Analysis

max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 26-05-2024 08:24
Behavioral tasks

behavioral1: sample читы.exe, resource win7-20240221-en (Windows 7 x64)
behavioral2: sample читы.exe, resource win10v2004-20240426-en (Windows 10 2004)

The signatures and process tree below are from behavioral1: every memory-dump IoC is tagged behavioral1, and the dropped payload is launched by taskeng.exe, the Windows 7 task host.
General

Target: читы.exe (Russian for "cheats", a common lure name for game-cheat downloads)
Size: 105KB
MD5: 7c4229f56dd1abf353b7615e099cb3a8
SHA1: f1a2545b0d9b1f686d456c60fcd87c3c4ee93d08
SHA256: 2d0936804bfa8aedd998cbfb27485f1816222f17921d14705e390c5622b232ad
SHA512: e961a5a7b44fdfc0cbdedbb48320afa5097c8ff5f7d1880069e4120ee0bfe2d0642d3b7b7977c815c6f96b9c0f66028f26a2a0bfcdef5cca363269dff780af41
SSDEEP: 3072:ydqfxEp09Xt1m+b1pNkLP+uOoo9wmfAn1W0cgte8:ydq5F9HbvNkK4oPAng0ct
Malware Config

Extracted family: xworm
C2: advertise-located.gl.at.ply.gg:54921
C2: 19.ip.gl.ply.gg:54921
XWorm V5.2:123
Install_directory: %AppData%
install_file: Delta.exe

Both C2 hostnames sit under ply.gg, the playit.gg tunnelling service, so the 54921/tcp endpoint is a rented tunnel rather than operator-owned infrastructure; the tunnel hostname and port are the durable indicators, not whatever IP they resolve to at analysis time. Install_directory and install_file match the dropped C:\Users\Admin\AppData\Roaming\Delta.exe seen in the signatures below.
Signatures

Detect Xworm Payload (3 IoCs)
  yara rule family_xworm matched:
  - behavioral1/memory/1420-1-0x0000000000150000-0x0000000000170000-memory.dmp (читы.exe, PID 1420)
  - C:\Users\Admin\AppData\Roaming\Delta.exe
  - behavioral1/memory/2648-36-0x0000000001350000-0x0000000001370000-memory.dmp (Delta.exe, PID 2648)

Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)
  Runs PowerShell to modify Windows Defender settings by adding exclusions (the generic signature covers file extensions, paths and processes; this sample adds path and process exclusions only).
  Processes: powershell.exe PID 2596, PID 2696, PID 2616, PID 2152

Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Delta.lnk (читы.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Delta.lnk (читы.exe)

Executes dropped EXE (1 IoC)
  Processes: Delta.exe PID 2648

Loads dropped DLL (1 IoC)
  Processes: читы.exe PID 1420

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Delta = "C:\\Users\\Admin\\AppData\\Roaming\\Delta.exe" (читы.exe)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
  schtasks is often used by malware for persistence or to perform post-infection execution.

Delays execution with timeout.exe (1 IoC)
  Processes: timeout.exe PID 888

Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes: powershell.exe PID 2152, PID 2596, PID 2696, PID 2616; читы.exe PID 1420

Suspicious use of AdjustPrivilegeToken (7 IoCs)
  Token SeDebugPrivilege enabled by: читы.exe PID 1420 (recorded twice), powershell.exe PID 2152, PID 2596, PID 2696, PID 2616, Delta.exe PID 2648

Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: читы.exe PID 1420

Suspicious use of WriteProcessMemory (27 IoCs)
  Each parent-to-child write below is recorded three times in the log, in this order:
  PID 1420 читы.exe -> 2152 powershell.exe
  PID 1420 читы.exe -> 2596 powershell.exe
  PID 1420 читы.exe -> 2696 powershell.exe
  PID 1420 читы.exe -> 2616 powershell.exe
  PID 1420 читы.exe -> 2496 schtasks.exe
  PID 1676 taskeng.exe -> 2648 Delta.exe
  PID 1420 читы.exe -> 2540 schtasks.exe
  PID 1420 читы.exe -> 2428 cmd.exe
  PID 2428 cmd.exe -> 888 timeout.exe

Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\читы.exe  (PID 1420)
    "C:\Users\Admin\AppData\Local\Temp\читы.exe"
    Drops startup file; Loads dropped DLL; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory

    powershell.exe  (PID 2152, parent 1420)
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\читы.exe'
        Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

    powershell.exe  (PID 2596, parent 1420)
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'читы.exe'
        Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

    powershell.exe  (PID 2696, parent 1420)
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Delta.exe'
        Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

    powershell.exe  (PID 2616, parent 1420)
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Delta.exe'
        Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

    schtasks.exe  (PID 2496, parent 1420)
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Delta" /tr "C:\Users\Admin\AppData\Roaming\Delta.exe"
        Creates scheduled task(s)

    schtasks.exe  (PID 2540, parent 1420)
        "C:\Windows\System32\schtasks.exe" /delete /f /tn "Delta"

    cmd.exe  (PID 2428, parent 1420)
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpF0F.tmp.bat""
        Suspicious use of WriteProcessMemory

        timeout.exe  (PID 888, parent 2428)
            timeout 3
            Delays execution with timeout.exe

C:\Windows\system32\taskeng.exe  (PID 1676)
    taskeng.exe {48A36120-097B-46CE-B320-7AF9E6FB79C1} S-1-5-21-1298544033-3225604241-2703760938-1000:IZKCKOTP\Admin:Interactive:[1]
    Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Delta.exe  (PID 2648, parent 1676)
        C:\Users\Admin\AppData\Roaming\Delta.exe
        Executes dropped EXE; Suspicious use of AdjustPrivilegeToken

Reading the tree: the dropper first carves both its own path/name and the install path/name out of Defender (four separate powershell.exe launches, one exclusion each), then registers the task "Delta" to run the payload every minute with /RL HIGHEST. taskeng.exe starting Delta.exe (PID 2648) is that task firing; the WriteProcessMemory ordering shows the task is deleted again only after the payload is running, and the dropper then hands off to a temporary batch file whose only visible action is a three-second timeout. Together with the Run key and the Startup-folder .lnk this gives three independent persistence paths for the same Delta.exe, and Defender will not scan any of them.
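The exclusion and scheduled-task command lines above are what a detection engineer keys on, and the exclusion list is also what incident response has to roll back. The following is an added example, not part of the sandbox report: a small Python triage script that replays the process tree (SAMPLE_PROCS is constructed from the report's PIDs and command lines) and emits ATT&CK-tagged findings, including the full set of Defender exclusions to remove afterwards. The Proc/Finding types and function names are this example's own; the technique IDs (T1059.001 PowerShell, T1562.001 Impair Defenses: Disable or Modify Tools, T1053.005 Scheduled Task) are the standard ATT&CK IDs for these behaviours.

```python
"""Triage of a sandbox process tree: Defender exclusions, schtasks persistence and
PowerShell policy bypass, tagged with ATT&CK technique IDs.

Added example, not part of the sandbox report. SAMPLE_PROCS is constructed from the
PIDs and command lines printed in the report's process tree.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Proc:
    pid: int
    ppid: int
    cmdline: str


@dataclass
class Finding:
    technique: str                # ATT&CK technique ID
    pid: int
    detail: str
    value: Optional[str] = None   # excluded path/process, kept for rollback


PS = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass '

# Constructed from the report's process tree (same PIDs and command lines).
SAMPLE_PROCS: List[Proc] = [
    Proc(1420, 0, r'"C:\Users\Admin\AppData\Local\Temp\читы.exe"'),
    Proc(2152, 1420, PS + r"Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\читы.exe'"),
    Proc(2596, 1420, PS + r"Add-MpPreference -ExclusionProcess 'читы.exe'"),
    Proc(2696, 1420, PS + r"Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Delta.exe'"),
    Proc(2616, 1420, PS + r"Add-MpPreference -ExclusionProcess 'Delta.exe'"),
    Proc(2496, 1420, r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 '
                     r'/tn "Delta" /tr "C:\Users\Admin\AppData\Roaming\Delta.exe"'),
    Proc(2540, 1420, r'"C:\Windows\System32\schtasks.exe" /delete /f /tn "Delta"'),
    Proc(2428, 1420, r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpF0F.tmp.bat""'),
    Proc(888, 2428, "timeout 3"),
]

# One Add-MpPreference value: 'single-quoted', "double-quoted" or bare; lists are comma-separated.
_VALUE = r"""'[^']*'|"[^"]*"|[^\s,'"]+"""
_VALUE_RE = re.compile(_VALUE)
_EXCLUSION_RE = re.compile(
    r"-Exclusion(Path|Process|Extension)\s+((?:%s)(?:\s*,\s*(?:%s))*)" % (_VALUE, _VALUE),
    re.IGNORECASE,
)


def defender_exclusions(cmdline: str) -> List[tuple]:
    """Return [(kind, value), ...] for every Defender exclusion a command line adds."""
    if not re.search(r"Add-MpPreference", cmdline, re.IGNORECASE):
        return []
    out = []
    for m in _EXCLUSION_RE.finditer(cmdline):
        kind = m.group(1).capitalize()            # Path / Process / Extension
        for raw in _VALUE_RE.findall(m.group(2)):
            out.append((kind, raw.strip("'\"")))
    return out


def _arg(cmdline: str, flag: str) -> Optional[str]:
    """Value following a schtasks flag, with surrounding double quotes removed."""
    m = re.search(r'(?i)(?<!\S)%s\s+(?:"([^"]*)"|(\S+))' % re.escape(flag), cmdline)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def scheduled_task(cmdline: str) -> Optional[dict]:
    """Describe a `schtasks /create` command line; None for anything else (e.g. /delete)."""
    if not re.search(r'(?i)schtasks(\.exe)?"?\s+/create', cmdline):
        return None
    mo = _arg(cmdline, "/mo")
    return {
        "name": _arg(cmdline, "/tn"),
        "run": _arg(cmdline, "/tr"),
        "run_level": (_arg(cmdline, "/RL") or "LIMITED").upper(),
        "schedule": (_arg(cmdline, "/sc") or "").lower(),
        "modifier": int(mo) if mo and mo.isdigit() else None,
    }


def analyze(procs: List[Proc]) -> List[Finding]:
    """Walk the process list and emit one Finding per suspicious behaviour."""
    findings: List[Finding] = []
    for p in procs:
        low = p.cmdline.lower()
        if "powershell" in low and "-executionpolicy bypass" in low:
            findings.append(Finding("T1059.001", p.pid, "PowerShell started with -ExecutionPolicy Bypass"))
        for kind, value in defender_exclusions(p.cmdline):
            findings.append(Finding("T1562.001", p.pid, f"Defender exclusion {kind}={value}", value))
        task = scheduled_task(p.cmdline)
        if task:
            detail = f"task {task['name']!r} runs {task['run']!r}"
            if task["schedule"] == "minute" and task["modifier"]:
                detail += f" every {task['modifier']} minute(s)"
            if task["run_level"] == "HIGHEST":
                detail += " with /RL HIGHEST"
            findings.append(Finding("T1053.005", p.pid, detail))
    return findings


def excluded_artifacts(findings: List[Finding]) -> set:
    """Every path/process carved out of Defender: the list to feed to Remove-MpPreference."""
    return {f.value for f in findings if f.technique == "T1562.001" and f.value}


if __name__ == "__main__":
    found = analyze(SAMPLE_PROCS)
    for f in found:
        print(f"{f.technique}  pid={f.pid:<5} {f.detail}")
    print("roll back:", sorted(excluded_artifacts(found)))
```

Run against the constructed tree it reports four T1059.001 launches, four T1562.001 exclusions and one T1053.005 task ("Delta", every 1 minute, /RL HIGHEST); the /delete invocation is deliberately not reported as a creation. The exclusion parser also expands comma-separated lists, which this sample does not use but which Add-MpPreference accepts, so a variant that adds all its exclusions in one launch is still caught.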
MITRE ATT&CK Enterprise v15
Downloads

(filename not listed)
  Filesize: 159B
  MD5: 5a349fcd48aefcb6ac1e75c8fd30cba3
  SHA1: 038e0fd1fb87debee850437bc1d96fcd191e3358
  SHA256: e32c70029c535847652be5244e0810a9ed4bd8cc31a24721cdf41a578aa6af3a
  SHA512: 83a58718fb58c4bdf316848c101c9c6427451ba454f9a1c05a16b671090d158bd2c6b21654fe52e9d9254b145d57c5c71e9f44e4982b5dc3c42e56f5f9247a71

(filename not listed; hashes identical to the submitted sample читы.exe)
  Filesize: 105KB
  MD5: 7c4229f56dd1abf353b7615e099cb3a8
  SHA1: f1a2545b0d9b1f686d456c60fcd87c3c4ee93d08
  SHA256: 2d0936804bfa8aedd998cbfb27485f1816222f17921d14705e390c5622b232ad
  SHA512: e961a5a7b44fdfc0cbdedbb48320afa5097c8ff5f7d1880069e4120ee0bfe2d0642d3b7b7977c815c6f96b9c0f66028f26a2a0bfcdef5cca363269dff780af41

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 77015caf82de1c9af57a73ac222b6880
  SHA1: a49de358f0d43c087af7c1b1d14008cf1e7d65cc
  SHA256: 37b11cdcbe746a059d6e85837cafb4c9d3c748104841d778daf85a7c51e54d55
  SHA512: e23bdeafa3cc3bdaba1fab3ceabdff74a8fca647ac4226f5d892636d4dea56d1877dfb4c75b4a418b7f6540dad23488c87efa060a903e953d67d7d7d406f941a

(filename and size not listed; these are the hashes of a zero-byte file)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

(filename not listed)
  Filesize: 100KB
  MD5: 1b942faa8e8b1008a8c3c1004ba57349
  SHA1: cd99977f6c1819b12b33240b784ca816dfe2cb91
  SHA256: 555ccb7ecd9ae52a75135fdd81ab443a49d5785b0621ed6468d28c4234e46ccc
  SHA512: 5aee3d59478d41ddd5885c99b394c9c4983064e2b3528db1a3f7fc289662bced4f57d072517bbe7573c6d1789435e987ef1aa9cc91f372bcfd30bc016675fa43