Analysis

max time kernel: 1047s
max time network: 1041s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 30-05-2024 14:20

Behavioral task: behavioral1
Sample: Pm2N2C2ndXU2J.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: Pm2N2C2ndXU2J.exe
Resource: win10v2004-20240508-en

General

Target: Pm2N2C2ndXU2J.exe
Size: 85KB
MD5: 5c6fef1fff51ccb0110e57777177bc84
SHA1: 807be583f49b7512a8e1aac11d6c2475028c7abf
SHA256: 17edbd6b374bc695acd4f5e9e12ff27d7bca977ee06db54012388dfe7b3e5cc8
SHA512: 02795e12e22853a506db78f2f9960fe90904605dcbadd20b97994cb8db35be2f516ce0e37a5d3509ccf4a2c581ac21b74f9facb46427bc633a061d56816a13af
SSDEEP: 1536:EyM6UKCWBzEisHQFU5JmxdF+bGN0d/KSI6dMOk0QuNPDUz:EMBVxDUi+bGQNQOk0QYO
Malware Config

Extracted
Family: xworm
C2:
19.ip.gl.ply.gg:45758
ads-enabled.gl.at.ply.gg:45758
Install_directory: %AppData%
install_file: detcvto.exe
Signatures

Detect Xworm Payload (15 IoCs)
Processes:
resource  yara_rule
behavioral1/memory/2256-1-0x0000000000340000-0x000000000035C000-memory.dmp  family_xworm
C:\Users\Admin\AppData\Roaming\detcvto.exe  family_xworm
behavioral1/memory/2380-37-0x0000000000070000-0x000000000008C000-memory.dmp  family_xworm
behavioral1/memory/1560-39-0x0000000000A50000-0x0000000000A6C000-memory.dmp  family_xworm
behavioral1/memory/1808-41-0x0000000000D60000-0x0000000000D7C000-memory.dmp  family_xworm
behavioral1/memory/3044-44-0x00000000002B0000-0x00000000002CC000-memory.dmp  family_xworm
behavioral1/memory/1496-46-0x0000000000F60000-0x0000000000F7C000-memory.dmp  family_xworm
behavioral1/memory/2032-49-0x0000000001370000-0x000000000138C000-memory.dmp  family_xworm
behavioral1/memory/2532-52-0x0000000000090000-0x00000000000AC000-memory.dmp  family_xworm
behavioral1/memory/2812-54-0x0000000000220000-0x000000000023C000-memory.dmp  family_xworm
behavioral1/memory/760-56-0x00000000001B0000-0x00000000001CC000-memory.dmp  family_xworm
behavioral1/memory/1512-58-0x0000000000180000-0x000000000019C000-memory.dmp  family_xworm
behavioral1/memory/1468-60-0x0000000001330000-0x000000000134C000-memory.dmp  family_xworm
behavioral1/memory/2840-63-0x00000000000D0000-0x00000000000EC000-memory.dmp  family_xworm
behavioral1/memory/1812-65-0x0000000000C20000-0x0000000000C3C000-memory.dmp  family_xworm
Command and Scripting Interpreter: PowerShell (1 TTPs, 4 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
pid  process
2096  powershell.exe
2696  powershell.exe
2624  powershell.exe
2508  powershell.exe
Drops startup file (2 IoCs)
Processes:
description  ioc  process
File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\detcvto.lnk  Pm2N2C2ndXU2J.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\detcvto.lnk  Pm2N2C2ndXU2J.exe
Executes dropped EXE (17 IoCs)
Processes:
pid  process
2380  detcvto.exe
1560  detcvto.exe
1808  detcvto.exe
520  detcvto.exe
3044  detcvto.exe
1496  detcvto.exe
376  detcvto.exe
2032  detcvto.exe
2400  detcvto.exe
2532  detcvto.exe
2812  detcvto.exe
760  detcvto.exe
1512  detcvto.exe
1468  detcvto.exe
584  detcvto.exe
2840  detcvto.exe
