Analysis
max time kernel: 112s
max time network: 133s
platform: windows11-21h2_x64
resource: win11-20240426-en
resource tags: arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 26-05-2024 15:36

Behavioral task: behavioral1
Sample: Expensive 3.1.exe
Resource: win11-20240426-en
Errors: (none listed)
General
Target: Expensive 3.1.exe
Size: 60KB
MD5: a66624abb377e5ff52d4d2ae2707aca2
SHA1: a8bcdcaa2536996637e19827d2753e55bba45a28
SHA256: eb75a771291082654ce1c0ef9feb1bf6cd30da8b85b1e342df0bd3b9af35a3b8
SHA512: ec24aad17f3febb434f6c2f8c371ff0bba486abe9e7768c55f8ca766bb0363791b8a991945795277170a57a64f431a1c5f70a7d4acc4b7d878e9e983aafe26d1
SSDEEP: 1536:4ptathcJHAxzcA0VzP5k3O+bB3JcSnGSq67Oy7m/:YoPcJVK++b9JcqOyM
Malware Config
Extracted: xworm
- loss-winners.gl.at.ply.gg:61007
- Install_directory: %AppData%
- install_file: Expensive 3.1.exe
Signatures

Detect Xworm Payload (1 IoC)
Processes:
- resource: behavioral1/memory/5048-1-0x0000000000EC0000-0x0000000000ED6000-memory.dmp, yara_rule: family_xworm

Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
- 5060 powershell.exe
- 2052 powershell.exe
- 4736 powershell.exe
- 1140 powershell.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
- Expensive 3.1.exe: Set value (str) \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Run\Expensive 3.1 = "C:\\Users\\Admin\\AppData\\Roaming\\Expensive 3.1.exe"

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Modifies registry class (1 IoC)
Processes:
- MiniSearchHost.exe: Key created \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000_Classes\Local Settings\MuiCache

Suspicious behavior: EnumeratesProcesses (10 IoCs)
Processes:
- 1140 powershell.exe
- 1140 powershell.exe
- 5060 powershell.exe
- 5060 powershell.exe
- 2052 powershell.exe
- 2052 powershell.exe
- 4736 powershell.exe
- 4736 powershell.exe
- 5048 Expensive 3.1.exe
- 5048 Expensive 3.1.exe

Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes (Token: SeDebugPrivilege):
- 5048 Expensive 3.1.exe
- 1140 powershell.exe
- 5060 powershell.exe
- 2052 powershell.exe
- 4736 powershell.exe
- 5048 Expensive 3.1.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
- 2352 MiniSearchHost.exe
- 5048 Expensive 3.1.exe

Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
- PID 5048 (Expensive 3.1.exe) wrote to memory of 1140 (powershell.exe)
- PID 5048 (Expensive 3.1.exe) wrote to memory of 1140 (powershell.exe)
- PID 5048 (Expensive 3.1.exe) wrote to memory of 5060 (powershell.exe)
- PID 5048 (Expensive 3.1.exe) wrote to memory of 5060 (powershell.exe)
- PID 5048 (Expensive 3.1.exe) wrote to memory of 2052 (powershell.exe)
- PID 5048 (Expensive 3.1.exe) wrote to memory of 2052 (powershell.exe)
- PID 5048 (Expensive 3.1.exe) wrote to memory of 4736 (powershell.exe)
- PID 5048 (Expensive 3.1.exe) wrote to memory of 4736 (powershell.exe)
Processes

- C:\Users\Admin\AppData\Local\Temp\Expensive 3.1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Expensive 3.1.exe"
  PID: 5048
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Expensive 3.1.exe'
    PID: 1140
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Expensive 3.1.exe'
    PID: 5060
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Expensive 3.1.exe'
    PID: 2052
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Expensive 3.1.exe'
    PID: 4736
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
  Command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
  PID: 2352
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx

- C:\Windows\system32\sihost.exe (command line: sihost.exe), PID: 4176
- C:\Windows\system32\sihost.exe (command line: sihost.exe), PID: 1900
- C:\Windows\system32\sihost.exe (command line: sihost.exe), PID: 1336
- C:\Windows\system32\sihost.exe (command line: sihost.exe), PID: 3684
- C:\Windows\system32\sihost.exe (command line: sihost.exe), PID: 812
- C:\Windows\system32\sihost.exe (command line: sihost.exe), PID: 2344
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
  Filesize: 10KB