Analysis
- max time kernel: 149s
- max time network: 144s
- platform: windows7_x64
- resource: win7-20240215-en
- resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
- submitted: 24-05-2024 19:00
- Static task: static1
- Behavioral task: behavioral1
- Sample: OverwolfXclient.exe
- Resource: win7-20240215-en
General
- Target: OverwolfXclient.exe
- Size: 1.2MB
- MD5: c08106fd9c5999388d5e541743d45d5b
- SHA1: 571f4333cd757db2870e2459724b545e43ffcc11
- SHA256: 8d4e23ba1ce9eab2340bad5e14111dc565bbe8de53653375ac3806f448dcc0ac
- SHA512: 65c2e544e88b63e8d1216731be75f0407784d620af1b2dfa649eb87e9e6408ffa43a3697a94c8d4cf6cc9f8dfc83a0a824397ac75bbdde9fe3440802117e8261
- SSDEEP: 24576:908rin0gKu22AcpyGCcCBSrikukOqk344WIGu31rg:908rin0gKu22AcpyGC9kTOK4WIGWg
Malware Config
Extracted
- Family: xworm
- Version: 5.0
- C2: 127.0.0.1:7777
- C2: 45.145.41.147:7777
- 5N4ZirqATbPp1e8c
- Install_directory: %ProgramData%
- install_file: WinBackup.exe
Signatures
- Detect Xworm Payload (5 IoCs)
  Processes (resource / yara_rule):
  - behavioral1/memory/2972-9-0x0000000000400000-0x0000000000412000-memory.dmp  family_xworm
  - behavioral1/memory/2972-7-0x0000000000400000-0x0000000000412000-memory.dmp  family_xworm
  - behavioral1/memory/2972-6-0x0000000000400000-0x0000000000412000-memory.dmp  family_xworm
  - behavioral1/memory/2972-13-0x0000000000400000-0x0000000000412000-memory.dmp  family_xworm
  - behavioral1/memory/2972-11-0x0000000000400000-0x0000000000412000-memory.dmp  family_xworm
- Command and Scripting Interpreter: PowerShell (1 TTPs, 4 IoCs)
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  Processes (pid / process):
  - 2700  powershell.exe
  - 2948  powershell.exe
  - 2464  powershell.exe
  - 2860  powershell.exe
- Drops startup file (3 IoCs)
  Processes (description / ioc / process):
  - File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinBackup.lnk  MSBuild.exe
  - File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk  OverwolfXclient.exe
  - File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinBackup.lnk  MSBuild.exe
- Executes dropped EXE (2 IoCs)
  Processes (pid / process):
  - 2208  WinBackup.exe
  - 1280  WinBackup.exe
- Loads dropped DLL (1 IoCs)
  Processes (pid / process):
  - 2972  MSBuild.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description / ioc / process):
  - Set value (str)  \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinBackup = "C:\\ProgramData\\WinBackup.exe"  MSBuild.exe
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow / ioc):
  - 4  ip-api.com
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description / pid / process / target process):
  - PID 1728 set thread context of 2972  1728  OverwolfXclient.exe  MSBuild.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes (pid / process):
  - 2700  powershell.exe
  - 2948  powershell.exe
  - 2464  powershell.exe
  - 2860  powershell.exe
  - 2972  MSBuild.exe
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes (description / pid / process):
  - Token: SeDebugPrivilege  2972  MSBuild.exe
  - Token: SeDebugPrivilege  2700  powershell.exe
  - Token: SeDebugPrivilege  2948  powershell.exe
  - Token: SeDebugPrivilege  2464  powershell.exe
  - Token: SeDebugPrivilege  2860  powershell.exe
  - Token: SeDebugPrivilege  2972  MSBuild.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes (pid / process):
  - 2972  MSBuild.exe
- Suspicious use of WriteProcessMemory (37 IoCs)
  Processes (description / pid / process / target process), identical rows collapsed with their count:
  - PID 1728 wrote to memory of 2972  1728  OverwolfXclient.exe  MSBuild.exe  (9 entries)
  - PID 2972 wrote to memory of 2700  2972  MSBuild.exe  powershell.exe  (4 entries)
  - PID 2972 wrote to memory of 2948  2972  MSBuild.exe  powershell.exe  (4 entries)
