Analysis
max time kernel: 150s
max time network: 153s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 24-05-2024 13:07
Static task: static1
Behavioral task: behavioral1
Sample: 2721b3feda88f242a54f83dfcd50d6356ae11a4374a816790cc90c00eb990ba1.exe
Resource: win7-20240221-en
General
Target: 2721b3feda88f242a54f83dfcd50d6356ae11a4374a816790cc90c00eb990ba1.exe
Size: 724KB
MD5: 6e1e63e97c09758e3db18ea31bd95284
SHA1: 6f4a188d43122d22a14459123764a094ed56b37c
SHA256: 2721b3feda88f242a54f83dfcd50d6356ae11a4374a816790cc90c00eb990ba1
SHA512: 0708ebbc263c5f16fddb0e1e76abf30b3ff5842207f450e0892e0879f828ecf165a203f156f460ed3cb97dd85691c0f3dc2233160b98e7daf34057872c70ba23
SSDEEP: 12288:7DeaBr2968/mPSxX7UydfxMApCPuiRMfOzzH3t2zrNkjovC7Qe1RwUdaZkgsZyL:3Pp8/2Sx/xMA8miRSO3H3t8aDaXs8
Malware Config
Extracted
Family: xworm
Version: 5.0
C2: 45.141.27.41:7000
Mutex: 9ZF9ZsOZGh1T1r1n
Install_directory: %Public%
install_file: csrss.exe
Signatures

Detect Xworm Payload (2 IoCs)
  resource                                                                      yara_rule
  C:\Users\Admin\XClient.exe                                                    family_xworm
  behavioral1/memory/2640-12-0x0000000000ED0000-0x0000000000EE0000-memory.dmp   family_xworm

Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid   process
  2348  powershell.exe
  2940  powershell.exe
  944   powershell.exe
  240   powershell.exe

Drops startup file (2 IoCs)
  description                   ioc                                                                                     process
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.lnk  XClient.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.lnk  XClient.exe

Executes dropped EXE (2 IoCs)
  pid   process
  3024  example.exe
  2640  XClient.exe

Loads dropped DLL (1 IoC)
  pid   process
  1284  2721b3feda88f242a54f83dfcd50d6356ae11a4374a816790cc90c00eb990ba1.exe

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  16    ip-api.com

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid   process
  3024  example.exe (5 events)
  240   powershell.exe
  2348  powershell.exe
  2940  powershell.exe
  944   powershell.exe
  2640  XClient.exe

Suspicious use of AdjustPrivilegeToken (6 IoCs)
  description              pid   process
  Token: SeDebugPrivilege  2640  XClient.exe
  Token: SeDebugPrivilege  240   powershell.exe
  Token: SeDebugPrivilege  2348  powershell.exe
  Token: SeDebugPrivilege  2940  powershell.exe
  Token: SeDebugPrivilege  944   powershell.exe
  Token: SeDebugPrivilege  2640  XClient.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid   process
  2640  XClient.exe

Suspicious use of WriteProcessMemory (30 IoCs; each pair below was recorded 3 times)
  description                       pid   process                                                                 target process
  PID 1284 wrote to memory of 3024  1284  2721b3feda88f242a54f83dfcd50d6356ae11a4374a816790cc90c00eb990ba1.exe   example.exe
  PID 1284 wrote to memory of 2640  1284  2721b3feda88f242a54f83dfcd50d6356ae11a4374a816790cc90c00eb990ba1.exe   XClient.exe
  PID 3024 wrote to memory of 2676  3024  example.exe                                                             cmd.exe
  PID 2676 wrote to memory of 2556  2676  cmd.exe                                                                 certutil.exe
  PID 2676 wrote to memory of 2432  2676  cmd.exe                                                                 find.exe
  PID 2676 wrote to memory of 3008  2676  cmd.exe                                                                 find.exe
  PID 2640 wrote to memory of 240   2640  XClient.exe                                                             powershell.exe
  PID 2640 wrote to memory of 2348  2640  XClient.exe                                                             powershell.exe
  PID 2640 wrote to memory of 2940  2640  XClient.exe                                                             powershell.exe
  PID 2640 wrote to memory of 944   2640  XClient.exe                                                             powershell.exe
Processes

