Analysis

  • max time kernel
    51s
  • max time network
    76s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    26-05-2024 15:32

General

  • Target

    Expensive 3.1.exe

  • Size

    60KB

  • MD5

    a66624abb377e5ff52d4d2ae2707aca2

  • SHA1

    a8bcdcaa2536996637e19827d2753e55bba45a28

  • SHA256

    eb75a771291082654ce1c0ef9feb1bf6cd30da8b85b1e342df0bd3b9af35a3b8

  • SHA512

    ec24aad17f3febb434f6c2f8c371ff0bba486abe9e7768c55f8ca766bb0363791b8a991945795277170a57a64f431a1c5f70a7d4acc4b7d878e9e983aafe26d1

  • SSDEEP

    1536:4ptathcJHAxzcA0VzP5k3O+bB3JcSnGSq67Oy7m/:YoPcJVK++b9JcqOyM

Malware Config

Extracted

Family

xworm

C2

loss-winners.gl.at.ply.gg:61007

Attributes
  • Install_directory

    %AppData%

  • install_file

    Expensive 3.1.exe

Signatures

  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Expensive 3.1.exe
    "C:\Users\Admin\AppData\Local\Temp\Expensive 3.1.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2876
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Expensive 3.1.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2700
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Expensive 3.1.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2728
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Expensive 3.1.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3048
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Expensive 3.1.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2376

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    7KB

    MD5

    fe75d9bc4a28e7df4f3ab130662c970d

    SHA1

    97e36509a5af310c512515cb384b96e5e1e4aeba

    SHA256

    edb646c044adaa19104d60bd01a2a28c99b24cc82cd70c68ccb4b9a8879ef365

    SHA512

    454fb36495b1927fc0d9b5265afd7dd53170dbb79c2d10fb0e467a054e75543cbdb16c4c5e24a3005aa24d9d490a9f45c53895b5fa5d995f319ec5f42de06d4d

  • \??\PIPE\srvsvc

    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • memory/2700-6-0x0000000002600000-0x0000000002680000-memory.dmp

    Filesize

    512KB

  • memory/2700-7-0x000000001B2E0000-0x000000001B5C2000-memory.dmp

    Filesize

    2.9MB

  • memory/2700-8-0x00000000024E0000-0x00000000024E8000-memory.dmp

    Filesize

    32KB

  • memory/2728-14-0x000000001B290000-0x000000001B572000-memory.dmp

    Filesize

    2.9MB

  • memory/2728-15-0x0000000002420000-0x0000000002428000-memory.dmp

    Filesize

    32KB

  • memory/2876-0-0x000007FEF4E43000-0x000007FEF4E44000-memory.dmp

    Filesize

    4KB

  • memory/2876-1-0x00000000003B0000-0x00000000003C6000-memory.dmp

    Filesize

    88KB

  • memory/2876-28-0x0000000001F60000-0x0000000001FE0000-memory.dmp

    Filesize

    512KB

  • memory/2876-29-0x000007FEF4E43000-0x000007FEF4E44000-memory.dmp

    Filesize

    4KB

  • memory/2876-30-0x0000000001F60000-0x0000000001FE0000-memory.dmp

    Filesize

    512KB

  • memory/2876-31-0x0000000002020000-0x000000000202E000-memory.dmp

    Filesize

    56KB