Analysis
max time kernel: 146s
max time network: 147s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 26-05-2024 15:38
Behavioral tasks
behavioral1: sample siski.exe, resource win7-20240508-en
behavioral2: sample siski.exe, resource win10-20240404-en
behavioral3: sample siski.exe, resource win10v2004-20240226-en
behavioral4: sample siski.exe, resource win11-20240426-en
General
Target: siski.exe
Size: 88KB
MD5: a39a9dbad030467f590832a6ab2ff349
SHA1: 23b9baed2339451a3dc0d710024e4f010fc89be8
SHA256: db17812e10401ae3cdc44e07272758c155e215ccc2d4859833d7a26e38706d92
SHA512: 1ea795f981ecf0abb66c2fc2e1704e5292e319d8ff8d24a7e52b05b03125dc24d46f3b80a5f89acedd7361f0adfc7150a3707f9d41a2b4202e7cd014d359232c
SSDEEP: 1536:f62bFTb1Y/aBjS2jklqQZyoJPbUu6Ejbg/YVk36H2VLOO/V2G/cR:t5TyCZjks0ymbttnrVkxLOO2McR
Malware Config
Extracted family: xworm
C2: character-estimate.gl.at.ply.gg:61192
Install_directory: %ProgramData%
install_file: Chrome.exe
Signatures

Detect Xworm Payload (1 IoC)
Processes:
  resource: behavioral1/memory/2188-1-0x00000000000B0000-0x00000000000CC000-memory.dmp
  yara_rule: family_xworm

Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
  pid 2520 powershell.exe
  pid 2276 powershell.exe
  pid 2792 powershell.exe
  pid 2552 powershell.exe

Drops startup file (2 IoCs)
Processes:
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome.lnk (process: siski.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome.lnk (process: siski.exe)

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  Set value (str): \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Chrome = "C:\\ProgramData\\Chrome.exe" (process: siski.exe)

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow 2: ip-api.com

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes:
  pid 2792 powershell.exe
  pid 2552 powershell.exe
  pid 2520 powershell.exe
  pid 2276 powershell.exe
  pid 2188 siski.exe

Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes:
  Token: SeDebugPrivilege, pid 2188 siski.exe
  Token: SeDebugPrivilege, pid 2792 powershell.exe
  Token: SeDebugPrivilege, pid 2552 powershell.exe
  Token: SeDebugPrivilege, pid 2520 powershell.exe
  Token: SeDebugPrivilege, pid 2276 powershell.exe
  Token: SeDebugPrivilege, pid 2188 siski.exe

Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  pid 2188 siski.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  PID 2188 siski.exe wrote to memory of 2792 powershell.exe
  PID 2188 siski.exe wrote to memory of 2792 powershell.exe
  PID 2188 siski.exe wrote to memory of 2792 powershell.exe
  PID 2188 siski.exe wrote to memory of 2552 powershell.exe
  PID 2188 siski.exe wrote to memory of 2552 powershell.exe
  PID 2188 siski.exe wrote to memory of 2552 powershell.exe
  PID 2188 siski.exe wrote to memory of 2520 powershell.exe
  PID 2188 siski.exe wrote to memory of 2520 powershell.exe
  PID 2188 siski.exe wrote to memory of 2520 powershell.exe
  PID 2188 siski.exe wrote to memory of 2276 powershell.exe
  PID 2188 siski.exe wrote to memory of 2276 powershell.exe
  PID 2188 siski.exe wrote to memory of 2276 powershell.exe
Processes

[1] C:\Users\Admin\AppData\Local\Temp\siski.exe (PID 2188)
    Command line: "C:\Users\Admin\AppData\Local\Temp\siski.exe"
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2792)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\siski.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2552)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'siski.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2520)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Chrome.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2276)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Chrome.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: eb6c3b836cc2b9a2c52c34e1b67e489a
SHA1: 8f52062856c9899d8fb4a9ef79431ad86445f679
SHA256: f1319cb46b55522f34813a3fafc3da69821961a2e89faf4fd199cf0d7383d3ce
SHA512: 40fdbaf6e0c5c0cd82af4bf90398e59ec637921a27f0777191a3c128a61dd3d5fadab7f61b2902e597736f3b7d12f669ab5f85701982ea02b321a28d0826b23e