Analysis
- max time kernel: 120s
- max time network: 141s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 30-05-2024 12:00
Behavioral tasks
- behavioral1: sample "Tashkent Drive Edition.exe", resource win7-20240221-en
- behavioral2: sample "Tashkent Drive Edition.exe", resource win10v2004-20240508-en
General
- Target: Tashkent Drive Edition.exe
- Size: 144KB
- MD5: 302a161addf4cad7c6f078b7c5ad916a
- SHA1: 01450a35f72a6db951fb07fce749508f8aafe153
- SHA256: be98f5ab32e873468f2ba2fb45215468b0157f7fe894d9af98313444ec945ef6
- SHA512: 0c60134a2189554e6d47ef0e4845fe2d661b1d7a021bd530b8a323a2496fa7958dad31feb0022348b9c655a4aac4a9a67b13a1adafcac454a4346fa50796d8bd
- SSDEEP: 1536:HVK6scO5JV+3tOBPvfbVEaf0Qcf9sm65rvO8S6ROzFkcil31gYDbd:1KRRV+3tOB3fbKXK9vO56kUG6
Malware Config
Extracted family: xworm
- C2: 127.0.0.1:53750
- C2: involved-delete.gl.at.ply.gg:53750
- Install_directory: %AppData%
- install_file: svchost.exe
Signatures

Detect Xworm Payload (3 IoCs)
Processes (resource: yara_rule):
- behavioral1/memory/2244-1-0x0000000001210000-0x000000000123A000-memory.dmp: family_xworm
- C:\Users\Admin\AppData\Roaming\svchost.exe: family_xworm
- behavioral1/memory/1680-36-0x00000000013C0000-0x00000000013EA000-memory.dmp: family_xworm

Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Processes (pid: process):
- 2460: powershell.exe
- 2440: powershell.exe
- 2408: powershell.exe
- 2764: powershell.exe

Drops startup file (2 IoCs)
Processes (description, ioc, process):
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk (Tashkent Drive Edition.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk (Tashkent Drive Edition.exe)

Executes dropped EXE (2 IoCs)
Processes (pid: process):
- 1680: svchost.exe
- 1532: svchost.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes (description, ioc, process):
- Set value (str): \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" (Tashkent Drive Edition.exe)

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow: ioc):
- 4: ip-api.com

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes (pid: process):
- 2764: powershell.exe
- 2460: powershell.exe
- 2440: powershell.exe
- 2408: powershell.exe
- 2244: Tashkent Drive Edition.exe

Suspicious use of AdjustPrivilegeToken (8 IoCs)
Processes (description, pid, process):
- Token: SeDebugPrivilege, 2244, Tashkent Drive Edition.exe
- Token: SeDebugPrivilege, 2764, powershell.exe
- Token: SeDebugPrivilege, 2460, powershell.exe
- Token: SeDebugPrivilege, 2440, powershell.exe
- Token: SeDebugPrivilege, 2408, powershell.exe
- Token: SeDebugPrivilege, 2244, Tashkent Drive Edition.exe
- Token: SeDebugPrivilege, 1680, svchost.exe
- Token: SeDebugPrivilege, 1532, svchost.exe

Suspicious use of SetWindowsHookEx (1 IoC)
Processes (pid: process):
- 2244: Tashkent Drive Edition.exe

Suspicious use of WriteProcessMemory (21 IoCs)
Processes (source pid, source process -> target pid, target process; each event is recorded three times in the report):
- 2244 Tashkent Drive Edition.exe -> 2764 powershell.exe (x3)
- 2244 Tashkent Drive Edition.exe -> 2460 powershell.exe (x3)
- 2244 Tashkent Drive Edition.exe -> 2440 powershell.exe (x3)
- 2244 Tashkent Drive Edition.exe -> 2408 powershell.exe (x3)
- 2244 Tashkent Drive Edition.exe -> 1740 schtasks.exe (x3)
- 1692 taskeng.exe -> 1680 svchost.exe (x3)
- 1692 taskeng.exe -> 1532 svchost.exe (x3)

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (tree; command lines as recorded by the sandbox)
- C:\Users\Admin\AppData\Local\Temp\Tashkent Drive Edition.exe (PID 2244)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Tashkent Drive Edition.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2764)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Tashkent Drive Edition.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2460)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Tashkent Drive Edition.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2440)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2408)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\schtasks.exe (PID 1740)
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
    - Creates scheduled task(s)
- C:\Windows\system32\taskeng.exe (PID 1692)
  Command line: taskeng.exe {7D51111B-B83A-4D96-96A0-0C32CB88459B} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\svchost.exe (PID 1680)
    Command line: C:\Users\Admin\AppData\Roaming\svchost.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Roaming\svchost.exe (PID 1532)
    Command line: C:\Users\Admin\AppData\Roaming\svchost.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 00b0c459d7b4750c461748af21b3dc08
  SHA1: c0ce2f8b612d1cd2457c2359bc412c196334ba87
  SHA256: 490d8d2918690e181c414c3d716489eba6ddb36f1922d3132933015910b9beaf
  SHA512: dc753c3518baa291e19d5269e6ab9360c27be3d756958c0093f04dcb5e47d4b934040b9061a32047284a811d13fbe2c64b55c70da9c83907a9f9aca8fb7d74bd
- (no filename recorded; hashes match the submitted sample)
  Filesize: 144KB
  MD5: 302a161addf4cad7c6f078b7c5ad916a
  SHA1: 01450a35f72a6db951fb07fce749508f8aafe153
  SHA256: be98f5ab32e873468f2ba2fb45215468b0157f7fe894d9af98313444ec945ef6
  SHA512: 0c60134a2189554e6d47ef0e4845fe2d661b1d7a021bd530b8a323a2496fa7958dad31feb0022348b9c655a4aac4a9a67b13a1adafcac454a4346fa50796d8bd
- (no filename or size recorded; these are the hashes of zero-length input)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e