Analysis
max time kernel: 148s
max time network: 153s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 30-05-2024 14:48

Behavioral task: behavioral1
Sample: 1ddab0ffb27f81d57aa99aff590c9a603157724362315228bd47914be4dbf6d2.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: 1ddab0ffb27f81d57aa99aff590c9a603157724362315228bd47914be4dbf6d2.exe
Resource: win10v2004-20240226-en
General
Target: 1ddab0ffb27f81d57aa99aff590c9a603157724362315228bd47914be4dbf6d2.exe
Size: 82KB
MD5: b107fbdbd7e5a97172b3974216a78886
SHA1: 410f9c227a901e2721fd4471e8a5069bd6af43da
SHA256: 1ddab0ffb27f81d57aa99aff590c9a603157724362315228bd47914be4dbf6d2
SHA512: b7485652c502a95a258d106166419dc3679e8a69906b7634dc440db9fa3db506a1c5597024fa0b275b556dbce55f51877bfef6d779817a0c83f51395bc734de6
SSDEEP: 1536:qih380x1gfPT9dOjquahM8+bEm3leW9Q6au4aOaQDb4mPMUf:NhVgf5EFWZ+bEmVeOcu4aOaQDb4va
Malware Config
Extracted: xworm
- 19.ip.gl.ply.gg:45758
- ads-enabled.gl.at.ply.gg:45758
Install_directory: %AppData%
install_file: detektivhuedblyat.exe
Signatures

Detect Xworm Payload (4 IoCs)
Processes:
resource  yara_rule
behavioral1/memory/1736-1-0x00000000008D0000-0x00000000008EA000-memory.dmp  family_xworm
C:\Users\Admin\AppData\Roaming\detektivhuedblyat.exe  family_xworm
behavioral1/memory/2000-35-0x00000000001F0000-0x000000000020A000-memory.dmp  family_xworm
behavioral1/memory/1100-39-0x0000000001140000-0x000000000115A000-memory.dmp  family_xworm

Command and Scripting Interpreter: PowerShell (1 TTPs, 4 IoCs)
Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
pid  process
2116  powershell.exe
2936  powershell.exe
2588  powershell.exe
1768  powershell.exe

Drops startup file (2 IoCs)
Processes:
description  ioc  process
File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\detektivhuedblyat.lnk  1ddab0ffb27f81d57aa99aff590c9a603157724362315228bd47914be4dbf6d2.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\detektivhuedblyat.lnk  1ddab0ffb27f81d57aa99aff590c9a603157724362315228bd47914be4dbf6d2.exe

Executes dropped EXE (3 IoCs)
Processes:
pid  process
2000  detektivhuedblyat.exe
1100  detektivhuedblyat.exe
1832  detektivhuedblyat.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
description  ioc  process
Set value (str)  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\detektivhuedblyat = "C:\\Users\\Admin\\AppData\\Roaming\\detektivhuedblyat.exe"  1ddab0ffb27f81d57aa99aff590c9a603157724362315228bd47914be4dbf6d2.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes:
pid  process
2116  powershell.exe
2936  powershell.exe
2588  powershell.exe
1768  powershell.exe
1736  1ddab0ffb27f81d57aa99aff590c9a603157724362315228bd47914be4dbf6d2.exe

Suspicious use of AdjustPrivilegeToken (9 IoCs)
Processes:
description  pid  process
Token: SeDebugPrivilege  1736  1ddab0ffb27f81d57aa99aff590c9a603157724362315228bd47914be4dbf6d2.exe
Token: SeDebugPrivilege  2116  powershell.exe
Token: SeDebugPrivilege  2936  powershell.exe
Token: SeDebugPrivilege  2588  powershell.exe
Token: SeDebugPrivilege  1768  powershell.exe
Token: SeDebugPrivilege  1736  1ddab0ffb27f81d57aa99aff590c9a603157724362315228bd47914be4dbf6d2.exe
Token: SeDebugPrivilege  2000  detektivhuedblyat.exe
Token: SeDebugPrivilege  1100  detektivhuedblyat.exe
Token: SeDebugPrivilege  1832  detektivhuedblyat.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
pid  process
1736  1ddab0ffb27f81d57aa99aff590c9a603157724362315228bd47914be4dbf6d2.exe

