Analysis
max time kernel: 599s
max time network: 578s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 30-05-2024 13:14
Behavioral task: behavioral1
Sample: 12.exe
Resource: win7-20240508-en

Behavioral task: behavioral2
Sample: 12.exe
Resource: win10v2004-20240508-en
General
Target: 12.exe
Size: 60KB
MD5: 912c5ade2dc17f825036e94fdd85b063
SHA1: 7ac8e63df65e14b4d4d4beca2204418485fa3cfa
SHA256: b333067f0a6a6b025855c409b291cea8bf7bf8056ac31c1b64d04cc257f60dc6
SHA512: d3b2f6b3b111804ac5235180b1bd859140fa34e0ff47b7689d6ea719de017d98c8971adfc9efdcecbd688a12c22d358896538b4a54b9739cb95003da348fd9ed
SSDEEP: 1536:5WkxdnRY2jXz0DjhzHIV2/O1dnR/kCNkbf5xFgnQNURUOLCiF:5W2dnRYYIDVa22LnR/TkbfPtOLhF
Malware Config
Extracted: xworm
t-screening.gl.at.ply.gg:11852
Install_directory: %Userprofile%
install_file: ww.exe
Signatures

Detect Xworm Payload (8 IoCs)
Processes:
resource  yara_rule
behavioral1/memory/1732-1-0x0000000000090000-0x00000000000A6000-memory.dmp  family_xworm
C:\Users\Admin\ww.exe  family_xworm
behavioral1/memory/2652-11-0x0000000000EF0000-0x0000000000F06000-memory.dmp  family_xworm
behavioral1/memory/336-15-0x0000000001380000-0x0000000001396000-memory.dmp  family_xworm
behavioral1/memory/1916-17-0x0000000000380000-0x0000000000396000-memory.dmp  family_xworm
behavioral1/memory/1112-19-0x0000000000B10000-0x0000000000B26000-memory.dmp  family_xworm
behavioral1/memory/1952-21-0x0000000001100000-0x0000000001116000-memory.dmp  family_xworm
behavioral1/memory/600-27-0x00000000000F0000-0x0000000000106000-memory.dmp  family_xworm

Drops startup file (2 IoCs)
Processes: 12.exe
description  ioc  process
File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ww.lnk  12.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ww.lnk  12.exe

Executes dropped EXE (10 IoCs)
Processes: ww.exe
pid  process
2652  ww.exe
336  ww.exe
1916  ww.exe
1112  ww.exe
1952  ww.exe
2988  ww.exe
1236  ww.exe
1604  ww.exe
2588  ww.exe
600  ww.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes: 12.exe
description  ioc  process
Set value (str)  \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\ww = "C:\\Users\\Admin\\ww.exe"  12.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious use of AdjustPrivilegeToken (12 IoCs)
Processes: 12.exe, ww.exe
description  pid  process
Token: SeDebugPrivilege  1732  12.exe
Token: SeDebugPrivilege  1732  12.exe
Token: SeDebugPrivilege  2652  ww.exe
Token: SeDebugPrivilege  336  ww.exe
Token: SeDebugPrivilege  1916  ww.exe
Token: SeDebugPrivilege  1112  ww.exe
Token: SeDebugPrivilege  1952  ww.exe
Token: SeDebugPrivilege  2988  ww.exe
Token: SeDebugPrivilege  1236  ww.exe
Token: SeDebugPrivilege  1604  ww.exe
Token: SeDebugPrivilege  2588  ww.exe
Token: SeDebugPrivilege  600  ww.exe

