Analysis
max time kernel: 149s
max time network: 147s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 30-05-2024 14:50
Behavioral task behavioral1: Sample проверка.exe, Resource win7-20240221-en
Behavioral task behavioral2: Sample проверка.exe, Resource win10v2004-20240508-en
General
Target: проверка.exe
Size: 102KB
MD5: 58174445e23753c941d39dc0453ac348
SHA1: 40e3a9047c49cbae6818297adcd03896d28364c2
SHA256: 1e5034d37e7751fb4039157219aee679bf76a8d3b0185a86c0d2255477a58171
SHA512: 523ef9adae27b83d87166be13e87944d3816cad08103b65ae2c964bf8828c0c949030e9e967d56b2bf40bba5b9466f8e4d21ccc220892c5f9365e2dd221fe072
SSDEEP: 1536:oBFpc8Z5dGYzabvawh+/C6vSX/QOcy/WPPqUs/uoDjSBSc7UtYVL:oa85dGCabvaw4/moOcy/R/1W0cgteL
Malware Config
Extracted: xworm
19.ip.gl.ply.gg:65468
speed-wheat.gl.at.ply.gg:65468
XWorm V5.2:123
Install_directory: %AppData%
install_file: Delta.exe
Signatures

Detect Xworm Payload (4 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/2956-1-0x0000000001160000-0x0000000001180000-memory.dmp | family_xworm
C:\Users\Admin\AppData\Roaming\Delta.exe | family_xworm
behavioral1/memory/892-37-0x0000000000170000-0x0000000000190000-memory.dmp | family_xworm
behavioral1/memory/448-40-0x0000000000CF0000-0x0000000000D10000-memory.dmp | family_xworm

Command and Scripting Interpreter: PowerShell (1 TTPs, 4 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
pid | process
3040 | powershell.exe
1728 | powershell.exe
2552 | powershell.exe
2556 | powershell.exe

Drops startup file (2 IoCs)
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Delta.lnk | проверка.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Delta.lnk | проверка.exe

Executes dropped EXE (2 IoCs)
Processes:
pid | process
892 | Delta.exe
448 | Delta.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Delta = "C:\\Users\\Admin\\AppData\\Roaming\\Delta.exe" | проверка.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Delays execution with timeout.exe (1 IoCs)
Processes:
pid | process
2980 | timeout.exe

Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes:
pid | process
3040 | powershell.exe
1728 | powershell.exe
2552 | powershell.exe
2556 | powershell.exe
2956 | проверка.exe

Suspicious use of AdjustPrivilegeToken (8 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 2956 | проверка.exe
Token: SeDebugPrivilege | 3040 | powershell.exe
Token: SeDebugPrivilege | 1728 | powershell.exe
Token: SeDebugPrivilege | 2552 | powershell.exe
Token: SeDebugPrivilege | 2556 | powershell.exe
Token: SeDebugPrivilege | 2956 | проверка.exe
Token: SeDebugPrivilege | 892 | Delta.exe
Token: SeDebugPrivilege | 448 | Delta.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
pid | process
2956 | проверка.exe

