Analysis
- max time kernel: 125s
- max time network: 140s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 26-05-2024 15:54
Behavioral task: behavioral1
- Sample: ca83463a0b08d1a04d19a0a28e11e6a8123753061a91e21dbf09a1aba55e1526.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: ca83463a0b08d1a04d19a0a28e11e6a8123753061a91e21dbf09a1aba55e1526.exe
- Resource: win10v2004-20240508-en
The signatures and process tree below come from behavioral1 (Windows 7); the YARA match is recorded against behavioral1/memory.
General
- Target: ca83463a0b08d1a04d19a0a28e11e6a8123753061a91e21dbf09a1aba55e1526.exe
- Size: 85KB
- MD5: d9f622dd3ba5ba4e70a51e7d690e8019
- SHA1: e7a5149a04e34782d8cf95248955d726df26ad72
- SHA256: ca83463a0b08d1a04d19a0a28e11e6a8123753061a91e21dbf09a1aba55e1526
- SHA512: a0cbeafabfcd916e132f8d4bfcc69adb280022a107102199cd99372fb8b76fc08332f9d24863eab19f264e697b3340917a85073a7a5be76e158abcca3145b1a7
- SSDEEP: 1536:X8cC9V4pEQ5RZxzK1bgB+bN4JdErIlkUH66q7ICKO7JIbVhk:X82DZ3B+bN1IlLHWUdO9I5hk
Malware Config
Extracted: xworm
- C2: character-estimate.gl.at.ply.gg:61192 (a *.ply.gg hostname, i.e. a playit.gg reverse tunnel: the address it resolves to belongs to the tunnel provider, not to the operator's own infrastructure, so block the hostname rather than the IP)
- Install_directory: %ProgramData%
- install_file: Chrome.exe
The install directory and file name match the persistence entries observed in the run (C:\ProgramData\Chrome.exe, see Signatures).
Signatures
- Detect Xworm Payload (1 IoC)
  resource | yara_rule
  behavioral1/memory/1916-1-0x0000000000BE0000-0x0000000000BFC000-memory.dmp | family_xworm
  The family_xworm rule hit on a 0x1C000-byte (112 KB) region of the sample's own process (PID 1916): the XWorm code is resident in the dropped executable itself, not in a separate host process.
- Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)
  Runs PowerShell to add Windows Defender exclusions for file extensions, paths and processes.
  Processes: powershell.exe (PID 2636), powershell.exe (PID 2900), powershell.exe (PID 2972), powershell.exe (PID 2588)
  In this run all four invocations are Add-MpPreference with -ExclusionPath or -ExclusionProcess (no extension exclusions); the command lines are listed in the process tree below. Add-MpPreference only succeeds from an elevated context, so the exclusions take effect only when the sample was launched with administrative rights.
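A detection the signature above implies, written as an added example that is not part of the sandbox report: it takes process-creation records (pid, ppid, image, command line; the field names are this example's assumption) and flags Add-MpPreference / Set-MpPreference exclusion calls, extracting what was excluded and whether the excluded item is the calling binary itself or lives in a payload staging directory. The sample records are constructed from the four command lines in this report (PIDs from the report; the parent ppid 1200 and the pid 3100 control are invented). Handling comma-separated exclusion lists and Set-MpPreference goes beyond what this run shows.

```python
"""Flag Windows Defender exclusion tampering in process-creation records.

Added example, not part of the sandbox report. Records carry
pid/ppid/image/cmdline (field names assumed). Caveats: this parses plain
command lines only; -EncodedCommand, abbreviated parameter names such as
-ExclusionPa, and Set-MpPreference -DisableRealtimeMonitoring need their own rules.
"""
import re
from dataclasses import dataclass

SAMPLE = "ca83463a0b08d1a04d19a0a28e11e6a8123753061a91e21dbf09a1aba55e1526.exe"
SAMPLE_PATH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"


def _ps(args):
    return '"' + PS + '" ' + args


# Constructed sample records: the first five mirror the report's process tree,
# the last one is a benign control (an admin excluding build directories).
PROCESS_EVENTS = [
    {"pid": 1916, "ppid": 1200, "image": SAMPLE_PATH, "cmdline": '"' + SAMPLE_PATH + '"'},
    {"pid": 2972, "ppid": 1916, "image": PS,
     "cmdline": _ps("-ExecutionPolicy Bypass Add-MpPreference -ExclusionPath '" + SAMPLE_PATH + "'")},
    {"pid": 2588, "ppid": 1916, "image": PS,
     "cmdline": _ps("-ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '" + SAMPLE + "'")},
    {"pid": 2636, "ppid": 1916, "image": PS,
     "cmdline": _ps("-ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\\ProgramData\\Chrome.exe'")},
    {"pid": 2900, "ppid": 1916, "image": PS,
     "cmdline": _ps("-ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Chrome.exe'")},
    {"pid": 3100, "ppid": 900, "image": PS,
     "cmdline": _ps("Add-MpPreference -ExclusionPath 'D:\\Builds', 'D:\\Cache'")},
]

# One value: single-quoted, double-quoted, or bare (ends at whitespace or comma).
TOKEN = r"'[^']*'|\"[^\"]*\"|[^\s,]+"
# -ExclusionPath/-ExclusionProcess/-ExclusionExtension/-ExclusionIpAddress
# followed by one value or a comma-separated list of values.
EXCLUSION_RE = re.compile(
    r"-Exclusion(Path|Process|Extension|IpAddress)\s+((?:%s)(?:\s*,\s*(?:%s))*)" % (TOKEN, TOKEN),
    re.IGNORECASE,
)
# Directories droppers stage payloads in; an exclusion for anything here is
# worth a look regardless of who added it.
STAGING_DIRS = ("c:\\programdata\\", "c:\\users\\public\\",
                "\\appdata\\local\\temp\\", "\\appdata\\roaming\\")


@dataclass(frozen=True)
class Finding:
    pid: int
    kind: str             # path | process | extension | ipaddress
    value: str
    policy_bypass: bool   # -ExecutionPolicy Bypass present on the command line
    self_exclusion: bool  # excluded item is the parent process's own binary
    staging_dir: bool     # excluded path lies under a staging directory


def in_staging_dir(path):
    p = path.lower()
    return any(d in p for d in STAGING_DIRS)


def find_defender_exclusions(events):
    """Return one Finding per excluded value, correlated with the parent image."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        cmd = e["cmdline"]
        if not re.search(r"\b(Add|Set)-MpPreference\b", cmd, re.IGNORECASE):
            continue
        bypass = re.search(r"-ExecutionPolicy\s+Bypass", cmd, re.IGNORECASE) is not None
        parent_image = by_pid.get(e["ppid"], {}).get("image", "").lower()
        parent_name = parent_image.rsplit("\\", 1)[-1]
        for m in EXCLUSION_RE.finditer(cmd):
            kind = m.group(1).lower()
            for raw in re.findall(TOKEN, m.group(2)):
                value = raw.strip("'\"")
                v = value.lower()
                self_excl = v != "" and v in (parent_image, parent_name)
                findings.append(Finding(e["pid"], kind, value, bypass, self_excl, in_staging_dir(v)))
    return findings


def high_confidence(findings):
    """Exclusions naming the caller's own binary or a staging directory.
    The XWorm pattern above trips this; the D:\\Builds control does not."""
    return [f for f in findings if f.self_exclusion or f.staging_dir]


if __name__ == "__main__":
    for f in find_defender_exclusions(PROCESS_EVENTS):
        print(f)
```

The self-exclusion check is the strongest signal here: a process asking Defender to ignore its own parent's image is the dropper pattern seen in this report, and the bare image-name exclusion ('Chrome.exe', PID 2900) is deliberately left at medium confidence because a name alone says nothing about where the file lives.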
- Drops startup file (2 IoCs)
  Process: ca83463a0b08d1a04d19a0a28e11e6a8123753061a91e21dbf09a1aba55e1526.exe (PID 1916)
  description | ioc | process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome.lnk | ca83463a0b08d1a04d19a0a28e11e6a8123753061a91e21dbf09a1aba55e1526.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome.lnk | ca83463a0b08d1a04d19a0a28e11e6a8123753061a91e21dbf09a1aba55e1526.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: ca83463a0b08d1a04d19a0a28e11e6a8123753061a91e21dbf09a1aba55e1526.exe (PID 1916)
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Chrome = "C:\ProgramData\Chrome.exe" | ca83463a0b08d1a04d19a0a28e11e6a8123753061a91e21dbf09a1aba55e1526.exe
  Both persistence mechanisms are per-user (the Run value sits under the user's HKU hive, the .lnk in the user's own Startup folder) and both point at the configured install path %ProgramData%\Chrome.exe. The report's Downloads section does not include a file at that path, so the install copy was not captured in this run.
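A triage rule for the two persistence artefacts above (the Startup-folder .lnk and the HKU Run value), written as an added example that is not part of the sandbox report. It consumes registry-set records (pid, key, name, data) and file-create records (pid, op, path); the field names are this example's assumption. The constructed sample contains the report's two IoCs plus invented benign controls (PID 4000, the Documents file). It goes beyond this run in one respect: a Run value pointing at a binary named like a browser but living outside that browser's install directory is flagged generally, not only for Chrome.exe.

```python
"""Triage Run-key and Startup-folder persistence records.

Added example, not part of the sandbox report. Field names are assumed.
The .lnk check only looks at where the shortcut was written; resolving the
shortcut's target would need a Shell Link (.lnk) parser, which is out of scope.
"""
import re
from dataclasses import dataclass

# Constructed records: the first entry of each list is taken from the report,
# the remaining entries are benign controls.
REG_EVENTS = [
    {"pid": 1916,
     "key": "\\REGISTRY\\USER\\S-1-5-21-3691908287-3775019229-3534252667-1000"
            "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
     "name": "Chrome", "data": "C:\\ProgramData\\Chrome.exe"},
    {"pid": 4000,
     "key": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
     "name": "SecurityHealth", "data": "C:\\Windows\\System32\\SecurityHealthSystray.exe"},
]
FILE_EVENTS = [
    {"pid": 1916, "op": "create",
     "path": "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows"
             "\\Start Menu\\Programs\\Startup\\Chrome.lnk"},
    {"pid": 1916, "op": "create", "path": "C:\\Users\\Admin\\Documents\\notes.txt"},
]

# Run/RunOnce under HKCU, HKLM and the Wow6432Node view all end the same way.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)$", re.IGNORECASE)
# Per-user and all-users Startup folders; only .lnk files are of interest here.
STARTUP_LNK_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.IGNORECASE)
STAGING_DIRS = ("c:\\programdata\\", "c:\\users\\public\\",
                "\\appdata\\local\\temp\\", "\\appdata\\roaming\\")
# Browser image names and the path fragment their legitimate install lives under.
BROWSER_HOMES = {
    "chrome.exe": "\\google\\chrome\\application\\",
    "msedge.exe": "\\microsoft\\edge\\application\\",
    "firefox.exe": "\\mozilla firefox\\",
}


@dataclass(frozen=True)
class Finding:
    rule: str       # run_key | startup_lnk
    pid: int
    subject: str
    reasons: tuple


def in_staging_dir(path):
    p = path.lower()
    return any(d in p for d in STAGING_DIRS)


def masquerades_as_browser(path):
    """True when the file is named like a browser but is not where that browser installs."""
    p = path.lower()
    home = BROWSER_HOMES.get(p.rsplit("\\", 1)[-1])
    return home is not None and home not in p


def image_from_command(data):
    """Image path from a Run value: the quoted path, else the first token.
    (An unquoted path containing spaces is truncated; that is a known limit.)"""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]


def check_run_keys(reg_events):
    out = []
    for e in reg_events:
        if not RUN_KEY_RE.search(e["key"]):
            continue
        target = image_from_command(e["data"])
        reasons = []
        if in_staging_dir(target):
            reasons.append("staging_dir")
        if masquerades_as_browser(target):
            reasons.append("browser_masquerade")
        if reasons:
            out.append(Finding("run_key", e["pid"], e["name"] + " -> " + target, tuple(reasons)))
    return out


def check_startup_files(file_events):
    return [Finding("startup_lnk", e["pid"], e["path"], ("startup_folder",))
            for e in file_events
            if e["op"] == "create" and STARTUP_LNK_RE.search(e["path"])]


def persistence_findings(reg_events, file_events):
    return check_run_keys(reg_events) + check_startup_files(file_events)


if __name__ == "__main__":
    for f in persistence_findings(REG_EVENTS, FILE_EVENTS):
        print(f)
```

Any write into a Startup folder is reported unconditionally because legitimate software rarely creates shortcuts there at runtime; Run values are only reported with a reason, since the key itself is full of legitimate entries on every host.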
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes: powershell.exe (PID 2972), powershell.exe (PID 2588), powershell.exe (PID 2636), powershell.exe (PID 2900), ca83463a0b08d1a04d19a0a28e11e6a8123753061a91e21dbf09a1aba55e1526.exe (PID 1916)
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 1916 | ca83463a0b08d1a04d19a0a28e11e6a8123753061a91e21dbf09a1aba55e1526.exe
  Token: SeDebugPrivilege | 2972 | powershell.exe
  Token: SeDebugPrivilege | 2588 | powershell.exe
  Token: SeDebugPrivilege | 2636 | powershell.exe
  Token: SeDebugPrivilege | 2900 | powershell.exe
  Token: SeDebugPrivilege | 1916 | ca83463a0b08d1a04d19a0a28e11e6a8123753061a91e21dbf09a1aba55e1526.exe
  SeDebugPrivilege being enabled by powershell.exe appears for practically every PowerShell process in these reports and is not meaningful on its own; the two enables in PID 1916 are the sample's own.
- Suspicious use of SetWindowsHookEx (1 IoC)
  Process: ca83463a0b08d1a04d19a0a28e11e6a8123753061a91e21dbf09a1aba55e1526.exe (PID 1916)
  SetWindowsHookEx is the API behind keyboard and mouse hooks; a RAT installing a hook from its own process is consistent with keylogging.
- Suspicious use of WriteProcessMemory (12 IoCs)
  Process: ca83463a0b08d1a04d19a0a28e11e6a8123753061a91e21dbf09a1aba55e1526.exe (PID 1916)
  description | pid | process | target process
  PID 1916 wrote to memory of 2972 (3 times) | 1916 | ca83463a0b08d1a04d19a0a28e11e6a8123753061a91e21dbf09a1aba55e1526.exe | powershell.exe
  PID 1916 wrote to memory of 2588 (3 times) | 1916 | ca83463a0b08d1a04d19a0a28e11e6a8123753061a91e21dbf09a1aba55e1526.exe | powershell.exe
  PID 1916 wrote to memory of 2636 (3 times) | 1916 | ca83463a0b08d1a04d19a0a28e11e6a8123753061a91e21dbf09a1aba55e1526.exe | powershell.exe
  PID 1916 wrote to memory of 2900 (3 times) | 1916 | ca83463a0b08d1a04d19a0a28e11e6a8123753061a91e21dbf09a1aba55e1526.exe | powershell.exe
  Three writes per child, each into a powershell.exe the sample has just spawned, is the pattern of ordinary CreateProcess setup of a new child; on its own it does not indicate injection into a foreign process.
Processes
- C:\Users\Admin\AppData\Local\Temp\ca83463a0b08d1a04d19a0a28e11e6a8123753061a91e21dbf09a1aba55e1526.exe (PID 1916)
  "C:\Users\Admin\AppData\Local\Temp\ca83463a0b08d1a04d19a0a28e11e6a8123753061a91e21dbf09a1aba55e1526.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Children (all spawned by PID 1916):
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2972)
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ca83463a0b08d1a04d19a0a28e11e6a8123753061a91e21dbf09a1aba55e1526.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2588)
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ca83463a0b08d1a04d19a0a28e11e6a8123753061a91e21dbf09a1aba55e1526.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2636)
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Chrome.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2900)
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Chrome.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Read together, the four children exclude the running dropper (by full path, then by image name) and the configured install copy %ProgramData%\Chrome.exe (by full path, then by image name) from Defender scanning. -ExclusionProcess 'Chrome.exe' is matched on image name alone, so it also covers files touched by any legitimately installed Chrome.exe. -ExecutionPolicy Bypass has no effect on an inline command (execution policy governs script files, not command-line arguments) but is a reliable hunting string; the exclusions themselves only take effect when powershell.exe runs elevated.
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: e94176206cabaebce068e4d2ea867e7a
  SHA1: c2830e16b2b0ad195348cb5662de89c4bc9fd7f8
  SHA256: af65742422c0aaf57a183eb0876cdd74ebb23158916195443925301e86c50ebf
  SHA512: 8a6f2e32f4fedde1d8d2994adc6b00cbd9a7e6684080684e8b85463a40768ac64f2baf9805faff43569450a717e63e09d04692b81a077641da860279538371e0
  This is a Windows jump-list file (.customDestinations-ms) in the user's Recent folder, an OS artefact written as shell items are used rather than malware content; its contents depend on the machine's activity, so these hashes are not useful as indicators.