  - PID 2972 wrote to memory of 2464  2972  MSBuild.exe  powershell.exe  (4 entries)
  - PID 2972 wrote to memory of 2860  2972  MSBuild.exe  powershell.exe  (4 entries)
  - PID 2972 wrote to memory of 2272  2972  MSBuild.exe  schtasks.exe  (4 entries)
  - PID 1236 wrote to memory of 2208  1236  taskeng.exe  WinBackup.exe  (4 entries)
  - PID 1236 wrote to memory of 1280  1236  taskeng.exe  WinBackup.exe  (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\OverwolfXclient.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\OverwolfXclient.exe"
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 1728
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    - Drops startup file
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 2972
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2700
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'MSBuild.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2948
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\WinBackup.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2464
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WinBackup.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2860
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WinBackup" /tr "C:\ProgramData\WinBackup.exe"
      - Creates scheduled task(s)
      PID: 2272
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {FA9D67B9-79C1-4583-B659-182EB674FF5C} S-1-5-21-2248906074-2862704502-246302768-1000:GHPZRGFC\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  PID: 1236
  - C:\ProgramData\WinBackup.exe
    Command line: C:\ProgramData\WinBackup.exe
    - Executes dropped EXE
    PID: 2208
  - C:\ProgramData\WinBackup.exe
    Command line: C:\ProgramData\WinBackup.exe
    - Executes dropped EXE
    PID: 1280
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 760d628fc33b0a00eb974d997aa3140a
  SHA1: d674de77e743b08946fbd69c98a24a8f2b2b5219
  SHA256: 8f43184ed5e132d460d58c5021489b27ced490d5c975fb047315ad6cee96fb08
  SHA512: bb901272c6bac95c9eb027fbcc9dfa9627636ee2f51cae23e8bf5e8c04fc85a8dcb2284af6e96c29bf7e869c360df4fec6a98e15c91ad556ba35a590063e1cb3
- \??\PIPE\srvsvc
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- \ProgramData\WinBackup.exe
  Filesize: 255KB
  MD5: 9af17c8393f0970ee5136bd3ffa27001
  SHA1: 4b285b72c1a11285a25f31f2597e090da6bbc049
  SHA256: 71d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019
  SHA512: b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3
- memory/1280-47-0x00000000000E0000-0x0000000000120000-memory.dmp
  Filesize: 256KB
- memory/1728-1-0x0000000000D40000-0x0000000000E7A000-memory.dmp
  Filesize: 1.2MB
- memory/1728-3-0x00000000052F0000-0x00000000053A6000-memory.dmp
  Filesize: 728KB
- memory/1728-0-0x000000007483E000-0x000000007483F000-memory.dmp
  Filesize: 4KB
- memory/2208-44-0x00000000010D0000-0x0000000001110000-memory.dmp
  Filesize: 256KB
- memory/2972-9-0x0000000000400000-0x0000000000412000-memory.dmp
  Filesize: 72KB
- memory/2972-13-0x0000000000400000-0x0000000000412000-memory.dmp
  Filesize: 72KB
- memory/2972-11-0x0000000000400000-0x0000000000412000-memory.dmp
  Filesize: 72KB
- memory/2972-14-0x0000000074830000-0x0000000074F1E000-memory.dmp
  Filesize: 6.9MB
- memory/2972-15-0x0000000074830000-0x0000000074F1E000-memory.dmp
  Filesize: 6.9MB
- memory/2972-6-0x0000000000400000-0x0000000000412000-memory.dmp
  Filesize: 72KB
- memory/2972-5-0x0000000000400000-0x0000000000412000-memory.dmp
  Filesize: 72KB
- memory/2972-7-0x0000000000400000-0x0000000000412000-memory.dmp
  Filesize: 72KB
- memory/2972-40-0x0000000074830000-0x0000000074F1E000-memory.dmp
  Filesize: 6.9MB
- memory/2972-41-0x0000000074830000-0x0000000074F1E000-memory.dmp
  Filesize: 6.9MB
- memory/2972-8-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
  Filesize: 4KB
- memory/2972-4-0x0000000000400000-0x0000000000412000-memory.dmp
  Filesize: 72KB