Analysis
- max time kernel: 145s
- max time network: 146s
- platform: windows11-21h2_x64
- resource: win11-20240508-en
- resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 30-05-2024 11:00
Behavioral tasks
- behavioral1: Sample Probiv.exe, Resource win7-20240220-en
- behavioral2: Sample Probiv.exe, Resource win10-20240404-en
- behavioral3: Sample Probiv.exe, Resource win10v2004-20240426-en
- behavioral4: Sample Probiv.exe, Resource win11-20240508-en
General
- Target: Probiv.exe
- Size: 67KB
- MD5: 613288a7e55550e864d86191542d9177
- SHA1: 22262078f189408184206777a67a64b9fb70e99a
- SHA256: a9e49fdb9c43601c9e860d851f4d969550aaf43af8b84d178ea88257e8065a12
- SHA512: 22dd638b808a34fa64d354135407e8ac952cd96ce37ede335b055d590dcd360b63462233c159c1859e17707bf413f507494cc3656555fc606de195976dd47006
- SSDEEP: 1536:SmsKyHPhRopHbWTakbOzUyZX6I4wEON2GE:1OvbOoyb4wEONa
Malware Config
Extracted family: xworm
- registered-martial.gl.at.ply.gg:62460
- Install_directory: %Temp%
- install_file: XClient.exe
Signatures
- Detect Xworm Payload (1 IoC)
  Processes (resource, yara_rule): behavioral4/memory/4880-1-0x00000000009A0000-0x00000000009B8000-memory.dmp family_xworm
- Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)
  Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  Processes (pid, process): 1576 powershell.exe; 4608 powershell.exe; 2464 powershell.exe; 2884 powershell.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description, ioc, process): Set value (str) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XClient.exe" by Probiv.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Network (flow, ioc): 1 ip-api.com
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (9 IoCs)
  Processes (pid, process): 1576 powershell.exe (x2); 4608 powershell.exe (x2); 2464 powershell.exe (x2); 2884 powershell.exe (x2); 4880 Probiv.exe
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes (description, pid, process): Token: SeDebugPrivilege 4880 Probiv.exe; Token: SeDebugPrivilege 1576 powershell.exe; Token: SeDebugPrivilege 4608 powershell.exe; Token: SeDebugPrivilege 2464 powershell.exe; Token: SeDebugPrivilege 2884 powershell.exe; Token: SeDebugPrivilege 4880 Probiv.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (pid, process): 4880 Probiv.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description, pid, process, target process): PID 4880 (Probiv.exe) wrote to memory of 1576 (powershell.exe) x2; PID 4880 (Probiv.exe) wrote to memory of 4608 (powershell.exe) x2; PID 4880 (Probiv.exe) wrote to memory of 2464 (powershell.exe) x2; PID 4880 (Probiv.exe) wrote to memory of 2884 (powershell.exe) x2
Processes
- C:\Users\Admin\AppData\Local\Temp\Probiv.exe (PID 4880, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Probiv.exe"
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1576, level 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Probiv.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4608, level 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Probiv.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2464, level 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2884, level 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads