Analysis
- max time kernel: 150s
- max time network: 148s
- platform: windows10-1703_x64
- resource: win10-20240404-en
- resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 30-05-2024 10:51

Behavioral task: behavioral1
- Sample: dde.exe
- Resource: win10-20240404-en
General
- Target: dde.exe
- Size: 71KB
- MD5: d5af9923e3015fc2cd381797720e84ec
- SHA1: 8a11d55d97ad484897fd8da7c7e36543184ef23d
- SHA256: 7f71385d6a2745866497ffd421c23698a4ba6e0be811d5728d7c0318539ae607
- SHA512: 11fc191532a6a8a643531aeb90b30a18830bb904b898cb66d6e068cd887b0658b3e6edc75a6c2c622fe0bc0329fac720af43a933a724ccab4c27fa92865307cb
- SSDEEP: 1536:FTIATUQ2TVMAQuPjcg0OPhb8YUzQjDb6TyBmcOrdzBLvVKhy2:FPuaAPPqOpb88jD0yJOhBzQz
Malware Config
Extracted: xworm
- registered-martial.gl.at.ply.gg:62460
- Install_directory: %Temp%
- install_file: XClient.exe
Signatures

Detect Xworm Payload 2 IoCs
Processes:
- resource: behavioral1/memory/3308-1-0x00000000009E0000-0x00000000009F8000-memory.dmp; yara_rule: family_xworm
- resource: C:\Users\Admin\AppData\Local\Temp\XClient.exe; yara_rule: family_xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
- pid 1000: powershell.exe
- pid 1104: powershell.exe
- pid 2308: powershell.exe
- pid 4720: powershell.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
- description: Set value (str); ioc: \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XClient.exe"; process: dde.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
- flow 1; ioc: ip-api.com
Drops file in Windows directory 2 IoCs
Processes:
- description: File created; ioc: C:\Windows\rescache\_merged\4183903823\2290032291.pri; process: taskmgr.exe
- description: File created; ioc: C:\Windows\rescache\_merged\1601268389\715946058.pri; process: taskmgr.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
- description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000; process: taskmgr.exe
- description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A; process: taskmgr.exe
- description: Key value queried; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName; process: taskmgr.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (repeated entries for the same pid collapsed; 64 entries in total per the signature header):
- pid 1000: powershell.exe
- pid 1104: powershell.exe
- pid 2308: powershell.exe
- pid 4720: powershell.exe
- pid 3308: dde.exe
- pid 4712: taskmgr.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
- pid 3308 dde.exe: Token: SeDebugPrivilege
- pid 1000 powershell.exe: Token: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- pid 1104 powershell.exe: Token: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- pid 2308 powershell.exe: Token: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33 (listing cut off at the 64-entry limit)
Suspicious use of FindShellTrayWindow 44 IoCs
Processes:
- pid 4712: taskmgr.exe (44 entries)
Suspicious use of SendNotifyMessage 44 IoCs
Processes:
- pid 4712: taskmgr.exe (44 entries)
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
- pid 3308: dde.exe
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
- PID 3308 wrote to memory of 1000; process: dde.exe; target process: powershell.exe (2 entries)
- PID 3308 wrote to memory of 1104; process: dde.exe; target process: powershell.exe (2 entries)
- PID 3308 wrote to memory of 2308; process: dde.exe; target process: powershell.exe (2 entries)
- PID 3308 wrote to memory of 4720; process: dde.exe; target process: powershell.exe (2 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\dde.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\dde.exe"
  PID: 3308
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dde.exe'
    PID: 1000
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'dde.exe'
    PID: 1104
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
    PID: 2308
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    PID: 4720
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 504
- C:\Users\Admin\AppData\Local\Temp\dde.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\dde.exe"
  PID: 4676
- C:\Users\Admin\AppData\Local\Temp\dde.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\dde.exe"
  PID: 1348
- C:\Users\Admin\AppData\Local\Temp\dde.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\dde.exe"
  PID: 2136
- C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  PID: 4712
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 654B
  MD5: 16c5fce5f7230eea11598ec11ed42862
  SHA1: 75392d4824706090f5e8907eee1059349c927600
  SHA256: 87ba77c13905298acbac72be90949c4fe0755b6eff9777615aa37f252515f151
  SHA512: 153edd6da59beea6cc411ed7383c32916425d6ebb65f04c65aab7c1d6b25443d143aa8449aa92149de0ad8a975f6ecaa60f9f7574536eec6b38fe5fd3a6c6adc
- Filesize: 3KB
  MD5: ad5cd538ca58cb28ede39c108acb5785
  SHA1: 1ae910026f3dbe90ed025e9e96ead2b5399be877
  SHA256: c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033
  SHA512: c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13
- Filesize: 1KB
  MD5: 7d945eba6be7a48afb6f8a29c03b33bf
  SHA1: c8efdf30b07d7df3ee09307b7fc7fba536f67b38
  SHA256: 420d68de51d5a84752893b6ddfa25a214eaffa4534f9648d80411434a946cbc6
  SHA512: 4fd88fa37901bef3a9eaeeaad754be94b3b39ddc2fb43bbbf28e2f2e18f3912626f0ac4748b1360b049f34a013ad37be203d62b74359765fc550e8d73280a7a4
- Filesize: 1KB
  MD5: dde2ecae6449edcea6c29ae9e1f0f66e
  SHA1: 215c8519e5f781a6df1efac38f3ca618f48aeee6
  SHA256: 89dac7cc6a5910f29b9c202dca2107b45c2b16c4b414bc5e053c95317d1117a5
  SHA512: 48a49d5eddccd07d7ffc63feb40476db3773580c67a226bce0b01e0fc33bb9b5c4204ea223c161e5d29b106ba745b9894bd36d27f7abc8895e8c631142953caa
- Filesize: 1KB
  MD5: 86540a0c5e167e40926a4a794714b54d
  SHA1: 4e5307f3d83ee3ff3d3ec1400d62d1a945dc425a
  SHA256: b4f3f14f03e953894c3306fa07e776ef16f96ada85b4ca6f587cb6dfb9569b0c
  SHA512: 506fea68ccc3bb8c990cf9beea8f3b84a4186cce0f28a3e3f1236d434d23877bbc704c9e8435f8ab95a3dac97b554bb60ea6d98b43d2890463d1b36a67897a02
- Filesize: 71KB (same hashes as the submitted sample dde.exe)
  MD5: d5af9923e3015fc2cd381797720e84ec
  SHA1: 8a11d55d97ad484897fd8da7c7e36543184ef23d
  SHA256: 7f71385d6a2745866497ffd421c23698a4ba6e0be811d5728d7c0318539ae607
  SHA512: 11fc191532a6a8a643531aeb90b30a18830bb904b898cb66d6e068cd887b0658b3e6edc75a6c2c622fe0bc0329fac720af43a933a724ccab4c27fa92865307cb
- Filesize: 1B
  MD5: c4ca4238a0b923820dcc509a6f75849b
  SHA1: 356a192b7913b04c54574d18c28d46e6395428ab
  SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
  SHA512: 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a