1812  detcvto.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
description  ioc  process
Set value (str)  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\detcvto = "C:\\Users\\Admin\\AppData\\Roaming\\detcvto.exe"  Pm2N2C2ndXU2J.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes:
pid  process
2096  powershell.exe
2696  powershell.exe
2624  powershell.exe
2508  powershell.exe
2256  Pm2N2C2ndXU2J.exe
Suspicious use of AdjustPrivilegeToken (23 IoCs)
Processes:
description  pid  process
Token: SeDebugPrivilege  2256  Pm2N2C2ndXU2J.exe
Token: SeDebugPrivilege  2096  powershell.exe
Token: SeDebugPrivilege  2696  powershell.exe
Token: SeDebugPrivilege  2624  powershell.exe
Token: SeDebugPrivilege  2508  powershell.exe
Token: SeDebugPrivilege  2256  Pm2N2C2ndXU2J.exe
Token: SeDebugPrivilege  2380  detcvto.exe
Token: SeDebugPrivilege  1560  detcvto.exe
Token: SeDebugPrivilege  1808  detcvto.exe
Token: SeDebugPrivilege  520  detcvto.exe
Token: SeDebugPrivilege  3044  detcvto.exe
Token: SeDebugPrivilege  1496  detcvto.exe
Token: SeDebugPrivilege  376  detcvto.exe
Token: SeDebugPrivilege  2032  detcvto.exe
Token: SeDebugPrivilege  2400  detcvto.exe
Token: SeDebugPrivilege  2532  detcvto.exe
Token: SeDebugPrivilege  2812  detcvto.exe
Token: SeDebugPrivilege  760  detcvto.exe
Token: SeDebugPrivilege  1512  detcvto.exe
Token: SeDebugPrivilege  1468  detcvto.exe
Token: SeDebugPrivilege  584  detcvto.exe
Token: SeDebugPrivilege  2840  detcvto.exe
Token: SeDebugPrivilege  1812  detcvto.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
pid  process
2256  Pm2N2C2ndXU2J.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
description  pid  process  target process
PID 2256 wrote to memory of 2096  2256  Pm2N2C2ndXU2J.exe  powershell.exe
PID 2256 wrote to memory of 2096  2256  Pm2N2C2ndXU2J.exe  powershell.exe
PID 2256 wrote to memory of 2096  2256  Pm2N2C2ndXU2J.exe  powershell.exe
PID 2256 wrote to memory of 2696  2256  Pm2N2C2ndXU2J.exe  powershell.exe
PID 2256 wrote to memory of 2696  2256  Pm2N2C2ndXU2J.exe  powershell.exe
PID 2256 wrote to memory of 2696  2256  Pm2N2C2ndXU2J.exe  powershell.exe
PID 2256 wrote to memory of 2624  2256  Pm2N2C2ndXU2J.exe  powershell.exe
PID 2256 wrote to memory of 2624  2256  Pm2N2C2ndXU2J.exe  powershell.exe
PID 2256 wrote to memory of 2624  2256  Pm2N2C2ndXU2J.exe  powershell.exe
PID 2256 wrote to memory of 2508  2256  Pm2N2C2ndXU2J.exe  powershell.exe
PID 2256 wrote to memory of 2508  2256  Pm2N2C2ndXU2J.exe  powershell.exe
PID 2256 wrote to memory of 2508  2256  Pm2N2C2ndXU2J.exe  powershell.exe
PID 2256 wrote to memory of 2808  2256  Pm2N2C2ndXU2J.exe  schtasks.exe
PID 2256 wrote to memory of 2808  2256  Pm2N2C2ndXU2J.exe  schtasks.exe
PID 2256 wrote to memory of 2808  2256  Pm2N2C2ndXU2J.exe  schtasks.exe
PID 1816 wrote to memory of 2380  1816  taskeng.exe  detcvto.exe
PID 1816 wrote to memory of 2380  1816  taskeng.exe  detcvto.exe
PID 1816 wrote to memory of 2380  1816  taskeng.exe  detcvto.exe
PID 1816 wrote to memory of 1560  1816  taskeng.exe  detcvto.exe
PID 1816 wrote to memory of 1560  1816  taskeng.exe  detcvto.exe
