Analysis
- max time kernel: 32s
- max time network: 33s
- platform: windows7_x64
- resource: win7-20240419-en
- resource tags: arch:x64 arch:x86 image:win7-20240419-en locale:en-us os:windows7-x64 system
- submitted: 26-05-2024 15:12

Behavioral tasks
- behavioral1: sample Gbeta.exe, resource win7-20240419-en
- behavioral2: sample Gbeta.exe, resource win10v2004-20240426-en
General
- Target: Gbeta.exe
- Size: 620KB
- MD5: a80fd81703b974b03a3e665d9e1a8f81
- SHA1: 13230cc88893ba287d975caa02464f306dc0a2e1
- SHA256: e14916b5552020906ba0c25450f9dcb0c5ab6bcf58d5042c26edde8c6289a1d8
- SHA512: 198e3dbd8122dfcf4eb3b3dc0da0d382b7ce686e50f5ff9eda031ed1cee54b89f99adbcdd8b5fc3147394c774345ad21f2d0e2943c73847a61c6b51da06cdc4f
- SSDEEP: 1536:xDOptR2uwOmSyGoiBrhAj9OvGJbN+iBa0aQT76+ueOWOiJf6zjjjZSE4MMMzTXqB:xKptdvmSLx5gbwzQTNueOWOiYLgSni
Malware Config
Extracted
- Family: xworm
- C2: valid-saint.gl.at.ply.gg:23570
- Install_directory: %ProgramData%
- install_file: GBeta.exe
Signatures

Detect Xworm Payload (1 IoC)
Processes:
- resource: behavioral1/memory/2268-1-0x0000000000120000-0x00000000001C0000-memory.dmp, yara_rule: family_xworm

Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
- pid 2732 powershell.exe
- pid 2040 powershell.exe
- pid 2500 powershell.exe
- pid 2932 powershell.exe

Drops startup file (2 IoCs)
Processes:
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GBeta.lnk (process: Gbeta.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GBeta.lnk (process: Gbeta.exe)

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
- Set value (str): \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\GBeta = "C:\\ProgramData\\GBeta.exe" (process: Gbeta.exe)

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
- flow 4: ip-api.com

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes:
- pid 2732 powershell.exe
- pid 2040 powershell.exe
- pid 2500 powershell.exe
- pid 2932 powershell.exe
- pid 2268 Gbeta.exe

Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes:
- Token: SeDebugPrivilege, pid 2268 Gbeta.exe
- Token: SeDebugPrivilege, pid 2732 powershell.exe
- Token: SeDebugPrivilege, pid 2040 powershell.exe
- Token: SeDebugPrivilege, pid 2500 powershell.exe
- Token: SeDebugPrivilege, pid 2932 powershell.exe
- Token: SeDebugPrivilege, pid 2268 Gbeta.exe

Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
- pid 2268 Gbeta.exe

Suspicious use of WriteProcessMemory (15 IoCs)
Processes:
- PID 2268 (Gbeta.exe) wrote to memory of 2732 (powershell.exe), recorded 3 times
- PID 2268 (Gbeta.exe) wrote to memory of 2040 (powershell.exe), recorded 3 times
- PID 2268 (Gbeta.exe) wrote to memory of 2500 (powershell.exe), recorded 3 times
- PID 2268 (Gbeta.exe) wrote to memory of 2932 (powershell.exe), recorded 3 times
- PID 2268 (Gbeta.exe) wrote to memory of 2764 (schtasks.exe), recorded 3 times

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

- C:\Users\Admin\AppData\Local\Temp\Gbeta.exe (PID 2268)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Gbeta.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  Child processes:

  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2732)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Gbeta.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2040)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Gbeta.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2500)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\GBeta.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2932)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'GBeta.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\System32\schtasks.exe (PID 2764)
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "GBeta" /tr "C:\ProgramData\GBeta.exe"
    - Creates scheduled task(s)
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  - Filesize: 7KB
  - MD5: 68284f1e984dc76dc19e1c7281de9245
  - SHA1: b6f38e74dd08c156d0d5e9453e4aba622431dcf4
  - SHA256: 14786a2ad28e2a815eda2b2b5153e75e2e6309535ec3d9a412d86fab0d8f78ce
  - SHA512: 3f885908164b6b6495ee7ff600bdec5bf4c30dd39cfeca7f59b41c04d3d68bf7731f83fe17de5f97a64f6c93b5199a7527be8b48a217a5cc37be20dd4dba17ff