Suspicious use of WriteProcessMemory (33 IoCs)
Processes: 12.exe, taskeng.exe
description  pid  process  target process
PID 1732 wrote to memory of 2992  1732  12.exe  schtasks.exe
PID 1732 wrote to memory of 2992  1732  12.exe  schtasks.exe
PID 1732 wrote to memory of 2992  1732  12.exe  schtasks.exe
PID 2500 wrote to memory of 2652  2500  taskeng.exe  ww.exe
PID 2500 wrote to memory of 2652  2500  taskeng.exe  ww.exe
PID 2500 wrote to memory of 2652  2500  taskeng.exe  ww.exe
PID 2500 wrote to memory of 336  2500  taskeng.exe  ww.exe
PID 2500 wrote to memory of 336  2500  taskeng.exe  ww.exe
PID 2500 wrote to memory of 336  2500  taskeng.exe  ww.exe
PID 2500 wrote to memory of 1916  2500  taskeng.exe  ww.exe
PID 2500 wrote to memory of 1916  2500  taskeng.exe  ww.exe
PID 2500 wrote to memory of 1916  2500  taskeng.exe  ww.exe
PID 2500 wrote to memory of 1112  2500  taskeng.exe  ww.exe
PID 2500 wrote to memory of 1112  2500  taskeng.exe  ww.exe
PID 2500 wrote to memory of 1112  2500  taskeng.exe  ww.exe
PID 2500 wrote to memory of 1952  2500  taskeng.exe  ww.exe
PID 2500 wrote to memory of 1952  2500  taskeng.exe  ww.exe
PID 2500 wrote to memory of 1952  2500  taskeng.exe  ww.exe
PID 2500 wrote to memory of 2988  2500  taskeng.exe  ww.exe
PID 2500 wrote to memory of 2988  2500  taskeng.exe  ww.exe
PID 2500 wrote to memory of 2988  2500  taskeng.exe  ww.exe
PID 2500 wrote to memory of 1236  2500  taskeng.exe  ww.exe
PID 2500 wrote to memory of 1236  2500  taskeng.exe  ww.exe
PID 2500 wrote to memory of 1236  2500  taskeng.exe  ww.exe
PID 2500 wrote to memory of 1604  2500  taskeng.exe  ww.exe
PID 2500 wrote to memory of 1604  2500  taskeng.exe  ww.exe
PID 2500 wrote to memory of 1604  2500  taskeng.exe  ww.exe
PID 2500 wrote to memory of 2588  2500  taskeng.exe  ww.exe
PID 2500 wrote to memory of 2588  2500  taskeng.exe  ww.exe
PID 2500 wrote to memory of 2588  2500  taskeng.exe  ww.exe
PID 2500 wrote to memory of 600  2500  taskeng.exe  ww.exe
PID 2500 wrote to memory of 600  2500  taskeng.exe  ww.exe
PID 2500 wrote to memory of 600  2500  taskeng.exe  ww.exe

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\12.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\12.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1732

  C:\Windows\System32\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "ww" /tr "C:\Users\Admin\ww.exe"
    - Creates scheduled task(s)
    PID: 2992

C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {8D4C6E91-67BA-42DB-BF9C-8DDE79B39B12} S-1-5-21-2737914667-933161113-3798636211-1000:PUMARTNR\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  PID: 2500

  C:\Users\Admin\ww.exe
    Command line: C:\Users\Admin\ww.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 2652

  C:\Users\Admin\ww.exe
    Command line: C:\Users\Admin\ww.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 336

  C:\Users\Admin\ww.exe
    Command line: C:\Users\Admin\ww.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 1916

  C:\Users\Admin\ww.exe
    Command line: C:\Users\Admin\ww.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 1112

  C:\Users\Admin\ww.exe
    Command line: C:\Users\Admin\ww.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 1952

  C:\Users\Admin\ww.exe
    Command line: C:\Users\Admin\ww.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 2988

  C:\Users\Admin\ww.exe
    Command line: C:\Users\Admin\ww.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 1236

  C:\Users\Admin\ww.exe
    Command line: C:\Users\Admin\ww.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 1604

  C:\Users\Admin\ww.exe
    Command line: C:\Users\Admin\ww.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 2588

  C:\Users\Admin\ww.exe
    Command line: C:\Users\Admin\ww.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 600
MITRE ATT&CK Enterprise v15