Analysis
max time kernel: 143s
max time network: 148s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 26-05-2024 15:38
Behavioral tasks
behavioral1: sample siski.exe, resource win7-20240508-en
behavioral2: sample siski.exe, resource win10-20240404-en
behavioral3: sample siski.exe, resource win10v2004-20240226-en
behavioral4: sample siski.exe, resource win11-20240426-en
General
Target: siski.exe
Size: 88KB
MD5: a39a9dbad030467f590832a6ab2ff349
SHA1: 23b9baed2339451a3dc0d710024e4f010fc89be8
SHA256: db17812e10401ae3cdc44e07272758c155e215ccc2d4859833d7a26e38706d92
SHA512: 1ea795f981ecf0abb66c2fc2e1704e5292e319d8ff8d24a7e52b05b03125dc24d46f3b80a5f89acedd7361f0adfc7150a3707f9d41a2b4202e7cd014d359232c
SSDEEP: 1536:f62bFTb1Y/aBjS2jklqQZyoJPbUu6Ejbg/YVk36H2VLOO/V2G/cR:t5TyCZjks0ymbttnrVkxLOO2McR
Malware Config
Extracted: xworm
character-estimate.gl.at.ply.gg:61192
Install_directory: %ProgramData%
install_file: Chrome.exe
Signatures

Detect Xworm Payload (1 IoC)
Processes (resource / yara_rule):
- behavioral2/memory/2272-1-0x0000000000060000-0x000000000007C000-memory.dmp: family_xworm

Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes (pid / process):
- 196 powershell.exe
- 520 powershell.exe
- 1200 powershell.exe
- 4340 powershell.exe

Drops startup file (2 IoCs)
Processes (description / ioc / process):
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome.lnk (siski.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome.lnk (siski.exe)

Adds Run key to start application (2 TTPs, 1 IoC)
Processes (description / ioc / process):
- Set value (str): \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\Chrome = "C:\\ProgramData\\Chrome.exe" (siski.exe)

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow / ioc):
- flow 1: ip-api.com

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (13 IoCs)
Processes (pid / process):
- 196 powershell.exe (3 IoCs)
- 520 powershell.exe (3 IoCs)
- 1200 powershell.exe (3 IoCs)
- 4340 powershell.exe (3 IoCs)
- 2272 siski.exe (1 IoC)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes (description / pid / process):
- Token: SeDebugPrivilege, 2272 siski.exe
- 196 powershell.exe, tokens in order: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- 520 powershell.exe: the same 22 tokens in the same order
- 1200 powershell.exe: the same tokens through SeManageVolumePrivilege, then 33 (the report lists only the first 64 IoCs, so this entry is cut off here)
Suspicious use of SetWindowsHookEx (1 IoC)
Processes (pid / process):
- 2272 siski.exe

Suspicious use of WriteProcessMemory (8 IoCs)
Processes (description / pid / process / target process):
- PID 2272 wrote to memory of 196: siski.exe -> powershell.exe (2 IoCs)
- PID 2272 wrote to memory of 520: siski.exe -> powershell.exe (2 IoCs)
- PID 2272 wrote to memory of 1200: siski.exe -> powershell.exe (2 IoCs)
- PID 2272 wrote to memory of 4340: siski.exe -> powershell.exe (2 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\siski.exe (PID 2272)
  Command line: "C:\Users\Admin\AppData\Local\Temp\siski.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 196, child of siski.exe)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\siski.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 520, child of siski.exe)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'siski.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1200, child of siski.exe)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Chrome.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4340, child of siski.exe)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Chrome.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads