Analysis
max time kernel: 149s
max time network: 154s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 26-05-2024 15:41
Behavioral task behavioral1: sample pornhub.exe, resource win7-20240221-en (the run covered by this report)
Behavioral task behavioral2: sample pornhub.exe, resource win10-20240404-en
General
Target: pornhub.exe
Size: 85KB
MD5: d9f622dd3ba5ba4e70a51e7d690e8019
SHA1: e7a5149a04e34782d8cf95248955d726df26ad72
SHA256: ca83463a0b08d1a04d19a0a28e11e6a8123753061a91e21dbf09a1aba55e1526
SHA512: a0cbeafabfcd916e132f8d4bfcc69adb280022a107102199cd99372fb8b76fc08332f9d24863eab19f264e697b3340917a85073a7a5be76e158abcca3145b1a7
SSDEEP: 1536:X8cC9V4pEQ5RZxzK1bgB+bN4JdErIlkUH66q7ICKO7JIbVhk:X82DZ3B+bN1IlLHWUdO9I5hk
Malware Config
Extracted
Family: xworm
C2: character-estimate.gl.at.ply.gg:61192 (a *.ply.gg hostname is a playit.gg tunnel endpoint, so the operator's host sits behind the tunnel service; the hostname and port are the durable indicator, not the IP it resolves to)
Install_directory: %ProgramData%
install_file: Chrome.exe
The two install values match the persistence observed in the run: the Run value Chrome = C:\ProgramData\Chrome.exe and the Startup folder shortcut Chrome.lnk.
Signatures

Detect Xworm Payload (1 IoC)
  yara_rule family_xworm matched resource behavioral1/memory/2904-1-0x0000000000FE0000-0x0000000000FFC000-memory.dmp (the unpacked payload in pornhub.exe's own address space)

Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)
Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes. In this run the four invocations add -ExclusionPath and -ExclusionProcess entries for the dropper and for its %ProgramData%\Chrome.exe copy; no extension exclusions were observed.
  pid 2948 powershell.exe
  pid 2612 powershell.exe
  pid 2392 powershell.exe
  pid 2368 powershell.exe

Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome.lnk (pornhub.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome.lnk (pornhub.exe)

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Chrome = "C:\\ProgramData\\Chrome.exe" (pornhub.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid 2948 powershell.exe
  pid 2612 powershell.exe
  pid 2392 powershell.exe
  pid 2368 powershell.exe
  pid 2904 pornhub.exe

Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Token: SeDebugPrivilege, pid 2904 pornhub.exe
  Token: SeDebugPrivilege, pid 2948 powershell.exe
  Token: SeDebugPrivilege, pid 2612 powershell.exe
  Token: SeDebugPrivilege, pid 2392 powershell.exe
  Token: SeDebugPrivilege, pid 2368 powershell.exe
  Token: SeDebugPrivilege, pid 2904 pornhub.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid 2904 pornhub.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  PID 2904 (pornhub.exe) wrote to memory of 2948 (powershell.exe), 3 events
  PID 2904 (pornhub.exe) wrote to memory of 2612 (powershell.exe), 3 events
  PID 2904 (pornhub.exe) wrote to memory of 2392 (powershell.exe), 3 events
  PID 2904 (pornhub.exe) wrote to memory of 2368 (powershell.exe), 3 events
Processes

[1] C:\Users\Admin\AppData\Local\Temp\pornhub.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\pornhub.exe"
    PID: 2904
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (child of PID 2904)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\pornhub.exe'
        PID: 2948
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (child of PID 2904)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'pornhub.exe'
        PID: 2612
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (child of PID 2904)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Chrome.exe'
        PID: 2392
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (child of PID 2904)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Chrome.exe'
        PID: 2368
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
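The four PowerShell children above are what the "Command and Scripting Interpreter: PowerShell" signature fires on, and the Run value and Startup shortcut are the persistence the extracted config points at. As an added example that is not part of this sandbox report, the following detection logic runs over process, registry and file telemetry and scores each observation: an Add-/Set-MpPreference exclusion is rated high, and critical when the requesting parent itself runs from a user-writable directory (the self-exclusion pattern seen here). The EVENTS list is constructed from the report's own command lines, Run value and Startup path; the event field names, the explorer.exe parent and the benign vendor-agent control line are assumptions made for the example.

```python
"""Flag Defender exclusion tampering and autostart persistence in process,
registry and file telemetry. Added example, not part of the sandbox report:
EVENTS is constructed from the command lines, Run value and Startup shortcut
shown above; its field names are an assumed generic Sysmon/EDR-style shape."""
import re

CMDLET_RE = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.IGNORECASE)
# One value, quoted with ' or " or bare; the cmdlets also accept arrays ('a','b').
VALUE = r'''(?:'[^']*'|"[^"]*"|[^\s,'"]+)'''
EXCLUSION_RE = re.compile(
    r"-(ExclusionPath|ExclusionProcess|ExclusionExtension)\s+"
    r"(" + VALUE + r"(?:\s*,\s*" + VALUE + r")*)", re.IGNORECASE)
TOKEN_RE = re.compile(VALUE)

# Directories an unprivileged user can write to; exclusions pointing here are the red flag.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\programdata\\", "\\users\\public\\")
AUTORUN_KEYS = ("\\software\\microsoft\\windows\\currentversion\\run\\",
                "\\software\\microsoft\\windows\\currentversion\\runonce\\")
STARTUP_DIR = "\\start menu\\programs\\startup\\"

PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PS = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass '
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\pornhub.exe"

EVENTS = [  # constructed sample telemetry (explorer.exe parent and pid 3001 are assumed)
    {"type": "process", "pid": 1234, "ppid": 1000, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"type": "process", "pid": 2904, "ppid": 1234, "image": DROPPER, "cmdline": '"' + DROPPER + '"'},
    {"type": "process", "pid": 2948, "ppid": 2904, "image": PS_IMAGE,
     "cmdline": PS + "Add-MpPreference -ExclusionPath 'C:\\Users\\Admin\\AppData\\Local\\Temp\\pornhub.exe'"},
    {"type": "process", "pid": 2612, "ppid": 2904, "image": PS_IMAGE,
     "cmdline": PS + "Add-MpPreference -ExclusionProcess 'pornhub.exe'"},
    {"type": "process", "pid": 2392, "ppid": 2904, "image": PS_IMAGE,
     "cmdline": PS + "Add-MpPreference -ExclusionPath 'C:\\ProgramData\\Chrome.exe'"},
    {"type": "process", "pid": 2368, "ppid": 2904, "image": PS_IMAGE,
     "cmdline": PS + "Add-MpPreference -ExclusionProcess 'Chrome.exe'"},
    {"type": "registry", "pid": 2904, "value": r"C:\ProgramData\Chrome.exe",
     "key": r"HKU\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Chrome"},
    {"type": "file", "pid": 2904,
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome.lnk"},
    # Control: an admin excluding a vendor agent from an Explorer-spawned shell (constructed, benign).
    {"type": "process", "pid": 3001, "ppid": 1234, "image": PS_IMAGE,
     "cmdline": PS + "Add-MpPreference -ExclusionPath 'C:\\Program Files\\Vendor\\agent.exe'"},
]


def defender_exclusions(cmdline):
    """(parameter, value) pairs an Add-/Set-MpPreference call in cmdline registers, else []."""
    if not CMDLET_RE.search(cmdline):
        return []
    pairs = []
    for m in EXCLUSION_RE.finditer(cmdline):
        for tok in TOKEN_RE.findall(m.group(2)):  # split comma-separated arrays
            pairs.append((m.group(1), tok.strip("'\"")))
    return pairs


def in_user_writable(path):
    p = path.lower()
    return any(seg in p for seg in USER_WRITABLE)


def triage(events):
    """Return (severity, pid, description) findings for the three behaviours in the report."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = []
    for e in events:
        if e["type"] == "process":
            parent = procs.get(e["ppid"])
            for param, value in defender_exclusions(e["cmdline"]):
                sev, note = "high", f"Defender -{param} exclusion added for {value!r}"
                if in_user_writable(value):
                    note += " (excluded object is in a user-writable directory)"
                if parent and in_user_writable(parent["image"]):
                    # Exclusion requested by a binary running from a user-writable path: self-exclusion.
                    sev, note = "critical", note + f"; requested by {parent['image']} (pid {parent['pid']})"
                findings.append((sev, e["pid"], note))
        elif e["type"] == "registry":
            if any(k in e["key"].lower() for k in AUTORUN_KEYS) and in_user_writable(e["value"]):
                name = e["key"].rsplit("\\", 1)[-1]
                findings.append(("high", e["pid"], f"Run value {name} -> {e['value']}"))
        elif e["type"] == "file":
            p = e["path"].lower()
            if STARTUP_DIR in p and p.endswith(".lnk"):
                findings.append(("medium", e["pid"], "Startup folder shortcut: " + e["path"]))
    return findings


if __name__ == "__main__":
    for sev, pid, note in triage(EVENTS):
        print(f"[{sev:8}] pid {pid}: {note}")
```

On a live host the same three observations come from Get-MpPreference (its ExclusionPath, ExclusionProcess and ExclusionExtension properties), Defender's operational log event 5007 (configuration changed), the HKCU Run key and the per-user Startup folder. The parser matches full parameter names only; PowerShell also accepts unambiguous prefixes, so a production rule should tokenise the command line rather than rely on this regex alone.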
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: 5d56f29f3a2afb560ecf73a9607d7139
SHA1: 3ecc10a517295bec0038aedd9d0d0b42b8d456cd
SHA256: d722044abee8c77949728b20c487f38aad09f763fde45edf79f95ad65f88198e
SHA512: e261172c5be24986c84d147bc3b8283c41ee0d22ff7eca330294649909694861f7b35425164b91cb50952e038dcc23548375a497fc87d25f966fa472cf401879
This is a Windows jump list written by the shell, a normal by-product of the sample being run in the sandbox rather than a file dropped by the malware; its hashes are specific to this run and should not be used as indicators for the XWorm payload.