      Command line: "C:\Users\Admin\XClient.exe"
      - Drops startup file
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\XClient.exe'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\csrss.exe'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'csrss.exe'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
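The extracted config (install directory %Public%, install file csrss.exe, C2 45.141.27.41:7000) and the process tree (four Add-MpPreference exclusions, a certutil self-hash piped through two find /v filters, the csrss.lnk startup drop) are enough to write a small host-side detector. The block below is an added example; it is not part of the sandbox report and not XWorm's own code. It derives file, startup and network indicators from the config values above, then runs three rules over constructed endpoint events: the command lines are copied from the process tree, the file event mirrors the "Drops startup file" signature, and the two network events are invented to exercise the C2 rule (the report records no C2 connection; 198.51.100.7 is a TEST-NET placeholder standing in for the ip-api.com lookup). The %Public% and %APPDATA% expansions, the Event schema, and the assumption that the .lnk takes the install file's base name (the one instance shown is csrss.exe to csrss.lnk) are all assumptions of the example.

```python
"""Derive IoCs from the extracted XWorm config and scan constructed endpoint events.
Added example: not from the sandbox report or from XWorm. Assumptions are marked."""
import ntpath
import re
from dataclasses import dataclass

# Copied from the "Malware Config" section of the report.
XWORM_CONFIG = {"c2": "45.141.27.41:7000", "install_directory": "%Public%", "install_file": "csrss.exe"}

# Assumed expansions for the sandbox user (Admin) seen in the process tree.
ENV = {"Public": r"C:\Users\Public", "APPDATA": r"C:\Users\Admin\AppData\Roaming"}
STARTUP_DIR = r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup"


def expand_env(s: str) -> str:
    """Expand %VAR% tokens from ENV; unknown variables are left as written."""
    return re.sub(r"%([^%]+)%", lambda m: ENV.get(m.group(1), m.group(0)), s)


def derive_iocs(cfg: dict) -> dict:
    """Host/network indicators implied by the config. Assumes the startup .lnk
    takes the install file's base name, as the report shows for csrss.exe."""
    install_path = ntpath.join(expand_env(cfg["install_directory"]), cfg["install_file"])
    lnk_name = ntpath.splitext(cfg["install_file"])[0] + ".lnk"
    host, port = cfg["c2"].rsplit(":", 1)
    return {
        "install_path": install_path.lower(),
        "startup_lnk": ntpath.join(expand_env(STARTUP_DIR), lnk_name).lower(),
        "c2_host": host,
        "c2_port": int(port),
    }


@dataclass
class Event:
    kind: str    # "process": detail is the command line; "file": a path; "network": host:port
    image: str   # process image that produced the event
    detail: str


# Defender exclusion added from the command line; value may be single-, double- or un-quoted.
ADD_MP_RE = re.compile(
    r"add-mppreference\b.*?-(exclusionpath|exclusionprocess|exclusionextension)\s+"
    r"(?:'([^']*)'|\"([^\"]*)\"|(\S+))", re.I)
# certutil used as a hashing tool, optionally with its header lines filtered out by find /v.
CERTUTIL_RE = re.compile(r"certutil(?:\.exe)?\s+-hashfile\s+(?:\"([^\"]+)\"|(\S+))", re.I)
FIND_FILTER_RE = re.compile(r"\|\s*find(?:str)?(?:\.exe)?\s+(?:/\w+\s+)*/v\b", re.I)


def scan(events, iocs):
    """Return one alert dict per matching event."""
    alerts = []
    install_base = ntpath.basename(iocs["install_path"])
    for ev in events:
        if ev.kind == "process":
            for m in ADD_MP_RE.finditer(ev.detail):
                value = next(g for g in m.groups()[1:] if g is not None)
                rule = "defender_exclusion"
                if value.lower() in (iocs["install_path"], install_base):  # exclusion covers the configured install path
                    rule = "defender_exclusion_for_config_install_path"
                alerts.append({"rule": rule, "image": ev.image, "exclusion": m.group(1).lower(), "value": value})
            m = CERTUTIL_RE.search(ev.detail)
            if m:
                rule = "certutil_hashfile_filtered" if FIND_FILTER_RE.search(ev.detail) else "certutil_hashfile"
                alerts.append({"rule": rule, "image": ev.image, "value": m.group(1) or m.group(2)})
        elif ev.kind == "file" and ev.detail.lower() in (iocs["install_path"], iocs["startup_lnk"]):
            alerts.append({"rule": "xworm_install_artifact", "image": ev.image, "value": ev.detail})
        elif ev.kind == "network":
            host, _, port = ev.detail.rpartition(":")
            if host == iocs["c2_host"] and port.isdigit() and int(port) == iocs["c2_port"]:
                alerts.append({"rule": "xworm_c2", "image": ev.image, "value": ev.detail})
    return alerts


PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PS = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass '

# Constructed events: command lines as in the process tree; the file event mirrors the
# "Drops startup file" signature; both network events are invented (no C2 traffic in the report,
# and 198.51.100.7 is a TEST-NET placeholder for the ip-api.com lookup).
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\system32\cmd.exe",
          r'C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\example.exe" MD5 '
          r'| find /i /v "md5" | find /i /v "certutil"'),
    Event("process", PS_IMAGE, PS + r"Add-MpPreference -ExclusionPath 'C:\Users\Admin\XClient.exe'"),
    Event("process", PS_IMAGE, PS + r"Add-MpPreference -ExclusionProcess 'XClient.exe'"),
    Event("process", PS_IMAGE, PS + r"Add-MpPreference -ExclusionPath 'C:\Users\Public\csrss.exe'"),
    Event("process", PS_IMAGE, PS + r"Add-MpPreference -ExclusionProcess 'csrss.exe'"),
    Event("file", r"C:\Users\Admin\XClient.exe",
          r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.lnk"),
    Event("network", r"C:\Users\Admin\XClient.exe", "45.141.27.41:7000"),
    Event("network", r"C:\Users\Admin\XClient.exe", "198.51.100.7:80"),
]

if __name__ == "__main__":
    iocs = derive_iocs(XWORM_CONFIG)
    for name, value in iocs.items():
        print(f"{name:13} {value}")
    for alert in scan(SAMPLE_EVENTS, iocs):
        print(alert)
```

The correlation step matters more than the regexes: an Add-MpPreference exclusion on its own is noisy in administered fleets, but an exclusion whose target equals the path or file name a sandbox extracted from the sample's config is a high-confidence hit, and the same comparison flags the second pair of exclusions here even though csrss.exe had not yet been written to %Public% when they ran.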
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: e8ca28d2728d612e971839a3532d9be5
  SHA1: c7b547c63f954d0e5b6f6b6374170538c3bc6364
  SHA256: f2261ee53514b15491fd112bd1e9df96df3fdcc75e42dad3292704bfce671ce6
  SHA512: 618f62067ed08c9530e5679cfcb6cf6dc1746fa183474ebed48e388925e54712eba528effb5f2db69fa162acdf16e3bf4d61c093b044df02b277b339c8a55551

C:\Users\Admin\XClient.exe
  Filesize: 40KB
  MD5: 7ea387ab126b2ecf3365d448a318a433
  SHA1: 71b6e05898b68ed72ca95266d6293b225c40b612
  SHA256: 573f3d316ed68ea2d4762a657dcc62416b763a8fcd1f99017f02d3ef5c215015
  SHA512: 68830f84bf9f0a9e75a999907f7e7d816f89aa745e92078f56f303edadb236e14957e0594290f297fd4c0175ae72be02542cabe974a404fe961b7ab4bf945825

\??\PIPE\srvsvc
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
  (All four are the digests of zero-length input: the named-pipe capture contains no data and these hashes are not usable as indicators.)

\Users\Admin\example.exe
  Filesize: 673KB
  MD5: 56a9b5d3e447355a8d29a2d02a00b70c
  SHA1: af802aab037d6ae208b040e4e0b629665f208394
  SHA256: 8d33c98d8aa62cbcc5d9096aa93fe073f0ee012af6cea9f19daad0d8e08d0ff1
  SHA512: c9d4de01e7c472d48ecee70777cac1f3ab3959fdb863c27096898b339e5f53e319489080ca08d3b18659ab396a16a18638fbebe06e58546ddeb2b5b5ca593081

Memory dumps (file, size):
  memory/1164-21-0x0000000002060000-0x0000000002068000-memory.dmp   32KB
  memory/1164-20-0x000000001B3A0000-0x000000001B682000-memory.dmp   2.9MB
  memory/1664-0-0x000007FEF64E3000-0x000007FEF64E4000-memory.dmp    4KB
  memory/1664-1-0x0000000001360000-0x000000000141C000-memory.dmp    752KB
  memory/1820-14-0x000007FEF64E0000-0x000007FEF6ECC000-memory.dmp   9.9MB
  memory/1820-15-0x000007FEF64E0000-0x000007FEF6ECC000-memory.dmp   9.9MB
  memory/1820-12-0x0000000000F30000-0x0000000000F40000-memory.dmp   64KB
  memory/1820-44-0x000007FEF64E0000-0x000007FEF6ECC000-memory.dmp   9.9MB
  memory/1820-45-0x000007FEF64E0000-0x000007FEF6ECC000-memory.dmp   9.9MB
  memory/2404-27-0x000000001B310000-0x000000001B5F2000-memory.dmp   2.9MB
  memory/2404-28-0x0000000002390000-0x0000000002398000-memory.dmp   32KB