Analysis
max time kernel: 62s
max time network: 64s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-05-2024 13:12
Behavioral task behavioral1: Sample 12.exe, Resource win7-20240419-en
Behavioral task behavioral2: Sample 12.exe, Resource win10v2004-20240426-en
General
Target: 12.exe
Size: 60KB
MD5: 912c5ade2dc17f825036e94fdd85b063
SHA1: 7ac8e63df65e14b4d4d4beca2204418485fa3cfa
SHA256: b333067f0a6a6b025855c409b291cea8bf7bf8056ac31c1b64d04cc257f60dc6
SHA512: d3b2f6b3b111804ac5235180b1bd859140fa34e0ff47b7689d6ea719de017d98c8971adfc9efdcecbd688a12c22d358896538b4a54b9739cb95003da348fd9ed
SSDEEP: 1536:5WkxdnRY2jXz0DjhzHIV2/O1dnR/kCNkbf5xFgnQNURUOLCiF:5W2dnRYYIDVa22LnR/TkbfPtOLhF
Malware Config
Extracted
Family: xworm
C2: t-screening.gl.at.ply.gg:11852
Install_directory: %Userprofile%
install_file: ww.exe
Signatures

Detect Xworm Payload (2 IoCs)
Processes:
resource | yara_rule
behavioral2/memory/1592-1-0x00000000002F0000-0x0000000000306000-memory.dmp | family_xworm
C:\Users\Admin\ww.exe | family_xworm

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: 12.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | 12.exe

Drops startup file (2 IoCs)
Processes: 12.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ww.lnk | 12.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ww.lnk | 12.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes: 12.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ww = "C:\\Users\\Admin\\ww.exe" | 12.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: taskmgr.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (36 IoCs)
Processes: taskmgr.exe
pid | process
3712 | taskmgr.exe (36 occurrences)

Suspicious use of AdjustPrivilegeToken (7 IoCs)
Processes: 12.exe, taskmgr.exe
description | pid | process
Token: SeDebugPrivilege | 1592 | 12.exe
Token: SeDebugPrivilege | 1592 | 12.exe
Token: SeDebugPrivilege | 3712 | taskmgr.exe
Token: SeSystemProfilePrivilege | 3712 | taskmgr.exe
Token: SeCreateGlobalPrivilege | 3712 | taskmgr.exe
Token: 33 | 3712 | taskmgr.exe
Token: SeIncBasePriorityPrivilege | 3712 | taskmgr.exe

Suspicious use of FindShellTrayWindow (62 IoCs)
Processes: taskmgr.exe
pid | process
3712 | taskmgr.exe (62 occurrences)

Suspicious use of SendNotifyMessage (62 IoCs)
Processes: taskmgr.exe
pid | process
3712 | taskmgr.exe (62 occurrences)

Suspicious use of WriteProcessMemory (2 IoCs)
Processes: 12.exe
description | pid | process | target process
PID 1592 wrote to memory of 1580 | 1592 | 12.exe | schtasks.exe
PID 1592 wrote to memory of 1580 | 1592 | 12.exe | schtasks.exe

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\12.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\12.exe"
  PID: 1592
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\schtasks.exe (child of PID 1592)
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "ww" /tr "C:\Users\Admin\ww.exe"
    PID: 1580
    - Creates scheduled task(s)

C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  PID: 3712
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
Downloads

Filesize: 751B
MD5: e3fa2e1d660da6acc17aec63c563e32b
SHA1: 6f87743e3a605985603c02344024201fd2c27bb1
SHA256: 579130709f34f2bc32b0694f22015f478b8754cf8c5ec68bbf783b6f56273c2e
SHA512: 2fb4b87202a432719adf794c7a2041d37702fcd3deacfc85023d1a68153def984965fc6feeaf41d9aef49ac3c5a34666bc1a0903c7eab71ab4b00f21792b0e99

Filesize: 60KB
MD5: 912c5ade2dc17f825036e94fdd85b063
SHA1: 7ac8e63df65e14b4d4d4beca2204418485fa3cfa
SHA256: b333067f0a6a6b025855c409b291cea8bf7bf8056ac31c1b64d04cc257f60dc6
SHA512: d3b2f6b3b111804ac5235180b1bd859140fa34e0ff47b7689d6ea719de017d98c8971adfc9efdcecbd688a12c22d358896538b4a54b9739cb95003da348fd9ed