Analysis
max time kernel: 136s
max time network: 143s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-05-2024 17:41
Behavioral task: behavioral1
Sample: Injector.exe
Resource: win7-20240215-en
General
Target: Injector.exe
Size: 38KB
MD5: 424a9e83ab70500a16bc52d86016fffc
SHA1: 14dba3bd7d5564f8538a78e4da34a7bc460166d6
SHA256: 015d90cb2d696c35b623c2f2283ae931a52fa06eabb162289b183f5bf6c5cafe
SHA512: f53682fd9f668c38cb89682911a98c86d8ac97d6f7f344a3f678abc36a69a504ee54bc0e871136cf4807d253575fae82574ac222f85083d180c7be811535dcd9
SSDEEP: 768:scZ7ehfsvhd9vncvL1EZ251TR8FF5Pj9I/OMhd3Ii:scAqv90C08Fh9I/OMXd
Malware Config
Extracted
Family: xworm
Version: 5.0
C2: said-webcam.gl.at.ply.gg:64349
Mutex: Cb07KjGDR4pTCEXY
install_file: USB.exe
Signatures

Detect Xworm Payload (1 IoCs)
Processes:
  resource: behavioral2/memory/2604-1-0x0000000000530000-0x0000000000540000-memory.dmp
  yara_rule: family_xworm

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow: 7
  ioc: ip-api.com

Delays execution with timeout.exe (1 IoCs)
Processes:
  pid 4136, process timeout.exe

Suspicious behavior: EnumeratesProcesses (1 IoCs)
Processes:
  pid 2604, process Injector.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description Token: SeDebugPrivilege, pid 2604, process Injector.exe
  description Token: SeDebugPrivilege, pid 2604, process Injector.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
  pid 2604, process Injector.exe

Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
  description PID 2604 wrote to memory of 3808, pid 2604, process Injector.exe, target process cmd.exe
  description PID 2604 wrote to memory of 3808, pid 2604, process Injector.exe, target process cmd.exe
  description PID 3808 wrote to memory of 4136, pid 3808, process cmd.exe, target process timeout.exe
  description PID 3808 wrote to memory of 4136, pid 3808, process cmd.exe, target process timeout.exe
Processes

[1] C:\Users\Admin\AppData\Local\Temp\Injector.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
    PID: 2604
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpF1AE.tmp.bat""
        PID: 3808
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\system32\timeout.exe
            Command line: timeout 3
            PID: 4136
            - Delays execution with timeout.exe

[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4156 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8
    PID: 3092
Downloads

Filesize: 160B
MD5: 5514ff68cab0839bb0d24b01cbcc9ab3
SHA1: 7efb192b3bf450724ceef96f3f22a3d7bf409e3a
SHA256: a291a80444885cf70fd44afd73d76f6b560cadf5bb18328d1327287967c1192c
SHA512: b21a04858630c7b087b4ab8a2be599602be4174f9ec77cc7aa04737cd3cad92b76b03dc1580c631af9f546b8d85dfe081998d18dd4e4f20892a96aa83667fe20