Analysis
max time kernel: 146s
max time network: 150s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 30-05-2024 14:49
Behavioral task: behavioral1
Sample: читы.exe
Resource: win7-20231129-en
Behavioral task: behavioral2
Sample: читы.exe
Resource: win10v2004-20240508-en
General
Target: читы.exe
Size: 102KB
MD5: 58174445e23753c941d39dc0453ac348
SHA1: 40e3a9047c49cbae6818297adcd03896d28364c2
SHA256: 1e5034d37e7751fb4039157219aee679bf76a8d3b0185a86c0d2255477a58171
SHA512: 523ef9adae27b83d87166be13e87944d3816cad08103b65ae2c964bf8828c0c949030e9e967d56b2bf40bba5b9466f8e4d21ccc220892c5f9365e2dd221fe072
SSDEEP: 1536:oBFpc8Z5dGYzabvawh+/C6vSX/QOcy/WPPqUs/uoDjSBSc7UtYVL:oa85dGCabvaw4/moOcy/R/1W0cgteL
Malware Config
Extracted
xworm
19.ip.gl.ply.gg:65468
speed-wheat.gl.at.ply.gg:65468
XWorm V5.2:123
Install_directory: %AppData%
install_file: Delta.exe
Signatures

Detect Xworm Payload (4 IoCs)
Processes (resource, yara_rule):
- behavioral1/memory/2328-1-0x00000000009C0000-0x00000000009E0000-memory.dmp: family_xworm
- C:\Users\Admin\AppData\Roaming\Delta.exe: family_xworm
- behavioral1/memory/2512-36-0x0000000001210000-0x0000000001230000-memory.dmp: family_xworm
- behavioral1/memory/2732-39-0x00000000001F0000-0x0000000000210000-memory.dmp: family_xworm

Command and Scripting Interpreter: PowerShell (1 TTPs, 4 IoCs)
Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes (pid, process):
- 1672 powershell.exe
- 2268 powershell.exe
- 2668 powershell.exe
- 2444 powershell.exe

Drops startup file (2 IoCs)
Processes (description, ioc, process):
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Delta.lnk (читы.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Delta.lnk (читы.exe)

Executes dropped EXE (2 IoCs)
Processes (pid, process):
- 2512 Delta.exe
- 2732 Delta.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes (description, ioc, process):
- Set value (str): \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Delta = "C:\\Users\\Admin\\AppData\\Roaming\\Delta.exe" (читы.exe)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes (pid, process):
- 1672 powershell.exe
- 2268 powershell.exe
- 2668 powershell.exe
- 2444 powershell.exe
- 2328 читы.exe

Suspicious use of AdjustPrivilegeToken (8 IoCs)
Processes (description, pid, process):
- Token: SeDebugPrivilege, 2328 читы.exe
- Token: SeDebugPrivilege, 1672 powershell.exe
- Token: SeDebugPrivilege, 2268 powershell.exe
- Token: SeDebugPrivilege, 2668 powershell.exe
- Token: SeDebugPrivilege, 2444 powershell.exe
- Token: SeDebugPrivilege, 2328 читы.exe
- Token: SeDebugPrivilege, 2512 Delta.exe
- Token: SeDebugPrivilege, 2732 Delta.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes (pid, process):
- 2328 читы.exe

Suspicious use of WriteProcessMemory (21 IoCs)
Processes (description, pid, process, target process); each entry was recorded three times in the report:
- PID 2328 wrote to memory of 1672: читы.exe -> powershell.exe (3 entries)
- PID 2328 wrote to memory of 2268: читы.exe -> powershell.exe (3 entries)
- PID 2328 wrote to memory of 2668: читы.exe -> powershell.exe (3 entries)
- PID 2328 wrote to memory of 2444: читы.exe -> powershell.exe (3 entries)
- PID 2328 wrote to memory of 2500: читы.exe -> schtasks.exe (3 entries)
- PID 320 wrote to memory of 2512: taskeng.exe -> Delta.exe (3 entries)
- PID 320 wrote to memory of 2732: taskeng.exe -> Delta.exe (3 entries)

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

- C:\Users\Admin\AppData\Local\Temp\читы.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\читы.exe"
  PID: 2328
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\читы.exe'
    PID: 1672
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'читы.exe'
    PID: 2268
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Delta.exe'
    PID: 2668
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Delta.exe'
    PID: 2444
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Delta" /tr "C:\Users\Admin\AppData\Roaming\Delta.exe"
    PID: 2500
    - Creates scheduled task(s)

- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {2F6C944B-2357-476A-8200-1473CADF52DC} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]
  PID: 320
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Roaming\Delta.exe
    Command line: C:\Users\Admin\AppData\Roaming\Delta.exe
    PID: 2512
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Roaming\Delta.exe
    Command line: C:\Users\Admin\AppData\Roaming\Delta.exe
    PID: 2732
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

- (submitted sample; same hashes as listed under General)
  Filesize: 102KB
  MD5: 58174445e23753c941d39dc0453ac348
  SHA1: 40e3a9047c49cbae6818297adcd03896d28364c2
  SHA256: 1e5034d37e7751fb4039157219aee679bf76a8d3b0185a86c0d2255477a58171
  SHA512: 523ef9adae27b83d87166be13e87944d3816cad08103b65ae2c964bf8828c0c949030e9e967d56b2bf40bba5b9466f8e4d21ccc220892c5f9365e2dd221fe072

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 4a00b4ff3694143cbf99205e78f93336
  SHA1: 86ce97577352a19a9fa67a08c0dcece5b0f0104b
  SHA256: 4e47ac0e20472d4452eb8c6ace90649e73d0af2ba1df7787c68390496b065741
  SHA512: 646b83267b4f04213ca978f301deea1daf6e7f2a388452837724497644ac1421a5762f9f42ff50ec348b23b8f03e406420185f2594b320ff99e56353ba0c688b