Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    30-05-2024 14:48

General

  • Target

    1ddab0ffb27f81d57aa99aff590c9a603157724362315228bd47914be4dbf6d2.exe

  • Size

    82KB

  • MD5

    b107fbdbd7e5a97172b3974216a78886

  • SHA1

    410f9c227a901e2721fd4471e8a5069bd6af43da

  • SHA256

    1ddab0ffb27f81d57aa99aff590c9a603157724362315228bd47914be4dbf6d2

  • SHA512

    b7485652c502a95a258d106166419dc3679e8a69906b7634dc440db9fa3db506a1c5597024fa0b275b556dbce55f51877bfef6d779817a0c83f51395bc734de6

  • SSDEEP

    1536:qih380x1gfPT9dOjquahM8+bEm3leW9Q6au4aOaQDb4mPMUf:NhVgf5EFWZ+bEmVeOcu4aOaQDb4va

Malware Config

Extracted

Family

xworm

C2

19.ip.gl.ply.gg:45758

ads-enabled.gl.at.ply.gg:45758

Attributes
  • Install_directory

    %AppData%

  • install_file

    detektivhuedblyat.exe

Signatures

  • Detect Xworm Payload 4 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Runs PowerShell (Add-MpPreference) to add Windows Defender exclusions for file extensions, paths, or processes. In this run the sample spawns four such commands with -ExecutionPolicy Bypass, excluding both the original executable and the dropped %AppData% copy by full path and by process name.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution. Here the task "detektivhuedblyat" runs the dropped copy in %AppData% every minute (/sc minute /mo 1) at the highest run level (/RL HIGHEST), which is why several instances of detektivhuedblyat.exe appear under taskeng.exe in the process tree below.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\1ddab0ffb27f81d57aa99aff590c9a603157724362315228bd47914be4dbf6d2.exe
    "C:\Users\Admin\AppData\Local\Temp\1ddab0ffb27f81d57aa99aff590c9a603157724362315228bd47914be4dbf6d2.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1736
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1ddab0ffb27f81d57aa99aff590c9a603157724362315228bd47914be4dbf6d2.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2116
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '1ddab0ffb27f81d57aa99aff590c9a603157724362315228bd47914be4dbf6d2.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2936
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\detektivhuedblyat.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2588
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'detektivhuedblyat.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1768
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "detektivhuedblyat" /tr "C:\Users\Admin\AppData\Roaming\detektivhuedblyat.exe"
      2⤵
      • Creates scheduled task(s)
      PID:2840
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {2A6F9F5E-CA1D-42CC-9DEC-74771C5B6EE1} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1036
    • C:\Users\Admin\AppData\Roaming\detektivhuedblyat.exe
      C:\Users\Admin\AppData\Roaming\detektivhuedblyat.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2000
    • C:\Users\Admin\AppData\Roaming\detektivhuedblyat.exe
      C:\Users\Admin\AppData\Roaming\detektivhuedblyat.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1100
    • C:\Users\Admin\AppData\Roaming\detektivhuedblyat.exe
      C:\Users\Admin\AppData\Roaming\detektivhuedblyat.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1832
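The two behaviours the report flags, Defender exclusions via Add-MpPreference and a one-minute scheduled task pointing at a user-writable path, are easy to miss in raw command-line telemetry. The following Python is an added example (not part of the sandbox report) that encodes both as detection logic and runs it over the process tree above. PROCESS_TREE is constructed from the report's process list as (pid, parent pid, image, command line); the handling of PowerShell's -ep/-exec abbreviations and of svchost.exe as the Task Scheduler host on Windows 10 and later goes beyond what this Windows 7 run shows and is included as a generalization.

```python
"""Triage the process tree above for the two behaviours the report flags: Defender
exclusions added via Add-MpPreference, and a scheduled task re-launching a dropped
binary. Added example, not part of the sandbox output; PROCESS_TREE is constructed
from the report's process list as (pid, parent pid, image, command line). In
production feed the same functions Sysmon EventID 1 / EDR CommandLine fields."""
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\1ddab0ffb27f81d57aa99aff590c9a603157724362315228bd47914be4dbf6d2.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\detektivhuedblyat.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SCHTASKS = r"C:\Windows\System32\schtasks.exe"

def _ps(args):  # PowerShell child command line exactly as the report shows it
    return f'"{PS}" -ExecutionPolicy Bypass {args}'

PROCESS_TREE = [  # constructed from the report; parents of the two roots are unknown
    (1736, None, SAMPLE, f'"{SAMPLE}"'),
    (2116, 1736, PS, _ps(f"Add-MpPreference -ExclusionPath '{SAMPLE}'")),
    (2936, 1736, PS, _ps("Add-MpPreference -ExclusionProcess "
                         "'1ddab0ffb27f81d57aa99aff590c9a603157724362315228bd47914be4dbf6d2.exe'")),
    (2588, 1736, PS, _ps(f"Add-MpPreference -ExclusionPath '{DROPPED}'")),
    (1768, 1736, PS, _ps("Add-MpPreference -ExclusionProcess 'detektivhuedblyat.exe'")),
    (2840, 1736, SCHTASKS, f'"{SCHTASKS}" /create /f /RL HIGHEST /sc minute /mo 1 '
                           f'/tn "detektivhuedblyat" /tr "{DROPPED}"'),
    (1036, None, r"C:\Windows\system32\taskeng.exe",
     r"taskeng.exe {2A6F9F5E-CA1D-42CC-9DEC-74771C5B6EE1} "
     r"S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]"),
    (2000, 1036, DROPPED, DROPPED),
    (1100, 1036, DROPPED, DROPPED),
    (1832, 1036, DROPPED, DROPPED),
]

# -Exclusion{Path,Process,Extension} followed by a single-quoted, double-quoted or bare value.
_EXCLUSION_RE = re.compile(r"""-Exclusion(Path|Process|Extension)\s+(?:'([^']*)'|"([^"]*)"|(\S+))""", re.I)
# -ExecutionPolicy Bypass and its common abbreviations (-ep, -exec).
_BYPASS_RE = re.compile(r"-(?:ep|exec|executionpolicy)\s+bypass", re.I)
# schtasks switches: /name, optionally followed by a quoted or bare value that is not the next switch.
_SCHTASKS_ARG_RE = re.compile(r'''/(\w+)(?:\s+(?:"([^"]*)"|(?!/)(\S+)))?''')
# Locations a standard user can write to; a task action living there is a persistence red flag.
_USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\Temp\\|%(?:AppData|LocalAppData|Temp|UserProfile)%", re.I)

def defender_exclusion(cmdline):
    """Details of an Add-MpPreference exclusion in cmdline, or None."""
    if not re.search(r"\bAdd-MpPreference\b", cmdline, re.I):
        return None
    m = _EXCLUSION_RE.search(cmdline)
    if not m:
        return None
    value = next(g for g in m.groups()[1:] if g is not None)  # whichever quoting form matched
    return {"kind": m.group(1).capitalize(), "value": value,
            "execution_policy_bypass": bool(_BYPASS_RE.search(cmdline))}

def _schtasks_args(cmdline):
    return {m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _SCHTASKS_ARG_RE.finditer(cmdline)}

def schtasks_persistence(cmdline):
    """Details of a `schtasks /create` that registers an action, or None."""
    if not re.search(r"\bschtasks(?:\.exe)?\b", cmdline, re.I):
        return None
    args = _schtasks_args(cmdline)
    if "create" not in args or not args.get("tr"):
        return None
    schedule = (args.get("sc") or "").lower()
    modifier = int(args["mo"]) if (args.get("mo") or "").isdigit() else None
    interval = None  # minutes between runs, where the schedule makes that well-defined
    if schedule == "minute":
        interval = modifier or 1          # schtasks defaults /mo to 1 for MINUTE
    elif schedule == "hourly":
        interval = (modifier or 1) * 60
    return {"task_name": args.get("tn"), "action": args["tr"], "schedule": schedule,
            "modifier": modifier, "run_level": (args.get("rl") or "").upper() or None,
            "interval_minutes": interval,
            "user_writable_action": bool(_USER_WRITABLE_RE.search(args["tr"]))}

def task_executions(tree, action):
    """PIDs running the task action under the Task Scheduler host (taskeng.exe on
    Windows 7, as in this report; svchost.exe hosts the Schedule service on Windows 10+)."""
    image_of = {pid: image for pid, _, image, _ in tree}
    return [pid for pid, ppid, image, _ in tree
            if image.lower() == action.lower()
            and (image_of.get(ppid) or "").lower().endswith(("\\taskeng.exe", "\\svchost.exe"))]

def triage(tree):
    """All findings for the tree, each tagged with the pid/ppid that produced it."""
    findings = []
    for pid, ppid, _, cmdline in tree:
        excl = defender_exclusion(cmdline)
        if excl:
            findings.append({"rule": "defender_exclusion", "pid": pid, "ppid": ppid, **excl})
        task = schtasks_persistence(cmdline)
        if task:
            findings.append({"rule": "schtasks_persistence", "pid": pid, "ppid": ppid,
                             "fired_pids": task_executions(tree, task["action"]), **task})
    return findings

if __name__ == "__main__":
    for finding in triage(PROCESS_TREE):
        print(finding)
```

Run against the tree above this yields four defender_exclusion findings (all children of PID 1736, all with -ExecutionPolicy Bypass) and one schtasks_persistence finding whose action is then seen executing three times under taskeng.exe. Note that -ExclusionProcess with a bare file name, as in the last two PowerShell commands, excludes files touched by any process with that image name regardless of its path, so the exclusion survives the binary being moved.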

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    7KB

    MD5

    4c3539367fe5df6d88d7d64121737468

    SHA1

    a121c632239ab62418bdd90435bff5c660c9c0a1

    SHA256

    b518efae901951efc40cdb675f2c6a3214a5d6b90c192b860e2d1a7adc6cb57b

    SHA512

    78f691bbbe7e580aa2026922e9e793e7aac56e99cfe48a0b18d4bc3b2358208bc40c15e0cd75634fc7432528068d29b1a8c1f9b7033998371d2616b8210c7cb0

  • C:\Users\Admin\AppData\Roaming\detektivhuedblyat.exe

    Filesize

    82KB

    MD5

    b107fbdbd7e5a97172b3974216a78886

    SHA1

    410f9c227a901e2721fd4471e8a5069bd6af43da

    SHA256

    1ddab0ffb27f81d57aa99aff590c9a603157724362315228bd47914be4dbf6d2

    SHA512

    b7485652c502a95a258d106166419dc3679e8a69906b7634dc440db9fa3db506a1c5597024fa0b275b556dbce55f51877bfef6d779817a0c83f51395bc734de6

  • memory/1100-39-0x0000000001140000-0x000000000115A000-memory.dmp

    Filesize

    104KB

  • memory/1736-31-0x000007FEF5313000-0x000007FEF5314000-memory.dmp

    Filesize

    4KB

  • memory/1736-1-0x00000000008D0000-0x00000000008EA000-memory.dmp

    Filesize

    104KB

  • memory/1736-0-0x000007FEF5313000-0x000007FEF5314000-memory.dmp

    Filesize

    4KB

  • memory/1736-36-0x000000001B370000-0x000000001B3F0000-memory.dmp

    Filesize

    512KB

  • memory/1736-30-0x000000001B370000-0x000000001B3F0000-memory.dmp

    Filesize

    512KB

  • memory/2000-35-0x00000000001F0000-0x000000000020A000-memory.dmp

    Filesize

    104KB

  • memory/2116-7-0x000000001B3D0000-0x000000001B6B2000-memory.dmp

    Filesize

    2.9MB

  • memory/2116-8-0x0000000002060000-0x0000000002068000-memory.dmp

    Filesize

    32KB

  • memory/2116-6-0x00000000025B0000-0x0000000002630000-memory.dmp

    Filesize

    512KB

  • memory/2936-15-0x00000000022A0000-0x00000000022A8000-memory.dmp

    Filesize

    32KB

  • memory/2936-14-0x000000001B210000-0x000000001B4F2000-memory.dmp

    Filesize

    2.9MB