PID 1816 wrote to memory of 1560  1816  taskeng.exe  detcvto.exe
PID 1816 wrote to memory of 1808  1816  taskeng.exe  detcvto.exe
PID 1816 wrote to memory of 1808  1816  taskeng.exe  detcvto.exe
PID 1816 wrote to memory of 1808  1816  taskeng.exe  detcvto.exe
PID 1816 wrote to memory of 520  1816  taskeng.exe  detcvto.exe
PID 1816 wrote to memory of 520  1816  taskeng.exe  detcvto.exe
PID 1816 wrote to memory of 520  1816  taskeng.exe  detcvto.exe
PID 1816 wrote to memory of 3044  1816  taskeng.exe  detcvto.exe
PID 1816 wrote to memory of 3044  1816  taskeng.exe  detcvto.exe
PID 1816 wrote to memory of 3044  1816  taskeng.exe  detcvto.exe
PID 1816 wrote to memory of 1496  1816  taskeng.exe  detcvto.exe
PID 1816 wrote to memory of 1496  1816  taskeng.exe  detcvto.exe
PID 1816 wrote to memory of 1496  1816  taskeng.exe  detcvto.exe
PID 1816 wrote to memory of 376  1816  taskeng.exe  detcvto.exe
PID 1816 wrote to memory of 376  1816  taskeng.exe  detcvto.exe
PID 1816 wrote to memory of 376  1816  taskeng.exe  detcvto.exe
PID 1816 wrote to memory of 2032  1816  taskeng.exe  detcvto.exe
PID 1816 wrote to memory of 2032  1816  taskeng.exe  detcvto.exe
PID 1816 wrote to memory of 2032  1816  taskeng.exe  detcvto.exe
PID 1816 wrote to memory of 2400  1816  taskeng.exe  detcvto.exe
PID 1816 wrote to memory of 2400  1816  taskeng.exe  detcvto.exe
PID 1816 wrote to memory of 2400  1816  taskeng.exe  detcvto.exe
PID 1816 wrote to memory of 2532  1816  taskeng.exe  detcvto.exe
PID 1816 wrote to memory of 2532  1816  taskeng.exe  detcvto.exe
PID 1816 wrote to memory of 2532  1816  taskeng.exe  detcvto.exe
PID 1816 wrote to memory of 2812  1816  taskeng.exe  detcvto.exe
PID 1816 wrote to memory of 2812  1816  taskeng.exe  detcvto.exe
PID 1816 wrote to memory of 2812  1816  taskeng.exe  detcvto.exe
PID 1816 wrote to memory of 760  1816  taskeng.exe  detcvto.exe
PID 1816 wrote to memory of 760  1816  taskeng.exe  detcvto.exe
PID 1816 wrote to memory of 760  1816  taskeng.exe  detcvto.exe
PID 1816 wrote to memory of 1512  1816  taskeng.exe  detcvto.exe
PID 1816 wrote to memory of 1512  1816  taskeng.exe  detcvto.exe
PID 1816 wrote to memory of 1512  1816  taskeng.exe  detcvto.exe
PID 1816 wrote to memory of 1468  1816  taskeng.exe  detcvto.exe
PID 1816 wrote to memory of 1468  1816  taskeng.exe  detcvto.exe
PID 1816 wrote to memory of 1468  1816  taskeng.exe  detcvto.exe
PID 1816 wrote to memory of 584  1816  taskeng.exe  detcvto.exe
PID 1816 wrote to memory of 584  1816  taskeng.exe  detcvto.exe
PID 1816 wrote to memory of 584  1816  taskeng.exe  detcvto.exe
PID 1816 wrote to memory of 2840  1816  taskeng.exe  detcvto.exe
PID 1816 wrote to memory of 2840  1816  taskeng.exe  detcvto.exe
PID 1816 wrote to memory of 2840  1816  taskeng.exe  detcvto.exe
PID 1816 wrote to memory of 1812  1816  taskeng.exe  detcvto.exe
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\Pm2N2C2ndXU2J.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Pm2N2C2ndXU2J.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2256