Suspicious use of WriteProcessMemory (24 IoCs)
Processes:
description  pid  process  target process
PID 1736 wrote to memory of 2116  1736  1ddab0ffb27f81d57aa99aff590c9a603157724362315228bd47914be4dbf6d2.exe  powershell.exe
PID 1736 wrote to memory of 2116  1736  1ddab0ffb27f81d57aa99aff590c9a603157724362315228bd47914be4dbf6d2.exe  powershell.exe
PID 1736 wrote to memory of 2116  1736  1ddab0ffb27f81d57aa99aff590c9a603157724362315228bd47914be4dbf6d2.exe  powershell.exe
PID 1736 wrote to memory of 2936  1736  1ddab0ffb27f81d57aa99aff590c9a603157724362315228bd47914be4dbf6d2.exe  powershell.exe
PID 1736 wrote to memory of 2936  1736  1ddab0ffb27f81d57aa99aff590c9a603157724362315228bd47914be4dbf6d2.exe  powershell.exe
PID 1736 wrote to memory of 2936  1736  1ddab0ffb27f81d57aa99aff590c9a603157724362315228bd47914be4dbf6d2.exe  powershell.exe
PID 1736 wrote to memory of 2588  1736  1ddab0ffb27f81d57aa99aff590c9a603157724362315228bd47914be4dbf6d2.exe  powershell.exe
PID 1736 wrote to memory of 2588  1736  1ddab0ffb27f81d57aa99aff590c9a603157724362315228bd47914be4dbf6d2.exe  powershell.exe
PID 1736 wrote to memory of 2588  1736  1ddab0ffb27f81d57aa99aff590c9a603157724362315228bd47914be4dbf6d2.exe  powershell.exe
PID 1736 wrote to memory of 1768  1736  1ddab0ffb27f81d57aa99aff590c9a603157724362315228bd47914be4dbf6d2.exe  powershell.exe
PID 1736 wrote to memory of 1768  1736  1ddab0ffb27f81d57aa99aff590c9a603157724362315228bd47914be4dbf6d2.exe  powershell.exe
PID 1736 wrote to memory of 1768  1736  1ddab0ffb27f81d57aa99aff590c9a603157724362315228bd47914be4dbf6d2.exe  powershell.exe
PID 1736 wrote to memory of 2840  1736  1ddab0ffb27f81d57aa99aff590c9a603157724362315228bd47914be4dbf6d2.exe  schtasks.exe
PID 1736 wrote to memory of 2840  1736  1ddab0ffb27f81d57aa99aff590c9a603157724362315228bd47914be4dbf6d2.exe  schtasks.exe
PID 1736 wrote to memory of 2840  1736  1ddab0ffb27f81d57aa99aff590c9a603157724362315228bd47914be4dbf6d2.exe  schtasks.exe
PID 1036 wrote to memory of 2000  1036  taskeng.exe  detektivhuedblyat.exe
PID 1036 wrote to memory of 2000  1036  taskeng.exe  detektivhuedblyat.exe
PID 1036 wrote to memory of 2000  1036  taskeng.exe  detektivhuedblyat.exe
PID 1036 wrote to memory of 1100  1036  taskeng.exe  detektivhuedblyat.exe
PID 1036 wrote to memory of 1100  1036  taskeng.exe  detektivhuedblyat.exe
PID 1036 wrote to memory of 1100  1036  taskeng.exe  detektivhuedblyat.exe
PID 1036 wrote to memory of 1832  1036  taskeng.exe  detektivhuedblyat.exe
PID 1036 wrote to memory of 1832  1036  taskeng.exe  detektivhuedblyat.exe
PID 1036 wrote to memory of 1832  1036  taskeng.exe  detektivhuedblyat.exe

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

- C:\Users\Admin\AppData\Local\Temp\1ddab0ffb27f81d57aa99aff590c9a603157724362315228bd47914be4dbf6d2.exe (PID 1736)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1ddab0ffb27f81d57aa99aff590c9a603157724362315228bd47914be4dbf6d2.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2116)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1ddab0ffb27f81d57aa99aff590c9a603157724362315228bd47914be4dbf6d2.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2936)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '1ddab0ffb27f81d57aa99aff590c9a603157724362315228bd47914be4dbf6d2.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2588)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\detektivhuedblyat.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1768)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'detektivhuedblyat.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\System32\schtasks.exe (PID 2840)
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "detektivhuedblyat" /tr "C:\Users\Admin\AppData\Roaming\detektivhuedblyat.exe"
    - Creates scheduled task(s)

- C:\Windows\system32\taskeng.exe (PID 1036)
  Command line: taskeng.exe {2A6F9F5E-CA1D-42CC-9DEC-74771C5B6EE1} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Roaming\detektivhuedblyat.exe (PID 2000)
    Command line: C:\Users\Admin\AppData\Roaming\detektivhuedblyat.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

  - C:\Users\Admin\AppData\Roaming\detektivhuedblyat.exe (PID 1100)
    Command line: C:\Users\Admin\AppData\Roaming\detektivhuedblyat.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

  - C:\Users\Admin\AppData\Roaming\detektivhuedblyat.exe (PID 1832)
    Command line: C:\Users\Admin\AppData\Roaming\detektivhuedblyat.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Enterprise v15
Downloads

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 4c3539367fe5df6d88d7d64121737468
  SHA1: a121c632239ab62418bdd90435bff5c660c9c0a1
  SHA256: b518efae901951efc40cdb675f2c6a3214a5d6b90c192b860e2d1a7adc6cb57b
  SHA512: 78f691bbbe7e580aa2026922e9e793e7aac56e99cfe48a0b18d4bc3b2358208bc40c15e0cd75634fc7432528068d29b1a8c1f9b7033998371d2616b8210c7cb0

- Filesize: 82KB
  MD5: b107fbdbd7e5a97172b3974216a78886
  SHA1: 410f9c227a901e2721fd4471e8a5069bd6af43da
  SHA256: 1ddab0ffb27f81d57aa99aff590c9a603157724362315228bd47914be4dbf6d2
  SHA512: b7485652c502a95a258d106166419dc3679e8a69906b7634dc440db9fa3db506a1c5597024fa0b275b556dbce55f51877bfef6d779817a0c83f51395bc734de6