Analysis

Max time kernel: 149s
Max time network: 147s
Platform: windows7_x64
Resource: win7-20240419-en
Resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
Submitted: 24-05-2024 19:05
Behavioral task behavioral1: sample Mode.exe, resource win7-20240419-en
Behavioral task behavioral2: sample Mode.exe, resource win10v2004-20240508-en

The signatures, process tree and memory dumps below are from behavioral1 (Windows 7 x64); no behavioral2 results appear on this page.
General

Target: Mode.exe
Size: 45KB
MD5: 692bb1be0c680ec225c34bd446ead322
SHA1: 813345d33a051c297f342ae668e7a32b3e40837b
SHA256: 3242b26e5d8ebbe6993b03288ae30e5dfc7f0d93f06d8b4a225c184f24bd3034
SHA512: 2818761e76ad5f7aaf933a857d96d7080ea91653624d923b965c07e224b629b453f5f93c64880a4c9b1f2d55cfff97254c843160c97c169e7437912b80cd04ec
SSDEEP: 768:CurlDweV3OOVbADM9W1v9NfgkBpuAuREcNclYlVvD4xeVhKfkeLbFEPa9pvp16i4:CADweQKADMkV9GkSAcRaelZrO1/FJ9Nw
Malware Config

Extracted family: xworm
Version: 5.0
C2: 5.tcp.eu.ngrok.io:17399
Config string (shown unlabelled in the extracted config): RxBZSfahWZHZu4kD
Install_directory: %AppData%
install_file: svhost.exe

The C2 is an ngrok TCP tunnel, so the hostname and port are assigned by ngrok and hide the operator's real address; they can be rotated at no cost, which makes a block on 5.tcp.eu.ngrok.io:17399 alone brittle. Alerting on any *.tcp.*.ngrok.io resolution from endpoints that have no business using ngrok is the more durable control.
Signatures

Detect Xworm Payload (5 IoCs)
The family_xworm YARA rule matched the dropped file and the in-memory image of every process in the chain:
- behavioral1/memory/2208-1-0x0000000001000000-0x0000000001012000-memory.dmp (Mode.exe)
- C:\Users\Admin\AppData\Roaming\svhost.exe
- behavioral1/memory/1316-36-0x0000000001350000-0x0000000001362000-memory.dmp (svhost.exe)
- behavioral1/memory/700-39-0x0000000000110000-0x0000000000122000-memory.dmp (svhost.exe)
- behavioral1/memory/1328-41-0x00000000011F0000-0x0000000001202000-memory.dmp (svhost.exe)
Each matched region is 0x12000 bytes (72KB); the same regions are listed as memory dumps under Downloads.

Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths and processes. In this run only -ExclusionPath and -ExclusionProcess are used, once each for Mode.exe and for the dropped svhost.exe. Add-MpPreference requires administrative rights; on a non-admin account the calls fail, but the attempt is still visible in process-creation and PowerShell logging.
Processes: 2976 powershell.exe, 2864 powershell.exe, 2552 powershell.exe, 2264 powershell.exe

Drops startup file (2 IoCs)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk (Mode.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk (Mode.exe)

Executes dropped EXE (3 IoCs)
Processes: 1316 svhost.exe, 700 svhost.exe, 1328 svhost.exe

Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\Users\\Admin\\AppData\\Roaming\\svhost.exe" (Mode.exe)
Together with the Startup .lnk and the scheduled task below, the implant has three independent persistence paths; removing only one does not disinfect the host.

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 4 IoCs)
Flows 6, 9, 11 and 19: 5.tcp.eu.ngrok.io

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Flow 4: ip-api.com

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution. Here schtasks.exe (PID 2728) creates the task "svhost" with /sc minute /mo 1 /RL HIGHEST, re-launching C:\Users\Admin\AppData\Roaming\svhost.exe every minute at the highest privilege level available to the user.

Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes: 2976 powershell.exe, 2864 powershell.exe, 2552 powershell.exe, 2264 powershell.exe, 2208 Mode.exe

Suspicious use of AdjustPrivilegeToken (9 IoCs)
SeDebugPrivilege enabled by: 2208 Mode.exe (twice), 2976 powershell.exe, 2864 powershell.exe, 2552 powershell.exe, 2264 powershell.exe, 1316 svhost.exe, 700 svhost.exe, 1328 svhost.exe

Suspicious use of SetWindowsHookEx (1 IoC)
Processes: 2208 Mode.exe
SetWindowsHookEx is the API used to install keyboard hooks; the report records only the call, not the hook type.

Suspicious use of WriteProcessMemory (24 IoCs)
Each parent-to-child pair below is recorded three times (8 distinct pairs):
- 2208 Mode.exe -> 2976 powershell.exe
- 2208 Mode.exe -> 2864 powershell.exe
- 2208 Mode.exe -> 2552 powershell.exe
- 2208 Mode.exe -> 2264 powershell.exe
- 2208 Mode.exe -> 2728 schtasks.exe
- 2744 taskeng.exe -> 1316 svhost.exe
- 2744 taskeng.exe -> 700 svhost.exe
- 2744 taskeng.exe -> 1328 svhost.exe

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\Mode.exe (PID 2208)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Mode.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2976)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Mode.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2864)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Mode.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2552)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svhost.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2264)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\schtasks.exe (PID 2728)
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\svhost.exe"
    - Creates scheduled task(s)

C:\Windows\system32\taskeng.exe (PID 2744)
  Command line: taskeng.exe {9FF045FB-A57B-42BF-A970-24A803A313D5} S-1-5-21-481678230-3773327859-3495911762-1000:UIBNQNMA\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\svhost.exe (PID 1316)
    Command line: C:\Users\Admin\AppData\Roaming\svhost.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Roaming\svhost.exe (PID 700)
    Command line: C:\Users\Admin\AppData\Roaming\svhost.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Roaming\svhost.exe (PID 1328)
    Command line: C:\Users\Admin\AppData\Roaming\svhost.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

taskeng.exe is the Windows 7 task engine host, so the three svhost.exe launches under it within the 149 s run are the one-minute "svhost" task firing; that is also why each svhost.exe instance carries its own family_xworm memory match. The sample itself never spawns svhost.exe directly.
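The chain above (Defender exclusions added through Add-MpPreference, a one-minute scheduled task created with /RL HIGHEST pointing into %AppData%, a binary whose name is one character off svchost.exe, an ngrok TCP tunnel and an ip-api.com lookup) is what a host or SIEM rule has to catch. The script below is an added example and is not code from the sandbox or from this report: it replays the report's process tree and flow list as constructed records, applies those checks, and groups each hit under the root of its process tree. The record layout (pid, ppid, image, cmdline), the ngrok hostname pattern, the extra IP-lookup hosts and the list of system binary names are assumptions made for the example.

```python
"""Triage of the process tree and network flows recorded in the report.

Added example, not the sandbox's own detection logic. EVENTS and FLOWS
are constructed from the report's process tree and flow list; the record
layout (pid, ppid, image, cmdline) is an assumption about a normalised
process-creation log such as Sysmon event 1 or Windows event 4688.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
MODE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Mode.exe"
SVHOST = "C:\\Users\\Admin\\AppData\\Roaming\\svhost.exe"
SCHTASKS = "C:\\Windows\\System32\\schtasks.exe"

# Constructed from the report. ppid 0 marks a tree root as the report shows it.
EVENTS = [
    ProcEvent(2208, 0, MODE, f"\"{MODE}\""),
    ProcEvent(2976, 2208, PS, f"\"{PS}\" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath '{MODE}'"),
    ProcEvent(2864, 2208, PS, f"\"{PS}\" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Mode.exe'"),
    ProcEvent(2552, 2208, PS, f"\"{PS}\" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath '{SVHOST}'"),
    ProcEvent(2264, 2208, PS, f"\"{PS}\" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'"),
    ProcEvent(2728, 2208, SCHTASKS,
              f"\"{SCHTASKS}\" /create /f /RL HIGHEST /sc minute /mo 1 /tn \"svhost\" /tr \"{SVHOST}\""),
    ProcEvent(2744, 0, "C:\\Windows\\system32\\taskeng.exe", "taskeng.exe {9FF045FB-A57B-42BF-A970-24A803A313D5}"),
    ProcEvent(1316, 2744, SVHOST, SVHOST),
    ProcEvent(700, 2744, SVHOST, SVHOST),
    ProcEvent(1328, 2744, SVHOST, SVHOST),
]
FLOWS = ["ip-api.com", "5.tcp.eu.ngrok.io", "5.tcp.eu.ngrok.io"]  # DNS names from the report's flow list

DEFENDER_EXCLUSION = re.compile(
    r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)\s+(?:'([^']*)'|\"([^\"]*)\"|(\S+))", re.I)
# Locations an unprivileged user can write to; a task action or binary here is attacker-controlled.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(?:AppData|Downloads|Desktop)\\|\\Temp\\", re.I)
# Assumption: ngrok TCP tunnel endpoints look like N.tcp.ngrok.io or N.tcp.<region>.ngrok.io.
NGROK_TCP = re.compile(r"^\d+\.tcp(?:\.[a-z]{2})?\.ngrok\.io$", re.I)
# ip-api.com is from the report; the other hosts are common lookup services added as an assumption.
IP_LOOKUP_HOSTS = {"ip-api.com", "api.ipify.org", "ifconfig.me", "icanhazip.com"}
SYSTEM_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe", "explorer.exe", "conhost.exe"}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _schtasks_opt(cmd: str, name: str):
    """Value of a schtasks /name option, with surrounding double quotes removed."""
    m = re.search(r"/%s\s+(?:\"([^\"]*)\"|(\S+))" % name, cmd, re.I)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def _one_edit_away(a: str, b: str) -> bool:
    """True if a and b differ by exactly one substitution, insertion or deletion."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    short, long_ = sorted((a, b), key=len)
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))


def check_process(ev: ProcEvent) -> list:
    """Return (rule, detail) findings for one process-creation event."""
    findings = []
    name = _basename(ev.image)
    if name == "powershell.exe":
        m = DEFENDER_EXCLUSION.search(ev.cmdline)
        if m:
            value = m.group(2) or m.group(3) or m.group(4)
            findings.append(("defender_exclusion", f"{m.group(1)}={value}"))
    if name == "schtasks.exe" and re.search(r"/create\b", ev.cmdline, re.I):
        sc = (_schtasks_opt(ev.cmdline, "sc") or "").lower()
        mo = _schtasks_opt(ev.cmdline, "mo") or "1"
        rl = (_schtasks_opt(ev.cmdline, "rl") or "").upper()
        tr = _schtasks_opt(ev.cmdline, "tr") or ""
        if sc == "minute" and mo.isdigit() and int(mo) <= 5:
            findings.append(("task_high_frequency", f"every {mo} min -> {tr}"))
        if rl == "HIGHEST" and USER_WRITABLE.search(tr):
            findings.append(("task_highest_from_user_path", tr))
    # A binary under a user-writable path whose name is one typo away from a core system binary.
    if USER_WRITABLE.search(ev.image) and name not in SYSTEM_NAMES \
            and any(_one_edit_away(name, s) for s in SYSTEM_NAMES):
        findings.append(("system_name_lookalike", ev.image))
    return findings


def check_host(host: str):
    """Classify one resolved hostname; None if nothing of interest."""
    h = host.lower().rstrip(".")
    if NGROK_TCP.match(h):
        return ("ngrok_tcp_tunnel", h)
    if h in IP_LOOKUP_HOSTS:
        return ("external_ip_lookup", h)
    return None


def root_pid(pid: int, events) -> int:
    """Follow ppid links until the top of the recorded tree."""
    by_pid = {e.pid: e for e in events}
    while pid in by_pid and by_pid[pid].ppid in by_pid:
        pid = by_pid[pid].ppid
    return pid


def triage(events, hosts) -> dict:
    """Process findings keyed by tree root, plus de-duplicated network findings."""
    report = {"process": {}, "network": []}
    for ev in events:
        for rule, detail in check_process(ev):
            report["process"].setdefault(root_pid(ev.pid, events), []).append((ev.pid, rule, detail))
    seen = set()
    for h in hosts:
        f = check_host(h)
        if f and f not in seen:
            seen.add(f)
            report["network"].append(f)
    return report


if __name__ == "__main__":
    import pprint
    pprint.pprint(triage(EVENTS, FLOWS))
```

Run as-is it attributes four Defender exclusions and both scheduled-task findings to PID 2208 and three look-alike launches to the taskeng.exe root, matching the two trees in the report; the Run key and Startup .lnk are registry and file events rather than process creations, so they would need a separate rule over those event types.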
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (a Windows jump-list file)
Filesize: 7KB
MD5: 53685b517a73eecc64ce5594042ef45f
SHA1: fdea0fa312342482ba35f23838304904c109d0b4
SHA256: 215d04ca7a97bdfbeeccff9ca26af65fc04420240d5119982138c2d3a8b46cfd
SHA512: 18d31c76784de04adfd7f9ff3cc9caca34ffe1191e076473d995a3a3bb999d74b481f59302096fddff8c096600139bdc6838881908dda16236c7ff949af9d6f9

C:\Users\Admin\AppData\Roaming\svhost.exe
Filesize: 45KB
MD5: 692bb1be0c680ec225c34bd446ead322
SHA1: 813345d33a051c297f342ae668e7a32b3e40837b
SHA256: 3242b26e5d8ebbe6993b03288ae30e5dfc7f0d93f06d8b4a225c184f24bd3034
SHA512: 2818761e76ad5f7aaf933a857d96d7080ea91653624d923b965c07e224b629b453f5f93c64880a4c9b1f2d55cfff97254c843160c97c169e7437912b80cd04ec
Size and all four hashes are identical to the submitted Mode.exe: the installer copies itself unchanged into %AppData%, so one file hash covers both the dropper and the persisted copy.

Memory dumps (behavioral1; the 72KB regions are the ones matched by family_xworm above):
- memory/700-39-0x0000000000110000-0x0000000000122000-memory.dmp: 72KB
- memory/1316-36-0x0000000001350000-0x0000000001362000-memory.dmp: 72KB
- memory/1328-41-0x00000000011F0000-0x0000000001202000-memory.dmp: 72KB
- memory/2208-31-0x000007FEF6063000-0x000007FEF6064000-memory.dmp: 4KB
- memory/2208-0-0x000007FEF6063000-0x000007FEF6064000-memory.dmp: 4KB
- memory/2208-32-0x000007FEF6060000-0x000007FEF6A4C000-memory.dmp: 9.9MB
- memory/2208-2-0x000007FEF6060000-0x000007FEF6A4C000-memory.dmp: 9.9MB
- memory/2208-1-0x0000000001000000-0x0000000001012000-memory.dmp: 72KB
- memory/2864-15-0x000000001B610000-0x000000001B8F2000-memory.dmp: 2.9MB
- memory/2864-16-0x00000000027F0000-0x00000000027F8000-memory.dmp: 32KB
- memory/2976-9-0x0000000002220000-0x0000000002228000-memory.dmp: 32KB
- memory/2976-8-0x000000001B7A0000-0x000000001BA82000-memory.dmp: 2.9MB
- memory/2976-7-0x0000000002F30000-0x0000000002FB0000-memory.dmp: 512KB