Analysis
- max time kernel: 840s
- max time network: 919s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 29-05-2024 17:29
Behavioral task behavioral1
- Sample: MLClauncher.exe
- Resource: win7-20240220-en
Behavioral task behavioral2
- Sample: MLClauncher.exe
- Resource: win10v2004-20240426-en
General
- Target: MLClauncher.exe
- Size: 66KB
- MD5: 23e7e5af720dfc90b86294a8a7800c76
- SHA1: e674bd73e3c9a496c9b5422f43874fcfc9f5510c
- SHA256: 1810fc024d4da8c805bdf76c8152ec68615c33676c4bee025d889de89af3724f
- SHA512: 0bb3731bfd6601b9b903ce93aa3fc493d063d5ddb20b7e2277808205bcde96f5cc7dafc94caf59ec5e7d0b8a44aa6b739cc6f326d29aaa03c3b85c090cab3681
- SSDEEP: 1536:rttwy1I4PKiFM8tBb1L1JmX2npd6KnXOUVBCIu9BE:BBRPXb1L22pDXOUPCpBE
Malware Config
Extracted: xworm
- C2: 127.0.0.1:2832
- C2: 20.ip.gl.ply.gg:2832
- Install_directory: %Temp%
- install_file: svhost.exe
Signatures
- Detect Xworm Payload (1 IoCs)
  resource: behavioral1/memory/1624-1-0x0000000000F30000-0x0000000000F46000-memory.dmp, yara_rule: family_xworm
- Command and Scripting Interpreter: PowerShell (1 TTPs, 4 IoCs)
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  Processes (pid, process): 2512 powershell.exe; 1780 powershell.exe; 2656 powershell.exe; 2964 powershell.exe
- Drops startup file (2 IoCs)
  Processes (description, ioc, process):
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk (MLClauncher.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk (MLClauncher.exe)
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description, ioc, process):
  Set value (str): \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svhost.exe" (MLClauncher.exe)
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow, ioc): 4 ip-api.com
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid, process): 2964 powershell.exe; 2512 powershell.exe; 1780 powershell.exe; 2656 powershell.exe; 1668 taskmgr.exe (60 repeated events)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes (pid, process): 1668 taskmgr.exe
- Suspicious use of AdjustPrivilegeToken (7 IoCs)
  Processes (description, pid, process):
  Token: SeDebugPrivilege 1624 MLClauncher.exe
  Token: SeDebugPrivilege 2964 powershell.exe
  Token: SeDebugPrivilege 2512 powershell.exe
  Token: SeDebugPrivilege 1780 powershell.exe
  Token: SeDebugPrivilege 2656 powershell.exe
  Token: SeDebugPrivilege 1624 MLClauncher.exe
  Token: SeDebugPrivilege 1668 taskmgr.exe
- Suspicious use of FindShellTrayWindow (64 IoCs)
  Processes (pid, process): 1668 taskmgr.exe (64 repeated events)
- Suspicious use of SendNotifyMessage (64 IoCs)
  Processes (pid, process): 1668 taskmgr.exe (64 repeated events)
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
  PID 1624 wrote to memory of 2964: 1624 MLClauncher.exe -> powershell.exe (3 events)
  PID 1624 wrote to memory of 2512: 1624 MLClauncher.exe -> powershell.exe (3 events)
  PID 1624 wrote to memory of 1780: 1624 MLClauncher.exe -> powershell.exe (3 events)
  PID 1624 wrote to memory of 2656: 1624 MLClauncher.exe -> powershell.exe (3 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\MLClauncher.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\MLClauncher.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (child)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\MLClauncher.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (child)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'MLClauncher.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (child)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svhost.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (child)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
- C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\cool man.txt
- C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\cool man.txt
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: ccc1a8f954f878f6e666b2ceeef35aef
  SHA1: c0b974618004d9ea35edef90ff4c9b0dda86a3a5
  SHA256: 93ca17c19dc2f064e725c25408aff84a826db55bfa85a312f0390c34ffba4176
  SHA512: b52e561c3031e9d4e48adeef84467cdc0818b3c2ba1261a7c3e4ad4818b81efcb28534017f027fe31db757a328106fa6c0bc71880b5a609173589b184bba6700
- Memory dumps (name: filesize)
  memory/1624-1-0x0000000000F30000-0x0000000000F46000-memory.dmp: 88KB
  memory/1624-2-0x000007FEF5910000-0x000007FEF62FC000-memory.dmp: 9.9MB
  memory/1624-36-0x0000000000F20000-0x0000000000F2C000-memory.dmp: 48KB
  memory/1624-0-0x000007FEF5913000-0x000007FEF5914000-memory.dmp: 4KB
  memory/1624-31-0x000007FEF5913000-0x000007FEF5914000-memory.dmp: 4KB
  memory/1624-32-0x000007FEF5910000-0x000007FEF62FC000-memory.dmp: 9.9MB
  memory/1668-34-0x0000000140000000-0x00000001405E8000-memory.dmp: 5.9MB
  memory/1668-38-0x0000000140000000-0x00000001405E8000-memory.dmp: 5.9MB
  memory/1668-37-0x0000000140000000-0x00000001405E8000-memory.dmp: 5.9MB
  memory/1668-35-0x0000000140000000-0x00000001405E8000-memory.dmp: 5.9MB
  memory/2512-16-0x00000000028A0000-0x00000000028A8000-memory.dmp: 32KB
  memory/2512-15-0x000000001B630000-0x000000001B912000-memory.dmp: 2.9MB
  memory/2964-9-0x0000000002820000-0x0000000002828000-memory.dmp: 32KB
  memory/2964-8-0x000000001B570000-0x000000001B852000-memory.dmp: 2.9MB
  memory/2964-7-0x0000000002850000-0x00000000028D0000-memory.dmp: 512KB