Analysis
Max time kernel: 1798s
Max time network: 1806s
Platform: windows11-21h2_x64
Resource: win11-20240508-en
Resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
Submitted: 30-05-2024 14:19
Behavioral task: behavioral1
Sample: проверка.exe
Resource: win11-20240508-en

Behavioral task: behavioral2
Sample: проверка.exe
Resource: android-33-x64-arm64-20240514-en
General
Target: проверка.exe
Size: 102KB
MD5: 58174445e23753c941d39dc0453ac348
SHA1: 40e3a9047c49cbae6818297adcd03896d28364c2
SHA256: 1e5034d37e7751fb4039157219aee679bf76a8d3b0185a86c0d2255477a58171
SHA512: 523ef9adae27b83d87166be13e87944d3816cad08103b65ae2c964bf8828c0c949030e9e967d56b2bf40bba5b9466f8e4d21ccc220892c5f9365e2dd221fe072
SSDEEP: 1536:oBFpc8Z5dGYzabvawh+/C6vSX/QOcy/WPPqUs/uoDjSBSc7UtYVL:oa85dGCabvaw4/moOcy/R/1W0cgteL
Malware Config
Extracted: xworm
19.ip.gl.ply.gg:65468
speed-wheat.gl.at.ply.gg:65468
XWorm V5.2:123
Install_directory: %AppData%
install_file: Delta.exe
Signatures

Detect Xworm Payload (2 IoCs)
Processes (resource, YARA rule):
behavioral1/memory/3096-1-0x0000000000970000-0x0000000000990000-memory.dmp (family_xworm)
C:\Users\Admin\AppData\Roaming\Delta.exe (family_xworm)
Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths and processes.
Processes (PID, process):
4628 powershell.exe
1676 powershell.exe
3260 powershell.exe
4564 powershell.exe
Drops startup file (2 IoCs)
Processes (description, IoC, process):
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Delta.lnk (проверка.exe)
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Delta.lnk (проверка.exe)
Executes dropped EXE (30 IoCs)
Processes (PID, process): 30 instances of Delta.exe with PIDs 4512, 1008, 1752, 1344, 3500, 892, 3284, 1608, 3436, 2404, 1808, 2984, 4616, 940, 4348, 3168, 2552, 2936, 3352, 3088, 4736, 1312, 3436, 744, 3132, 240, 248, 2172, 2016, 2452
Adds Run key to start application (2 TTPs, 1 IoC)
Processes (description, IoC, process):
Set value (str): \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Software\Microsoft\Windows\CurrentVersion\Run\Delta = "C:\\Users\\Admin\\AppData\\Roaming\\Delta.exe" (проверка.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (45 IoCs)
Processes (PID, process): 4628 powershell.exe (2 entries), 1676 powershell.exe (2 entries), 3260 powershell.exe (2 entries), 4564 powershell.exe (2 entries), 3096 проверка.exe (all remaining entries)
Suspicious use of AdjustPrivilegeToken (36 IoCs)
Processes (description, PID, process): every entry is Token: SeDebugPrivilege, recorded for 3096 проверка.exe (2 entries), 4628 powershell.exe, 1676 powershell.exe, 3260 powershell.exe, 4564 powershell.exe, and each of the 30 Delta.exe instances (PIDs 4512, 1008, 1752, 1344, 3500, 892, 3284, 1608, 3436, 2404, 1808, 2984, 4616, 940, 4348, 3168, 2552, 2936, 3352, 3088, 4736, 1312, 3436, 744, 3132, 240, 248, 2172, 2016, 2452)
Suspicious use of SetWindowsHookEx (1 IoC)
Processes (PID, process): 3096 проверка.exe
Suspicious use of WriteProcessMemory (10 IoCs)
Processes (description, PID, process, target process):
PID 3096 wrote to memory of 4628: проверка.exe -> powershell.exe (2 entries)
PID 3096 wrote to memory of 1676: проверка.exe -> powershell.exe (2 entries)
PID 3096 wrote to memory of 3260: проверка.exe -> powershell.exe (2 entries)
PID 3096 wrote to memory of 4564: проверка.exe -> powershell.exe (2 entries)
PID 3096 wrote to memory of 2944: проверка.exe -> schtasks.exe (2 entries)
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\проверка.exe (PID 3096, level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\проверка.exe"
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4628, level 2, child of PID 3096)
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\проверка.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1676, level 2, child of PID 3096)
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'проверка.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3260, level 2, child of PID 3096)
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Delta.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4564, level 2, child of PID 3096)
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Delta.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\schtasks.exe (PID 2944, level 2, child of PID 3096)
Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Delta" /tr "C:\Users\Admin\AppData\Roaming\Delta.exe"
- Creates scheduled task(s)

C:\Users\Admin\AppData\Roaming\Delta.exe (PID 4512, level 1)
Command line: C:\Users\Admin\AppData\Roaming\Delta.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\svchost.exe (PID 3776, level 1)
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
C:\Users\Admin\AppData\Roaming\Delta.exe (level 1), 29 further instances with PIDs 1008, 1752, 1344, 3500, 892, 3284, 1608, 3436, 2404, 1808, 2984, 4616, 940, 4348, 3168, 2552, 2936, 3352, 3088, 4736, 1312, 3436, 744, 3132, 240, 248, 2172, 2016, 2452
Command line (each instance): C:\Users\Admin\AppData\Roaming\Delta.exe
Signatures (each instance):
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken