Analysis
max time kernel: 51s
max time network: 76s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 26-05-2024 15:32
Behavioral task behavioral1: Sample Expensive 3.1.exe, Resource win7-20240221-en
Behavioral task behavioral2: Sample Expensive 3.1.exe, Resource win10v2004-20240426-en
General
Target: Expensive 3.1.exe
Size: 60KB
MD5: a66624abb377e5ff52d4d2ae2707aca2
SHA1: a8bcdcaa2536996637e19827d2753e55bba45a28
SHA256: eb75a771291082654ce1c0ef9feb1bf6cd30da8b85b1e342df0bd3b9af35a3b8
SHA512: ec24aad17f3febb434f6c2f8c371ff0bba486abe9e7768c55f8ca766bb0363791b8a991945795277170a57a64f431a1c5f70a7d4acc4b7d878e9e983aafe26d1
SSDEEP: 1536:4ptathcJHAxzcA0VzP5k3O+bB3JcSnGSq67Oy7m/:YoPcJVK++b9JcqOyM
Malware Config
Extracted: xworm
loss-winners.gl.at.ply.gg:61007
Install_directory: %AppData%
install_file: Expensive 3.1.exe
Signatures
Contains code to disable Windows Defender (1 IoC)
A .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring, blocking at first seen, etc.
Processes:
resource: behavioral1/memory/2876-31-0x0000000002020000-0x000000000202E000-memory.dmp, yara_rule: disable_win_def
Detect Xworm Payload (1 IoC)
Processes:
resource: behavioral1/memory/2876-1-0x00000000003B0000-0x00000000003C6000-memory.dmp, yara_rule: family_xworm
Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)
Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
pid 2700 powershell.exe
pid 2728 powershell.exe
pid 3048 powershell.exe
pid 2376 powershell.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
Expensive 3.1.exe: Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Expensive 3.1 = "C:\\Users\\Admin\\AppData\\Roaming\\Expensive 3.1.exe"
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes:
pid 2700 powershell.exe
pid 2728 powershell.exe
pid 3048 powershell.exe
pid 2376 powershell.exe
pid 2876 Expensive 3.1.exe
Suspicious use of AdjustPrivilegeToken (7 IoCs)
Processes:
Token: SeDebugPrivilege, pid 2876 Expensive 3.1.exe
Token: SeDebugPrivilege, pid 2700 powershell.exe
Token: SeDebugPrivilege, pid 2728 powershell.exe
Token: SeDebugPrivilege, pid 3048 powershell.exe
Token: SeDebugPrivilege, pid 2376 powershell.exe
Token: SeDebugPrivilege, pid 2876 Expensive 3.1.exe
Token: SeShutdownPrivilege, pid 2876 Expensive 3.1.exe
Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
pid 2876 Expensive 3.1.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
PID 2876 Expensive 3.1.exe wrote to memory of 2700 powershell.exe
PID 2876 Expensive 3.1.exe wrote to memory of 2700 powershell.exe
PID 2876 Expensive 3.1.exe wrote to memory of 2700 powershell.exe
PID 2876 Expensive 3.1.exe wrote to memory of 2728 powershell.exe
PID 2876 Expensive 3.1.exe wrote to memory of 2728 powershell.exe
PID 2876 Expensive 3.1.exe wrote to memory of 2728 powershell.exe
PID 2876 Expensive 3.1.exe wrote to memory of 3048 powershell.exe
PID 2876 Expensive 3.1.exe wrote to memory of 3048 powershell.exe
PID 2876 Expensive 3.1.exe wrote to memory of 3048 powershell.exe
PID 2876 Expensive 3.1.exe wrote to memory of 2376 powershell.exe
PID 2876 Expensive 3.1.exe wrote to memory of 2376 powershell.exe
PID 2876 Expensive 3.1.exe wrote to memory of 2376 powershell.exe
Processes
C:\Users\Admin\AppData\Local\Temp\Expensive 3.1.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Expensive 3.1.exe"
  PID: 2876
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Expensive 3.1.exe'
    PID: 2700
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Expensive 3.1.exe'
    PID: 2728
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Expensive 3.1.exe'
    PID: 3048
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Expensive 3.1.exe'
    PID: 2376
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: fe75d9bc4a28e7df4f3ab130662c970d
SHA1: 97e36509a5af310c512515cb384b96e5e1e4aeba
SHA256: edb646c044adaa19104d60bd01a2a28c99b24cc82cd70c68ccb4b9a8879ef365
SHA512: 454fb36495b1927fc0d9b5265afd7dd53170dbb79c2d10fb0e467a054e75543cbdb16c4c5e24a3005aa24d9d490a9f45c53895b5fa5d995f319ec5f42de06d4d

MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e