Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30-05-2024 21:28

General

  • Target

    4a29205d5c7853d089ed8faebc6d412f0c58f782eba05d70b2a2cfc7ee3e2500.exe

  • Size

    75KB

  • MD5

    2fdfdc28bc8f362cc5f8c011d42d0a1e

  • SHA1

    67d6b431dfa75f02219dbee35c72f8d3636e21da

  • SHA256

    4a29205d5c7853d089ed8faebc6d412f0c58f782eba05d70b2a2cfc7ee3e2500

  • SHA512

    2694c1e44285d9e8d98e1b3762a6d83b27e4eaa0a5b71441e920154904aadde4b6d831c16ad573b2d978b57859c06d37f1eb8cdf48a4427489f04141c6bffb82

  • SSDEEP

    1536:rgc6J73fHqXWZ16J452BapyWhabisdvojWVQ8GNQ9t6kut3Ov9K97B:rgr7PlnyWobisslquxOFKVB

Malware Config

Extracted

Family

xworm

C2

rent-pas.gl.at.ply.gg:25215

Attributes
  • Install_directory

    %Temp%

  • install_file

    NvidiaPanel.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Detects Windows executables referencing non-Windows User-Agents 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Runs PowerShell (Add-MpPreference) to add Windows Defender exclusions. The signature covers file extensions, paths and processes; in this run the sample excludes its own path and process name and then the dropped copy NvidiaPanel.exe, so neither binary is scanned once persistence kicks in.

  • Checks computer location settings 2 TTPs 1 IoCs

    Reads the country code configured in the registry, likely for geofencing.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution. Here the task "NvidiaPanel" re-launches %Temp%\NvidiaPanel.exe every minute (/sc minute /mo 1) and requests the highest run level (/RL HIGHEST), which is why the dropped copy appears several times in the process list below.

  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\4a29205d5c7853d089ed8faebc6d412f0c58f782eba05d70b2a2cfc7ee3e2500.exe
    "C:\Users\Admin\AppData\Local\Temp\4a29205d5c7853d089ed8faebc6d412f0c58f782eba05d70b2a2cfc7ee3e2500.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:228
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\4a29205d5c7853d089ed8faebc6d412f0c58f782eba05d70b2a2cfc7ee3e2500.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3696
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '4a29205d5c7853d089ed8faebc6d412f0c58f782eba05d70b2a2cfc7ee3e2500.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3548
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NvidiaPanel.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4972
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'NvidiaPanel.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3832
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "NvidiaPanel" /tr "C:\Users\Admin\AppData\Local\Temp\NvidiaPanel.exe"
      2⤵
      • Creates scheduled task(s)
      PID:4480
  • C:\Users\Admin\AppData\Local\Temp\NvidiaPanel.exe
    C:\Users\Admin\AppData\Local\Temp\NvidiaPanel.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2352
  • C:\Users\Admin\AppData\Local\Temp\NvidiaPanel.exe
    C:\Users\Admin\AppData\Local\Temp\NvidiaPanel.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1684
  • C:\Users\Admin\AppData\Local\Temp\NvidiaPanel.exe
    C:\Users\Admin\AppData\Local\Temp\NvidiaPanel.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4824
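The following is an added example, not code from the sandbox report or from XWorm: a small Python triage routine that scores process-creation records (the fields Sysmon Event ID 1 or Security 4688 provide) for the two behaviours listed under Signatures and visible in the process tree above, Defender exclusions added through Add-MpPreference, and a schtasks /create with a short interval and /RL HIGHEST pointing into %Temp%. The events are constructed to mirror the tree (PIDs and command lines from the report); the sample's parent PID, the benign control event and its PIDs, the field names and the severity rules are my own assumptions.

```python
"""Added example: triage logic for the Defender-exclusion + schtasks pattern.

Editor-added code, not part of the sandbox report or of XWorm. It scores
process-creation records and is exercised on constructed events that mirror
the report's process tree; parent PIDs the report does not give (0, 6000)
are placeholders.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Locations an unprivileged user can write to. A parent process or a task
# target living here is the cheap signal that separates this from admin tooling.
USER_WRITABLE = re.compile(
    r"\\(AppData\\(Local\\Temp|Roaming)|Users\\Public|ProgramData)\\", re.I)

# Add-MpPreference -ExclusionPath 'value' / -ExclusionProcess value / -ExclusionExtension value
EXCLUSION_RE = re.compile(
    r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)\s+"
    r"(?:['\"]([^'\"]*)['\"]|(\S+))", re.I)


def parse_schtasks(cmdline: str) -> dict:
    """Parse a schtasks command line into {switch: value}; switches without a
    value (/create, /f) map to True. Quoted arguments are kept intact."""
    tokens = re.findall(r'"[^"]*"|\S+', cmdline)
    opts, i = {}, 1                      # tokens[0] is the schtasks image itself
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            key = tok[1:].lower()
            nxt = tokens[i + 1] if i + 1 < len(tokens) else None
            if nxt is not None and not nxt.startswith("/"):
                opts[key] = nxt.strip('"')
                i += 2
                continue
            opts[key] = True
        i += 1
    return opts


def _int(value, default: int) -> int:
    try:
        return int(value)
    except (TypeError, ValueError):
        return default


def analyze(events: list) -> list:
    """Return one finding per suspicious event. 'high' needs a user-writable
    parent or target, or several persistence traits on one task."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        parent_untrusted = bool(parent and USER_WRITABLE.search(parent.image))
        name = e.image.rsplit("\\", 1)[-1].lower()
        if name == "powershell.exe":
            m = EXCLUSION_RE.search(e.cmdline)
            if not m:
                continue
            kind = m.group(1).capitalize()
            value = (m.group(2) if m.group(2) is not None else m.group(3)).strip()
            high = parent_untrusted or bool(USER_WRITABLE.search(value))
            findings.append({"pid": e.pid, "rule": "defender_exclusion", "kind": kind,
                             "value": value, "severity": "high" if high else "medium"})
        elif name == "schtasks.exe":
            opts = parse_schtasks(e.cmdline)
            if "create" not in opts:
                continue
            target = str(opts.get("tr", ""))
            every = _int(opts.get("mo"), 1)
            reasons = []
            if USER_WRITABLE.search(target):
                reasons.append("task target is in a user-writable directory")
            if str(opts.get("sc", "")).lower() == "minute" and every <= 5:
                reasons.append(f"re-executes every {every} minute(s)")
            if str(opts.get("rl", "")).upper() == "HIGHEST":
                reasons.append("requests the highest run level")
            if parent_untrusted:
                reasons.append("created by a process in a user-writable directory")
            if reasons:
                findings.append({"pid": e.pid, "rule": "scheduled_task", "task": opts.get("tn"),
                                 "target": target, "reasons": reasons,
                                 "severity": "high" if len(reasons) >= 2 else "medium"})
    return findings


# Constructed events mirroring the report's process tree.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\4a29205d5c7853d089ed8faebc6d412f0c58f782eba05d70b2a2cfc7ee3e2500.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SCHTASKS = r"C:\Windows\System32\schtasks.exe"


def _ps(args: str, bypass: bool = True) -> str:
    flags = "-ExecutionPolicy Bypass " if bypass else ""
    return f'"{PS}" {flags}{args}'


SAMPLE_EVENTS = [
    ProcEvent(228, 0, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(3696, 228, PS, _ps(f"Add-MpPreference -ExclusionPath '{SAMPLE}'")),
    ProcEvent(3548, 228, PS, _ps("Add-MpPreference -ExclusionProcess "
                                 "'4a29205d5c7853d089ed8faebc6d412f0c58f782eba05d70b2a2cfc7ee3e2500.exe'")),
    ProcEvent(4972, 228, PS, _ps(f"Add-MpPreference -ExclusionPath '{TEMP}\\NvidiaPanel.exe'")),
    ProcEvent(3832, 228, PS, _ps("Add-MpPreference -ExclusionProcess 'NvidiaPanel.exe'")),
    ProcEvent(4480, 228, SCHTASKS, f'"{SCHTASKS}" /create /f /RL HIGHEST /sc minute /mo 1 '
                                   f'/tn "NvidiaPanel" /tr "{TEMP}\\NvidiaPanel.exe"'),
    # Control (constructed): an admin excluding a backup agent from an interactive shell.
    ProcEvent(7000, 6000, PS,
              _ps(r"Add-MpPreference -ExclusionPath 'C:\Program Files\Backup\agent.exe'", bypass=False)),
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["rule"], f.get("value") or f.get("target"), f.get("reasons", ""))
```

Run stand-alone it prints one line per finding: the four exclusions and the task from the report score high, the control exclusion scores medium because neither its parent nor the excluded path lives in a user-writable directory. Parent-image context is what does the work here; Add-MpPreference on its own is routine admin activity, and the task is only damning because of the combination of a %Temp% target, a one-minute interval and /RL HIGHEST.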

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\NvidiaPanel.exe.log

    Filesize

    654B

    MD5

    2ff39f6c7249774be85fd60a8f9a245e

    SHA1

    684ff36b31aedc1e587c8496c02722c6698c1c4e

    SHA256

    e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

    SHA512

    1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

    Filesize

    2KB

    MD5

    d85ba6ff808d9e5444a4b369f5bc2730

    SHA1

    31aa9d96590fff6981b315e0b391b575e4c0804a

    SHA256

    84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

    SHA512

    8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    944B

    MD5

    28d4235aa2e6d782751f980ceb6e5021

    SHA1

    f5d82d56acd642b9fc4b963f684fd6b78f25a140

    SHA256

    8c66720f953e82cfbd8f00543c42c0cf77c3d97787ec09cb3e1e2ba5819bd638

    SHA512

    dba1bd6600f5affcfdc33a59e7ac853ee5fdfafb8d1407a1768728bd4f66ef6b49437214716b7e33e3de91d7ce95709050a3dab4354dd62acaf1de28107017a2

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    944B

    MD5

    e2efbfd23e33d8d07d019bdd9ca20649

    SHA1

    68d3b285c423d311bdf8dc53354f5f4000caf386

    SHA256

    f4386e3a103dafd6e85bebc2ad649069d168b4da8a0ded51b3ec96fa1408a828

    SHA512

    b7a961002557ff2efb785f756c9347e250392eab3dcb5168c67e89238e85368a41d0a5bdc94bfbbc192ba427c83e982234b3cf8824b166a69973f3f9df177443

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    944B

    MD5

    86abd1aab23e0e2c5fe0817106718acc

    SHA1

    0c11e238c90a9fd7745839c6de47464b7d6a64ec

    SHA256

    e467bab54bb543bb8d8ae559473346137002694b820b02890844db545f95ee1d

    SHA512

    cba38fc24ba75283fb067f253eb900d4f801c002c73d8c3c7b398d4858dafee491661d10ad1829750b993190961ad43c10cb91796e6c6a3a44bd6b45c49da321

  • C:\Users\Admin\AppData\Local\Temp\NvidiaPanel.exe

    Filesize

    75KB

    MD5

    2fdfdc28bc8f362cc5f8c011d42d0a1e

    SHA1

    67d6b431dfa75f02219dbee35c72f8d3636e21da

    SHA256

    4a29205d5c7853d089ed8faebc6d412f0c58f782eba05d70b2a2cfc7ee3e2500

    SHA512

    2694c1e44285d9e8d98e1b3762a6d83b27e4eaa0a5b71441e920154904aadde4b6d831c16ad573b2d978b57859c06d37f1eb8cdf48a4427489f04141c6bffb82

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_md1cg1nj.su4.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • memory/228-56-0x00007FF8010B3000-0x00007FF8010B5000-memory.dmp

    Filesize

    8KB

  • memory/228-0-0x00000000008A0000-0x00000000008BA000-memory.dmp

    Filesize

    104KB

  • memory/228-2-0x00007FF8010B0000-0x00007FF801B71000-memory.dmp

    Filesize

    10.8MB

  • memory/228-59-0x00007FF8010B0000-0x00007FF801B71000-memory.dmp

    Filesize

    10.8MB

  • memory/228-1-0x00007FF8010B3000-0x00007FF8010B5000-memory.dmp

    Filesize

    8KB

  • memory/3696-17-0x00007FF8010B0000-0x00007FF801B71000-memory.dmp

    Filesize

    10.8MB

  • memory/3696-10-0x00000196FAD90000-0x00000196FADB2000-memory.dmp

    Filesize

    136KB

  • memory/3696-4-0x00007FF8010B0000-0x00007FF801B71000-memory.dmp

    Filesize

    10.8MB

  • memory/3696-3-0x00007FF8010B0000-0x00007FF801B71000-memory.dmp

    Filesize

    10.8MB