Suspicious use of WriteProcessMemory (30 IoCs)
Processes:
description | pid | process | target process
PID 2956 wrote to memory of 3040 | 2956 | проверка.exe | powershell.exe
PID 2956 wrote to memory of 3040 | 2956 | проверка.exe | powershell.exe
PID 2956 wrote to memory of 3040 | 2956 | проверка.exe | powershell.exe
PID 2956 wrote to memory of 1728 | 2956 | проверка.exe | powershell.exe
PID 2956 wrote to memory of 1728 | 2956 | проверка.exe | powershell.exe
PID 2956 wrote to memory of 1728 | 2956 | проверка.exe | powershell.exe
PID 2956 wrote to memory of 2552 | 2956 | проверка.exe | powershell.exe
PID 2956 wrote to memory of 2552 | 2956 | проверка.exe | powershell.exe
PID 2956 wrote to memory of 2552 | 2956 | проверка.exe | powershell.exe
PID 2956 wrote to memory of 2556 | 2956 | проверка.exe | powershell.exe
PID 2956 wrote to memory of 2556 | 2956 | проверка.exe | powershell.exe
PID 2956 wrote to memory of 2556 | 2956 | проверка.exe | powershell.exe
PID 2956 wrote to memory of 2976 | 2956 | проверка.exe | schtasks.exe
PID 2956 wrote to memory of 2976 | 2956 | проверка.exe | schtasks.exe
PID 2956 wrote to memory of 2976 | 2956 | проверка.exe | schtasks.exe
PID 808 wrote to memory of 892 | 808 | taskeng.exe | Delta.exe
PID 808 wrote to memory of 892 | 808 | taskeng.exe | Delta.exe
PID 808 wrote to memory of 892 | 808 | taskeng.exe | Delta.exe
PID 808 wrote to memory of 448 | 808 | taskeng.exe | Delta.exe
PID 808 wrote to memory of 448 | 808 | taskeng.exe | Delta.exe
PID 808 wrote to memory of 448 | 808 | taskeng.exe | Delta.exe
PID 2956 wrote to memory of 2128 | 2956 | проверка.exe | schtasks.exe
PID 2956 wrote to memory of 2128 | 2956 | проверка.exe | schtasks.exe
PID 2956 wrote to memory of 2128 | 2956 | проверка.exe | schtasks.exe
PID 2956 wrote to memory of 2044 | 2956 | проверка.exe | cmd.exe
PID 2956 wrote to memory of 2044 | 2956 | проверка.exe | cmd.exe
PID 2956 wrote to memory of 2044 | 2956 | проверка.exe | cmd.exe
PID 2044 wrote to memory of 2980 | 2044 | cmd.exe | timeout.exe
PID 2044 wrote to memory of 2980 | 2044 | cmd.exe | timeout.exe
PID 2044 wrote to memory of 2980 | 2044 | cmd.exe | timeout.exe

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (process tree; child processes are indented under their parent)

C:\Users\Admin\AppData\Local\Temp\проверка.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\проверка.exe"
  PID: 2956
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\проверка.exe'
    PID: 3040
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'проверка.exe'
    PID: 1728
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Delta.exe'
    PID: 2552
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Delta.exe'
    PID: 2556
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Delta" /tr "C:\Users\Admin\AppData\Roaming\Delta.exe"
    PID: 2976
    - Creates scheduled task(s)

  C:\Windows\System32\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /delete /f /tn "Delta"
    PID: 2128

  C:\Windows\system32\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp5947.tmp.bat""
    PID: 2044
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\timeout.exe
      Command line: timeout 3
      PID: 2980
      - Delays execution with timeout.exe

C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {D38C6D4A-022A-4AF3-880A-9F1E578D1C82} S-1-5-21-3452737119-3959686427-228443150-1000:QGTQZTRE\Admin:Interactive:[1]
  PID: 808
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Delta.exe
    Command line: C:\Users\Admin\AppData\Roaming\Delta.exe
    PID: 892
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Roaming\Delta.exe
    Command line: C:\Users\Admin\AppData\Roaming\Delta.exe
    PID: 448
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
Downloads

Filesize: 168B
MD5: 259eff594d45d2875d77353537a74305
SHA1: f025e57dd34d6b29c4b1408cbd6f65b423e88e25
SHA256: 6da6d3c453dab23d89ac8ba9393869058b89991f89bcf9b10410f694021e15ad
SHA512: 894434c26b25769f2fa4c6fac6b01d32bbdfa07227dce446c6f72a9219aece2da55981daec7b0ca4024828b39dbba546feeb279c2caacb6d9f8cac7b0325b3c1

Filesize: 102KB
MD5: 58174445e23753c941d39dc0453ac348
SHA1: 40e3a9047c49cbae6818297adcd03896d28364c2
SHA256: 1e5034d37e7751fb4039157219aee679bf76a8d3b0185a86c0d2255477a58171
SHA512: 523ef9adae27b83d87166be13e87944d3816cad08103b65ae2c964bf8828c0c949030e9e967d56b2bf40bba5b9466f8e4d21ccc220892c5f9365e2dd221fe072

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: 277227b9261d4007356661ded33fa58e
SHA1: d5dd033d733778491234ca36d120d0a0ac3809ba
SHA256: c314be394551104a5fb498c3542afe1324b6dd265eec373d46f5a346da3363b9
SHA512: 4e8de59c43ed1b8fa8b93e5e60bdfe17925f794d918c0c302690915b2b9d9f684321003ef18083722e0ec23e0181e56dd003b43da25274f00e605ae17e32a856

(the following are the well-known digests of an empty file)
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e