Analysis
  Max time kernel: 146s
  Max time network: 150s
  Platform: windows11-21h2_x64
  Resource: win11-20240508-en
  Resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
  Submitted: 26-05-2024 15:22
Behavioral task: behavioral1
  Sample: Expensive 3.0.exe
  Resource: win11-20240508-en
General
  Target: Expensive 3.0.exe
  Size: 71KB
  MD5: 4d8c67f116afed39d1a1638d1f60e82c
  SHA1: f7bde1231a237cd5bb663c729bee92bbdf20e46d
  SHA256: adba1f5dfc1e917467184dcc01cd67fe3e5dfafa5db03c52b4bb7894827fad79
  SHA512: 9cc32e1dbe32d6f45f0c25782f55e0a62eb0cc78d426834cec9a91f209d2cc72fa7e1dc0995339a227b0f6124ac84602272aa1d71d0dfb6eea11328fe6415364
  SSDEEP: 1536:FscQuSvo0znd8gyFRN2ibLC+bxGuTMcpoz6G4OufqN:FoPtzn+PNDbLC+bxGuTSF4Oufu
Malware Config
  Extracted family: xworm
  C2: loss-winners.gl.at.ply.gg:61007:1567
  Install_directory: %AppData%
  install_file: Expensive 3.1.exe
  Note: the C2 host is a *.ply.gg subdomain, i.e. a playit.gg tunnel endpoint; the operator's real address sits behind the tunnel, and the hostname can be re-pointed at will, so blocking it alone is a weak control. The install directory and file name match the Run key value and the Defender exclusions recorded below.
Signatures
  - Detect Xworm Payload (1 IoC)
    Processes:
      resource: behavioral1/memory/4088-0-0x0000000000100000-0x0000000000118000-memory.dmp, yara_rule: family_xworm
  - Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)
    Runs PowerShell to modify Windows Defender settings by adding exclusions for file extensions, paths, and processes (in this run only path and process exclusions are added; see the process tree).
    Processes: 4988 powershell.exe, 3944 powershell.exe, 788 powershell.exe, 3412 powershell.exe
  - Adds Run key to start application (2 TTPs, 1 IoC)
    Processes:
      Expensive 3.0.exe: Set value (str) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Windows\CurrentVersion\Run\Expensive 3.1 = "C:\\Users\\Admin\\AppData\\Roaming\\Expensive 3.1.exe"
  - Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  - Suspicious behavior: EnumeratesProcesses (9 IoCs)
    Processes: 4988 powershell.exe (x2), 3944 powershell.exe (x2), 788 powershell.exe (x2), 3412 powershell.exe (x2), 4088 Expensive 3.0.exe
  - Suspicious use of AdjustPrivilegeToken (6 IoCs)
    Processes (Token: SeDebugPrivilege): 4088 Expensive 3.0.exe, 4988 powershell.exe, 3944 powershell.exe, 788 powershell.exe, 3412 powershell.exe, 4088 Expensive 3.0.exe
  - Suspicious use of SetWindowsHookEx (1 IoC)
    Processes: 4088 Expensive 3.0.exe
  - Suspicious use of WriteProcessMemory (8 IoCs)
    Processes: PID 4088 (Expensive 3.0.exe) wrote to the memory of its child powershell.exe processes 4988, 3944, 788 and 3412 (two IoCs each)
Processes
  [depth 1] C:\Users\Admin\AppData\Local\Temp\Expensive 3.0.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Expensive 3.0.exe"
    PID: 4088
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    [depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Expensive 3.0.exe'
      PID: 4988
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    [depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Expensive 3.0.exe'
      PID: 3944
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    [depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Expensive 3.1.exe'
      PID: 788
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    [depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Expensive 3.1.exe'
      PID: 3412
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
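The four PowerShell children above add Defender exclusions for the dropper itself and for the install path that the Run key already points at, so the two behaviours are worth correlating rather than alerting on separately. The script below is an added detection example, not code from this report or from the sample: it runs that correlation over constructed Sysmon-style process-creation (EID 1) and registry-value (EID 13) events that mirror the process tree above, rating an exclusion high when it names the parent process itself or a path that was also registered under Run. The event field names, the benign contrast event, the parent PIDs 2000 and 900, and the Alert type are assumptions made for the example.

```python
"""Added detection example (not from the sandbox report or the XWorm sample):
correlate Defender exclusions added through PowerShell with a HKCU Run value
pointing into %AppData%, over constructed Sysmon-style events."""
import re
from dataclasses import dataclass

EXCLUSION_RE = re.compile(
    r"Add-MpPreference\b.*?-Exclusion(?P<kind>Path|Process|Extension|IpAddress)\s+"
    r"(?:(?P<q>['\"])(?P<qv>.*?)(?P=q)|(?P<bare>\S+))",
    re.IGNORECASE,
)
BYPASS_RE = re.compile(r"-ExecutionPolicy\s+Bypass\b", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"\\AppData\\(Roaming|Local)\\", re.IGNORECASE)

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\Expensive 3.0.exe"
INSTALL = r"C:\Users\Admin\AppData\Roaming\Expensive 3.1.exe"
RUN_KEY = (r"HKU\S-1-5-21-1672260578-815027929-964132517-1000"
           r"\Software\Microsoft\Windows\CurrentVersion\Run\Expensive 3.1")


def ps_cmd(args):
    return f'"{PS}" -ExecutionPolicy Bypass {args}'


# Constructed events mirroring the process tree in this report (eid 1 = process
# create, eid 13 = registry value set); they are not the sandbox's raw telemetry.
# Parent PIDs 2000 and 900 and the benign admin event are assumptions.
EVENTS = [
    {"eid": 1, "pid": 4088, "ppid": 2000, "image": DROPPER, "cmdline": f'"{DROPPER}"'},
    {"eid": 13, "pid": 4088, "key": RUN_KEY, "data": INSTALL},
    {"eid": 1, "pid": 4988, "ppid": 4088, "image": PS,
     "cmdline": ps_cmd(f"Add-MpPreference -ExclusionPath '{DROPPER}'")},
    {"eid": 1, "pid": 3944, "ppid": 4088, "image": PS,
     "cmdline": ps_cmd("Add-MpPreference -ExclusionProcess 'Expensive 3.0.exe'")},
    {"eid": 1, "pid": 788, "ppid": 4088, "image": PS,
     "cmdline": ps_cmd(f"Add-MpPreference -ExclusionPath '{INSTALL}'")},
    {"eid": 1, "pid": 3412, "ppid": 4088, "image": PS,
     "cmdline": ps_cmd("Add-MpPreference -ExclusionProcess 'Expensive 3.1.exe'")},
    # Benign contrast: an admin excluding a build directory, no bypass, not self-referential.
    {"eid": 1, "pid": 5100, "ppid": 900, "image": PS,
     "cmdline": f'"{PS}" Add-MpPreference -ExclusionPath "C:\\Builds\\agent"'},
]


@dataclass(frozen=True)
class Alert:
    rule: str
    pid: int
    severity: str
    detail: str


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return alerts for Run-key persistence and Defender exclusions."""
    images = {e["pid"]: e["image"] for e in events if e["eid"] == 1}
    run_targets = {}  # lower-cased path -> pid that wrote the Run value
    alerts = []
    for e in events:
        if e["eid"] == 13 and RUN_KEY_RE.search(e["key"]):
            target = e["data"].strip('"').lower()
            run_targets[target] = e["pid"]
            sev = "high" if USER_WRITABLE_RE.search(target) else "low"
            alerts.append(Alert("run_key_persistence", e["pid"], sev, f"{e['key']} -> {e['data']}"))
    run_names = {_basename(p) for p in run_targets}
    for e in events:
        if e["eid"] != 1:
            continue
        m = EXCLUSION_RE.search(e["cmdline"])
        if not m:
            continue
        value = (m.group("qv") if m.group("qv") is not None else m.group("bare")).lower()
        parent = images.get(e.get("ppid"), "").lower()
        # Self-exclusion: the excluded path or process name is the parent image itself.
        self_ref = bool(parent) and value in (parent, _basename(parent))
        # The excluded path is also what the Run value launches.
        covers_persistence = value in run_targets or _basename(value) in run_names
        if self_ref or covers_persistence:
            sev = "high"
        elif BYPASS_RE.search(e["cmdline"]) or USER_WRITABLE_RE.search(value):
            sev = "medium"
        else:
            sev = "low"
        alerts.append(Alert("defender_exclusion_added", e["pid"], sev,
                            f"{m.group('kind')}={value} parent={parent or '?'}"))
    return alerts


def suspect_parents(events, alerts):
    """PIDs that wrote a Run value and spawned at least one high-severity exclusion."""
    ppid = {e["pid"]: e.get("ppid") for e in events if e["eid"] == 1}
    persisted = {a.pid for a in alerts if a.rule == "run_key_persistence"}
    excluders = {ppid.get(a.pid) for a in alerts
                 if a.rule == "defender_exclusion_added" and a.severity == "high"}
    return persisted & excluders


if __name__ == "__main__":
    found = analyze(EVENTS)
    for a in found:
        print(f"[{a.severity:6}] {a.rule} pid={a.pid} {a.detail}")
    print("suspect parents:", suspect_parents(EVENTS, found))
```

Run as a script it prints one alert per event and reports 4088 as the only parent that both persisted and excluded itself; the benign build-directory exclusion stays at low. On a real host the same rules map onto Sysmon Event ID 1 (CommandLine, ParentProcessId) and Event ID 13 (TargetObject, Details), or onto 4688 with command-line auditing enabled. The ExclusionPath and ExclusionProcess lists can also be read back from the host with Get-MpPreference to confirm the exclusions actually landed, and the Run value checked under HKCU\Software\Microsoft\Windows\CurrentVersion\Run.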
Network
MITRE ATT&CK Enterprise v15
Downloads
  - Filesize: 2KB
    MD5: 627073ee3ca9676911bee35548eff2b8
    SHA1: 4c4b68c65e2cab9864b51167d710aa29ebdcff2e
    SHA256: 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
    SHA512: 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb
  - Filesize: 944B
    MD5: 2e8eb51096d6f6781456fef7df731d97
    SHA1: ec2aaf851a618fb43c3d040a13a71997c25bda43
    SHA256: 96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864
    SHA512: 0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2
  - Filesize: 944B
    MD5: f8c40f7624e23fa92ae2f41e34cfca77
    SHA1: 20e742cfe2759ac2adbc16db736a9e143ca7b677
    SHA256: c51a52818a084addbfa913d2bb4bb2b0e60c287a4cf98e679f18b8a521c0aa7b
    SHA512: f1da3ec61403d788d417d097a7ed2947203c6bff3cf1d35d697c31edecdf04710b3e44b2aa263b886e297b2ce923fea410ccc673261928f1d0cd81252740dbe7
  - Filesize: 944B
    MD5: afd658f862c04666c1f51238869a968c
    SHA1: 5b88a35271011acd76727140676599219bcdf83f
    SHA256: 6fc05790686b22b440dc0eeee39ec795876073b974d3aa7b3a627f3061247bed
    SHA512: eb4f310e8f2925e41470a221263f00eb571bdff1110ebdb0f08723e0b228b0355c29ba66d97d9eae49f97e2699ee5fa480d87692bdd99528f933134900f2abca
  - Filesize: 60B
    MD5: d17fe0a3f47be24a6453e9ef58c94641
    SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82