Analysis
max time kernel: 127s
max time network: 154s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 24-05-2024 08:23
Behavioral task: behavioral1
Sample: lunarium.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: lunarium.exe
Resource: win10v2004-20240508-en
General
Target: lunarium.exe
Size: 150KB
MD5: d5c26e12be6264033efd9e5e0662a953
SHA1: e4570cecc53e5e916c06e38c62221f27af7a1225
SHA256: 28c951715ea1f1e20db6e2694c8b9676837190d4ff1c49c6c9f7cb41b899a91b
SHA512: adbb48ebda59c9b804ddaf4561a0679436987d6deef883d632f0eeb30adbc9c812f09eeefbbaef013f3139a5b6e3665af276a283c5ef73031861b49d01136b55
SSDEEP: 3072:Ahd295oBFr9DnO/nk4NpVq8BxFRzaqF+o2GQJ7/JzqVfGvM:AaLonr9jgVqwlL
Malware Config
Extracted
xworm
5.0
p-never.gl.at.ply.gg:57388
EKx5toUcZoEkFlZt
Install_directory: %AppData%
install_file: svchost.exe
Signatures

Detect Xworm Payload (4 IoCs)
Processes (resource, yara_rule):
- behavioral1/memory/2256-1-0x00000000002C0000-0x00000000002EC000-memory.dmp: family_xworm
- C:\Users\Admin\AppData\Roaming\svchost.exe: family_xworm
- behavioral1/memory/2492-37-0x00000000010A0000-0x00000000010CC000-memory.dmp: family_xworm
- behavioral1/memory/3048-46-0x0000000001120000-0x000000000114C000-memory.dmp: family_xworm
Command and Scripting Interpreter: PowerShell (1 TTPs, 4 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes (pid, process):
- 2744 powershell.exe
- 2580 powershell.exe
- 2392 powershell.exe
- 2096 powershell.exe
Drops startup file (2 IoCs)
Processes (description, ioc, process):
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk (lunarium.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk (lunarium.exe)
Executes dropped EXE (2 IoCs)
Processes (pid, process):
- 2492 svchost.exe
- 3048 svchost.exe

Loads dropped DLL (1 IoCs)
Processes (pid, process):
- 2256 lunarium.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes (description, ioc, process):
- Set value (str): \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" (lunarium.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes (pid, process):
- 2096 powershell.exe
- 2744 powershell.exe
- 2580 powershell.exe
- 2392 powershell.exe
Suspicious use of AdjustPrivilegeToken (12 IoCs)
Processes (description, pid, process):
- Token: SeDebugPrivilege, 2256 lunarium.exe
- Token: SeDebugPrivilege, 2096 powershell.exe
- Token: SeDebugPrivilege, 2744 powershell.exe
- Token: SeDebugPrivilege, 2580 powershell.exe
- Token: SeDebugPrivilege, 2392 powershell.exe
- Token: SeDebugPrivilege, 2256 lunarium.exe
- Token: SeDebugPrivilege, 2492 svchost.exe
- Token: 33, 240 AUDIODG.EXE
- Token: SeIncBasePriorityPrivilege, 240 AUDIODG.EXE
- Token: 33, 240 AUDIODG.EXE
- Token: SeIncBasePriorityPrivilege, 240 AUDIODG.EXE
- Token: SeDebugPrivilege, 3048 svchost.exe
Suspicious use of WriteProcessMemory (21 IoCs)
Processes (description, pid, process, target process):
- PID 2256 (lunarium.exe) wrote to memory of 2096 (powershell.exe)
- PID 2256 (lunarium.exe) wrote to memory of 2096 (powershell.exe)
- PID 2256 (lunarium.exe) wrote to memory of 2096 (powershell.exe)
- PID 2256 (lunarium.exe) wrote to memory of 2744 (powershell.exe)
- PID 2256 (lunarium.exe) wrote to memory of 2744 (powershell.exe)
- PID 2256 (lunarium.exe) wrote to memory of 2744 (powershell.exe)
- PID 2256 (lunarium.exe) wrote to memory of 2580 (powershell.exe)
- PID 2256 (lunarium.exe) wrote to memory of 2580 (powershell.exe)
- PID 2256 (lunarium.exe) wrote to memory of 2580 (powershell.exe)
- PID 2256 (lunarium.exe) wrote to memory of 2392 (powershell.exe)
- PID 2256 (lunarium.exe) wrote to memory of 2392 (powershell.exe)
- PID 2256 (lunarium.exe) wrote to memory of 2392 (powershell.exe)
- PID 2256 (lunarium.exe) wrote to memory of 2820 (schtasks.exe)
- PID 2256 (lunarium.exe) wrote to memory of 2820 (schtasks.exe)
- PID 2256 (lunarium.exe) wrote to memory of 2820 (schtasks.exe)
- PID 3020 (taskeng.exe) wrote to memory of 2492 (svchost.exe)
- PID 3020 (taskeng.exe) wrote to memory of 2492 (svchost.exe)
- PID 3020 (taskeng.exe) wrote to memory of 2492 (svchost.exe)
- PID 3020 (taskeng.exe) wrote to memory of 3048 (svchost.exe)
- PID 3020 (taskeng.exe) wrote to memory of 3048 (svchost.exe)
- PID 3020 (taskeng.exe) wrote to memory of 3048 (svchost.exe)
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

- C:\Users\Admin\AppData\Local\Temp\lunarium.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\lunarium.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  Child process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\lunarium.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

  Child process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'lunarium.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

  Child process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

  Child process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

  Child process: C:\Windows\System32\schtasks.exe
  Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
  - Creates scheduled task(s)

- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {641AA99F-2CE0-4AF3-B2BC-925207929ACB} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory

  Child process: C:\Users\Admin\AppData\Roaming\svchost.exe
  Command line: C:\Users\Admin\AppData\Roaming\svchost.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

  Child process: C:\Users\Admin\AppData\Roaming\svchost.exe
  Command line: C:\Users\Admin\AppData\Roaming\svchost.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0xd4
  - Suspicious use of AdjustPrivilegeToken
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (Filesize 7KB)
- C:\Users\Admin\AppData\Roaming\svchost.exe (Filesize 150KB)
- \??\PIPE\srvsvc
- \Users\Admin\AppData\Local\Temp\tmp3958.tmp (Filesize 100KB)