Analysis
max time kernel: 65s
max time network: 69s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 30-05-2024 13:12
Behavioral task behavioral1: Sample 12.exe, Resource win7-20240419-en
Behavioral task behavioral2: Sample 12.exe, Resource win10v2004-20240426-en
General
Target: 12.exe
Size: 60KB
MD5: 912c5ade2dc17f825036e94fdd85b063
SHA1: 7ac8e63df65e14b4d4d4beca2204418485fa3cfa
SHA256: b333067f0a6a6b025855c409b291cea8bf7bf8056ac31c1b64d04cc257f60dc6
SHA512: d3b2f6b3b111804ac5235180b1bd859140fa34e0ff47b7689d6ea719de017d98c8971adfc9efdcecbd688a12c22d358896538b4a54b9739cb95003da348fd9ed
SSDEEP: 1536:5WkxdnRY2jXz0DjhzHIV2/O1dnR/kCNkbf5xFgnQNURUOLCiF:5W2dnRYYIDVa22LnR/TkbfPtOLhF
Malware Config
Extracted
Family: xworm
C2: t-screening.gl.at.ply.gg:11852
Install_directory: %Userprofile%
install_file: ww.exe
Signatures

Detect Xworm Payload (3 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/2456-1-0x00000000013A0000-0x00000000013B6000-memory.dmp | family_xworm
C:\Users\Admin\ww.exe | family_xworm
behavioral1/memory/2756-13-0x0000000000F10000-0x0000000000F26000-memory.dmp | family_xworm
Drops startup file (2 IoCs)
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ww.lnk | 12.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ww.lnk | 12.exe
Executes dropped EXE (1 IoCs)
Processes:
pid | process
2756 | ww.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\ww = "C:\\Users\\Admin\\ww.exe" | 12.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 2456 | 12.exe
Token: SeDebugPrivilege | 2456 | 12.exe
Token: SeDebugPrivilege | 2756 | ww.exe
Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
description | pid | process | target process
PID 2456 wrote to memory of 1808 | 2456 | 12.exe | schtasks.exe
PID 2456 wrote to memory of 1808 | 2456 | 12.exe | schtasks.exe
PID 2456 wrote to memory of 1808 | 2456 | 12.exe | schtasks.exe
PID 2644 wrote to memory of 2756 | 2644 | taskeng.exe | ww.exe
PID 2644 wrote to memory of 2756 | 2644 | taskeng.exe | ww.exe
PID 2644 wrote to memory of 2756 | 2644 | taskeng.exe | ww.exe
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\12.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\12.exe"
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2456

    C:\Windows\System32\schtasks.exe
        Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "ww" /tr "C:\Users\Admin\ww.exe"
        - Creates scheduled task(s)
        PID: 1808

C:\Windows\system32\taskeng.exe
    Command line: taskeng.exe {ED595FFE-3DBA-493D-9298-808773C2D60F} S-1-5-21-481678230-3773327859-3495911762-1000:UIBNQNMA\Admin:Interactive:[1]
    - Suspicious use of WriteProcessMemory
    PID: 2644

    C:\Users\Admin\ww.exe
        Command line: C:\Users\Admin\ww.exe
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        PID: 2756
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 60KB
MD5: 912c5ade2dc17f825036e94fdd85b063
SHA1: 7ac8e63df65e14b4d4d4beca2204418485fa3cfa
SHA256: b333067f0a6a6b025855c409b291cea8bf7bf8056ac31c1b64d04cc257f60dc6
SHA512: d3b2f6b3b111804ac5235180b1bd859140fa34e0ff47b7689d6ea719de017d98c8971adfc9efdcecbd688a12c22d358896538b4a54b9739cb95003da348fd9ed