Analysis

  • max time kernel
    112s
  • max time network
    133s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    26-05-2024 15:36

Errors

Reason
Machine shutdown

General

  • Target

    Expensive 3.1.exe

  • Size

    60KB

  • MD5

    a66624abb377e5ff52d4d2ae2707aca2

  • SHA1

    a8bcdcaa2536996637e19827d2753e55bba45a28

  • SHA256

    eb75a771291082654ce1c0ef9feb1bf6cd30da8b85b1e342df0bd3b9af35a3b8

  • SHA512

    ec24aad17f3febb434f6c2f8c371ff0bba486abe9e7768c55f8ca766bb0363791b8a991945795277170a57a64f431a1c5f70a7d4acc4b7d878e9e983aafe26d1

  • SSDEEP

    1536:4ptathcJHAxzcA0VzP5k3O+bB3JcSnGSq67Oy7m/:YoPcJVK++b9JcqOyM

Malware Config

Extracted

Family

xworm

C2

loss-winners.gl.at.ply.gg:61007

Attributes
  • Install_directory

    %AppData%

  • install_file

    Expensive 3.1.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Expensive 3.1.exe
    "C:\Users\Admin\AppData\Local\Temp\Expensive 3.1.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:5048
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Expensive 3.1.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1140
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Expensive 3.1.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5060
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Expensive 3.1.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2052
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Expensive 3.1.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4736
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2352
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    PID:4176
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    PID:1900
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    PID:1336
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    PID:3684
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    PID:812
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    PID:2344

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

    Filesize

    2KB

    MD5

    627073ee3ca9676911bee35548eff2b8

    SHA1

    4c4b68c65e2cab9864b51167d710aa29ebdcff2e

    SHA256

    85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

    SHA512

    3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    944B

    MD5

    e3840d9bcedfe7017e49ee5d05bd1c46

    SHA1

    272620fb2605bd196df471d62db4b2d280a363c6

    SHA256

    3ac83e70415b9701ee71a4560232d7998e00c3db020fde669eb01b8821d2746f

    SHA512

    76adc88ab3930acc6b8b7668e2de797b8c00edcfc41660ee4485259c72a8adf162db62c2621ead5a9950f12bfe8a76ccab79d02fda11860afb0e217812cac376

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    944B

    MD5

    21017c68eaf9461301de459f4f07e888

    SHA1

    41ff30fc8446508d4c3407c79e798cf6eaa5bb73

    SHA256

    03b321e48ff3328d9c230308914961fe110c4c7bc96c0a85a296745437bcb888

    SHA512

    956990c11c6c1baa3665ef7ef23ef6073e0a7fcff77a93b5e605a83ff1e60b916d80d45dafb06977aed90868a273569a865cf2c623e295b5157bfff0fb2be35d

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    944B

    MD5

    ca018da6474d5ee45c05ce24f20318d8

    SHA1

    034c4116e4d397972fe94e181e9bf8bec1ac5a29

    SHA256

    967584c98855ce11eaa685e1a125482181bce5de4e634ebcfe20f1e287bda0d7

    SHA512

    08197218e9c43aab167c0f9622113ddcdf1c250777191b8ff54fecb814fae7d7a7f08c041e9b27a9969ee82bcb9ac595ef3ab9058d991835770d36b13cf1a0c7

  • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

    Filesize

    10KB

    MD5

    2f23663111658be2ba0b273463ff5e60

    SHA1

    c2af77369b83a0177bfdb90c11fad4c5f897a983

    SHA256

    eab4709a1ad32b0b87a53d307893899eb3ee26c6a59a1b34fe83062c79817513

    SHA512

    e0fdfe555a47709cbf14c4c22498c89c3e8fd61c5b40806b9dd06aee20fbdcd3d9c4f7861d1183df15e9c64ed25828f97c8292bc6b4a700d3d4586433bf45bd8

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_csbskkvf.dxk.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • memory/1140-10-0x000001EFE0BD0000-0x000001EFE0BF2000-memory.dmp

    Filesize

    136KB

  • memory/5048-0-0x00007FFF466D3000-0x00007FFF466D5000-memory.dmp

    Filesize

    8KB

  • memory/5048-1-0x0000000000EC0000-0x0000000000ED6000-memory.dmp

    Filesize

    88KB

  • memory/5048-52-0x00007FFF466D0000-0x00007FFF47192000-memory.dmp

    Filesize

    10.8MB

  • memory/5048-53-0x00007FFF466D3000-0x00007FFF466D5000-memory.dmp

    Filesize

    8KB

  • memory/5048-54-0x00007FFF466D0000-0x00007FFF47192000-memory.dmp

    Filesize

    10.8MB

  • memory/5048-55-0x0000000002E80000-0x0000000002E8C000-memory.dmp

    Filesize

    48KB