C:\Users\Admin\AppData\Local\Temp\2721b3feda88f242a54f83dfcd50d6356ae11a4374a816790cc90c00eb990ba1.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2721b3feda88f242a54f83dfcd50d6356ae11a4374a816790cc90c00eb990ba1.exe"
  PID: 1284
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\example.exe
      command line: "C:\Users\Admin\example.exe"
      PID: 3024
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\cmd.exe
          command line: C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\example.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
          PID: 2676
          - Suspicious use of WriteProcessMemory

            C:\Windows\system32\certutil.exe
              command line: certutil -hashfile "C:\Users\Admin\example.exe" MD5
              PID: 2556

            C:\Windows\system32\find.exe
              command line: find /i /v "md5"
              PID: 2432

            C:\Windows\system32\find.exe
              command line: find /i /v "certutil"
              PID: 3008

    C:\Users\Admin\XClient.exe
      command line: "C:\Users\Admin\XClient.exe"
      PID: 2640
      - Drops startup file
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\XClient.exe'
          PID: 240
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
          PID: 2348
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\csrss.exe'
          PID: 2940
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'csrss.exe'
          PID: 944
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 6da5b60c71c8fdaad2a57de6f8fd9812
  SHA1: 88836228ae15972d606c1c823f2910030e6cad8d
  SHA256: 0c02859429e0a88f99cf8adddcd1b847e0deb3a9df0f6155281833750395b4ba
  SHA512: d9ade8096a909741133d31ee84dbba6c863d38a7075949b2a399013cf07afda37f7cb9e34274800ed742676aea8cf13eaeba9d9bb155a9174bd446d254b09d2c

C:\Users\Admin\XClient.exe
  Filesize: 40KB
  MD5: 7ea387ab126b2ecf3365d448a318a433
  SHA1: 71b6e05898b68ed72ca95266d6293b225c40b612
  SHA256: 573f3d316ed68ea2d4762a657dcc62416b763a8fcd1f99017f02d3ef5c215015
  SHA512: 68830f84bf9f0a9e75a999907f7e7d816f89aa745e92078f56f303edadb236e14957e0594290f297fd4c0175ae72be02542cabe974a404fe961b7ab4bf945825

\??\PIPE\srvsvc
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

\Users\Admin\example.exe
  Filesize: 673KB
  MD5: 56a9b5d3e447355a8d29a2d02a00b70c
  SHA1: af802aab037d6ae208b040e4e0b629665f208394
  SHA256: 8d33c98d8aa62cbcc5d9096aa93fe073f0ee012af6cea9f19daad0d8e08d0ff1
  SHA512: c9d4de01e7c472d48ecee70777cac1f3ab3959fdb863c27096898b339e5f53e319489080ca08d3b18659ab396a16a18638fbebe06e58546ddeb2b5b5ca593081

memory/240-19-0x000000001B390000-0x000000001B672000-memory.dmp
  Filesize: 2.9MB

memory/240-20-0x0000000002420000-0x0000000002428000-memory.dmp
  Filesize: 32KB

memory/1284-0-0x000007FEF5783000-0x000007FEF5784000-memory.dmp
  Filesize: 4KB

memory/1284-1-0x0000000000C10000-0x0000000000CCC000-memory.dmp
  Filesize: 752KB

memory/2348-26-0x000000001B290000-0x000000001B572000-memory.dmp
  Filesize: 2.9MB

memory/2348-27-0x0000000002040000-0x0000000002048000-memory.dmp
  Filesize: 32KB

memory/2640-14-0x000007FEF5780000-0x000007FEF616C000-memory.dmp
  Filesize: 9.9MB

memory/2640-12-0x0000000000ED0000-0x0000000000EE0000-memory.dmp
  Filesize: 64KB

memory/2640-44-0x000007FEF5780000-0x000007FEF616C000-memory.dmp
  Filesize: 9.9MB