Analysis
max time kernel: 560s
max time network: 562s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 30-05-2024 11:00
Behavioral tasks
behavioral1: sample Probiv.exe, resource win7-20240220-en
behavioral2: sample Probiv.exe, resource win10-20240404-en
behavioral3: sample Probiv.exe, resource win10v2004-20240426-en
behavioral4: sample Probiv.exe, resource win11-20240508-en
General
Target: Probiv.exe
Size: 67KB
MD5: 613288a7e55550e864d86191542d9177
SHA1: 22262078f189408184206777a67a64b9fb70e99a
SHA256: a9e49fdb9c43601c9e860d851f4d969550aaf43af8b84d178ea88257e8065a12
SHA512: 22dd638b808a34fa64d354135407e8ac952cd96ce37ede335b055d590dcd360b63462233c159c1859e17707bf413f507494cc3656555fc606de195976dd47006
SSDEEP: 1536:SmsKyHPhRopHbWTakbOzUyZX6I4wEON2GE:1OvbOoyb4wEONa
Malware Config
Extracted family: xworm
Host: registered-martial.gl.at.ply.gg:62460
Install_directory: %Temp%
install_file: XClient.exe
Signatures

Detect Xworm Payload (1 IoCs)
  Processes (resource, yara_rule):
    behavioral1/memory/2468-1-0x00000000008B0000-0x00000000008C8000-memory.dmp  family_xworm

Command and Scripting Interpreter: PowerShell (1 TTPs, 4 IoCs)
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  Processes (pid, process):
    2596 powershell.exe
    2652 powershell.exe
    2288 powershell.exe
    2896 powershell.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description, ioc, process):
    Set value (str)  \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XClient.exe"  Probiv.exe

Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow, ioc):
    4  ip-api.com

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (47 IoCs)
  Processes (pid, process):
    2596 powershell.exe
    2652 powershell.exe
    2288 powershell.exe
    2896 powershell.exe
    2468 Probiv.exe (43 entries)

Suspicious use of AdjustPrivilegeToken (9 IoCs)
  Processes (description, pid, process):
    Token: SeDebugPrivilege  2468 Probiv.exe
    Token: SeDebugPrivilege  2596 powershell.exe
    Token: SeDebugPrivilege  2652 powershell.exe
    Token: SeDebugPrivilege  2288 powershell.exe
    Token: SeDebugPrivilege  2896 powershell.exe
    Token: SeDebugPrivilege  2468 Probiv.exe
    Token: SeDebugPrivilege  1804 Probiv.exe
    Token: SeDebugPrivilege  3020 Probiv.exe
    Token: SeDebugPrivilege  1040 Probiv.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes (pid, process):
    2468 Probiv.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
    PID 2468 wrote to memory of 2596  2468 Probiv.exe -> powershell.exe (3 entries)
    PID 2468 wrote to memory of 2652  2468 Probiv.exe -> powershell.exe (3 entries)
    PID 2468 wrote to memory of 2288  2468 Probiv.exe -> powershell.exe (3 entries)
    PID 2468 wrote to memory of 2896  2468 Probiv.exe -> powershell.exe (3 entries)
Processes (indentation shows parent/child relationship)

C:\Users\Admin\AppData\Local\Temp\Probiv.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Probiv.exe"
  PID: 2468
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Probiv.exe'
      PID: 2596
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Probiv.exe'
      PID: 2652
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
      PID: 2288
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      PID: 2896
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\explorer.exe
  Command line: "C:\Windows\explorer.exe"
  PID: 2472

C:\Users\Admin\AppData\Local\Temp\Probiv.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Probiv.exe"
  PID: 1804
  - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Local\Temp\Probiv.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Probiv.exe"
  PID: 3020
  - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Local\Temp\Probiv.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Probiv.exe"
  PID: 1040
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 52056c8b41d68c10938a5a4af22aee10
  SHA1: 8e0d5822c8377224c33447d94a40bd95a7c0e732
  SHA256: 4bdfec0606191fa9e15b4edab2aae85013376c8abb5adb20e9216397e2e0689d
  SHA512: 6c071c727b4b3cbb4b8d26ed92eae198b70980c5de01c1661f4511d73daa96cbbe86ea65f773b23f7f4c61aab6f2b56f3b053b3aca7378e70e834bc0a69fe89d