Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    26-05-2024 08:24

General

  • Target

    читы.exe

  • Size

    105KB

  • MD5

    7c4229f56dd1abf353b7615e099cb3a8

  • SHA1

    f1a2545b0d9b1f686d456c60fcd87c3c4ee93d08

  • SHA256

    2d0936804bfa8aedd998cbfb27485f1816222f17921d14705e390c5622b232ad

  • SHA512

    e961a5a7b44fdfc0cbdedbb48320afa5097c8ff5f7d1880069e4120ee0bfe2d0642d3b7b7977c815c6f96b9c0f66028f26a2a0bfcdef5cca363269dff780af41

  • SSDEEP

    3072:ydqfxEp09Xt1m+b1pNkLP+uOoo9wmfAn1W0cgte8:ydq5F9HbvNkK4oPAng0ct

Malware Config

Extracted

Family

xworm

C2

advertise-located.gl.at.ply.gg:54921

19.ip.gl.ply.gg:54921

XWorm V5.2:123

Attributes
  • Install_directory

    %AppData%

  • install_file

    Delta.exe

Signatures

  • Detect Xworm Payload 3 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\читы.exe
    "C:\Users\Admin\AppData\Local\Temp\читы.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1420
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\читы.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2152
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'читы.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2596
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Delta.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2696
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Delta.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2616
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Delta" /tr "C:\Users\Admin\AppData\Roaming\Delta.exe"
      2⤵
      • Creates scheduled task(s)
      PID:2496
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /delete /f /tn "Delta"
      2⤵
      PID:2540
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpF0F.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2428
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:888
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {48A36120-097B-46CE-B320-7AF9E6FB79C1} S-1-5-21-1298544033-3225604241-2703760938-1000:IZKCKOTP\Admin:Interactive:[1]
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1676
      • C:\Users\Admin\AppData\Roaming\Delta.exe
        C:\Users\Admin\AppData\Roaming\Delta.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2648

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmpF0F.tmp.bat

      Filesize

      159B

      MD5

      5a349fcd48aefcb6ac1e75c8fd30cba3

      SHA1

      038e0fd1fb87debee850437bc1d96fcd191e3358

      SHA256

      e32c70029c535847652be5244e0810a9ed4bd8cc31a24721cdf41a578aa6af3a

      SHA512

      83a58718fb58c4bdf316848c101c9c6427451ba454f9a1c05a16b671090d158bd2c6b21654fe52e9d9254b145d57c5c71e9f44e4982b5dc3c42e56f5f9247a71

    • C:\Users\Admin\AppData\Roaming\Delta.exe

      Filesize

      105KB

      MD5

      7c4229f56dd1abf353b7615e099cb3a8

      SHA1

      f1a2545b0d9b1f686d456c60fcd87c3c4ee93d08

      SHA256

      2d0936804bfa8aedd998cbfb27485f1816222f17921d14705e390c5622b232ad

      SHA512

      e961a5a7b44fdfc0cbdedbb48320afa5097c8ff5f7d1880069e4120ee0bfe2d0642d3b7b7977c815c6f96b9c0f66028f26a2a0bfcdef5cca363269dff780af41

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

      Filesize

      7KB

      MD5

      77015caf82de1c9af57a73ac222b6880

      SHA1

      a49de358f0d43c087af7c1b1d14008cf1e7d65cc

      SHA256

      37b11cdcbe746a059d6e85837cafb4c9d3c748104841d778daf85a7c51e54d55

      SHA512

      e23bdeafa3cc3bdaba1fab3ceabdff74a8fca647ac4226f5d892636d4dea56d1877dfb4c75b4a418b7f6540dad23488c87efa060a903e953d67d7d7d406f941a

    • \??\PIPE\srvsvc

      MD5

      d41d8cd98f00b204e9800998ecf8427e

      SHA1

      da39a3ee5e6b4b0d3255bfef95601890afd80709

      SHA256

      e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

      SHA512

      cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

    • \Users\Admin\AppData\Local\Temp\tmpE39B.tmp

      Filesize

      100KB

      MD5

      1b942faa8e8b1008a8c3c1004ba57349

      SHA1

      cd99977f6c1819b12b33240b784ca816dfe2cb91

      SHA256

      555ccb7ecd9ae52a75135fdd81ab443a49d5785b0621ed6468d28c4234e46ccc

      SHA512

      5aee3d59478d41ddd5885c99b394c9c4983064e2b3528db1a3f7fc289662bced4f57d072517bbe7573c6d1789435e987ef1aa9cc91f372bcfd30bc016675fa43

    • memory/1420-1-0x0000000000150000-0x0000000000170000-memory.dmp

      Filesize

      128KB

    • memory/1420-0-0x000007FEF5C33000-0x000007FEF5C34000-memory.dmp

      Filesize

      4KB

    • memory/1420-38-0x0000000001EC0000-0x0000000001EFA000-memory.dmp

      Filesize

      232KB

    • memory/1420-37-0x000000001A730000-0x000000001A7B0000-memory.dmp

      Filesize

      512KB

    • memory/1420-31-0x000000001A730000-0x000000001A7B0000-memory.dmp

      Filesize

      512KB

    • memory/1420-32-0x000007FEF5C33000-0x000007FEF5C34000-memory.dmp

      Filesize

      4KB

    • memory/2152-8-0x0000000001CF0000-0x0000000001CF8000-memory.dmp

      Filesize

      32KB

    • memory/2152-7-0x000000001B670000-0x000000001B952000-memory.dmp

      Filesize

      2.9MB

    • memory/2152-6-0x0000000002D80000-0x0000000002E00000-memory.dmp

      Filesize

      512KB

    • memory/2596-15-0x0000000001DB0000-0x0000000001DB8000-memory.dmp

      Filesize

      32KB

    • memory/2596-14-0x000000001B5A0000-0x000000001B882000-memory.dmp

      Filesize

      2.9MB

    • memory/2648-36-0x0000000001350000-0x0000000001370000-memory.dmp

      Filesize

      128KB