Analysis
max time kernel: 117s
max time network: 121s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 26-05-2024 17:41

Behavioral task: behavioral1
Sample: Injector.exe
Resource: win7-20240215-en
General
Target: Injector.exe
Size: 38KB
MD5: 424a9e83ab70500a16bc52d86016fffc
SHA1: 14dba3bd7d5564f8538a78e4da34a7bc460166d6
SHA256: 015d90cb2d696c35b623c2f2283ae931a52fa06eabb162289b183f5bf6c5cafe
SHA512: f53682fd9f668c38cb89682911a98c86d8ac97d6f7f344a3f678abc36a69a504ee54bc0e871136cf4807d253575fae82574ac222f85083d180c7be811535dcd9
SSDEEP: 768:scZ7ehfsvhd9vncvL1EZ251TR8FF5Pj9I/OMhd3Ii:scAqv90C08Fh9I/OMXd
Malware Config
Extracted
Family: xworm
Version: 5.0
C2: said-webcam.gl.at.ply.gg:64349
Cb07KjGDR4pTCEXY
install_file: USB.exe
Signatures
Detect Xworm Payload (1 IoC)
  resource: behavioral1/memory/2824-1-0x0000000000BB0000-0x0000000000BC0000-memory.dmp
  yara_rule: family_xworm
Deletes itself (1 IoC)
  pid 2796 cmd.exe
Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 4, ioc ip-api.com
Delays execution with timeout.exe (1 IoC)
  pid 2804 timeout.exe
Suspicious behavior: EnumeratesProcesses (7 IoCs)
  pid 2824 Injector.exe (7 entries)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, pid 2824 Injector.exe (2 entries)
Suspicious use of SetWindowsHookEx (1 IoC)
  pid 2824 Injector.exe
Suspicious use of WriteProcessMemory (6 IoCs)
  PID 2824 Injector.exe wrote to memory of PID 2796 cmd.exe (3 entries)
  PID 2796 cmd.exe wrote to memory of PID 2804 timeout.exe (3 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\Injector.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
  PID: 2824
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp1FFF.tmp.bat""
    PID: 2796
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\timeout.exe
      command line: timeout 3
      PID: 2804
      - Delays execution with timeout.exe
Downloads
Filesize: 160B
MD5: d8dc004c8343981caa95d4bf509c6d05
SHA1: 045e943bf7083060edffad0009251b1b2be3be97
SHA256: 0f6ef40c96167e40cc98d81cf71976f14bef96211fb6fa33134f7986f961351d
SHA512: 8de89c6110cb0cdf61ed6ae9fa351bf373550ed807d0dfcbdd833587ddd823c35e8214a4a69d25f1aa5fda5f37c5dac7643dbb7f7c01aaf0d05c6d6ac43d5f22