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Pm2N2C2ndXU2J.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2096

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Pm2N2C2ndXU2J.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2696

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\detcvto.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2624

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'detcvto.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2508

    C:\Windows\System32\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "detcvto" /tr "C:\Users\Admin\AppData\Roaming\detcvto.exe"
      - Creates scheduled task(s)
      PID: 2808

C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {FE289E71-6608-485D-B4D2-084DB89125B0} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  PID: 1816

    C:\Users\Admin\AppData\Roaming\detcvto.exe
      Command line: C:\Users\Admin\AppData\Roaming\detcvto.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID: 2380

    C:\Users\Admin\AppData\Roaming\detcvto.exe
      Command line: C:\Users\Admin\AppData\Roaming\detcvto.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID: 1560

    C:\Users\Admin\AppData\Roaming\detcvto.exe
      Command line: C:\Users\Admin\AppData\Roaming\detcvto.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID: 1808

    C:\Users\Admin\AppData\Roaming\detcvto.exe
      Command line: C:\Users\Admin\AppData\Roaming\detcvto.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID: 520

    C:\Users\Admin\AppData\Roaming\detcvto.exe
      Command line: C:\Users\Admin\AppData\Roaming\detcvto.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID: 3044

    C:\Users\Admin\AppData\Roaming\detcvto.exe
      Command line: C:\Users\Admin\AppData\Roaming\detcvto.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID: 1496

    C:\Users\Admin\AppData\Roaming\detcvto.exe
      Command line: C:\Users\Admin\AppData\Roaming\detcvto.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID: 376

    C:\Users\Admin\AppData\Roaming\detcvto.exe
      Command line: C:\Users\Admin\AppData\Roaming\detcvto.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID: 2032

    C:\Users\Admin\AppData\Roaming\detcvto.exe
      Command line: C:\Users\Admin\AppData\Roaming\detcvto.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID: 2400

    C:\Users\Admin\AppData\Roaming\detcvto.exe
      Command line: C:\Users\Admin\AppData\Roaming\detcvto.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID: 2532

    C:\Users\Admin\AppData\Roaming\detcvto.exe
      Command line: C:\Users\Admin\AppData\Roaming\detcvto.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID: 2812

    C:\Users\Admin\AppData\Roaming\detcvto.exe
      Command line: C:\Users\Admin\AppData\Roaming\detcvto.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID: 760

    C:\Users\Admin\AppData\Roaming\detcvto.exe
      Command line: C:\Users\Admin\AppData\Roaming\detcvto.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID: 1512

    C:\Users\Admin\AppData\Roaming\detcvto.exe
      Command line: C:\Users\Admin\AppData\Roaming\detcvto.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID: 1468

    C:\Users\Admin\AppData\Roaming\detcvto.exe
      Command line: C:\Users\Admin\AppData\Roaming\detcvto.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID: 584

    C:\Users\Admin\AppData\Roaming\detcvto.exe
      Command line: C:\Users\Admin\AppData\Roaming\detcvto.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID: 2840

    C:\Users\Admin\AppData\Roaming\detcvto.exe
      Command line: C:\Users\Admin\AppData\Roaming\detcvto.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID: 1812
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: 12bcee4b192b9af5ffb3b116cdcf877f
SHA1: c334acfc2e7082f5fbcf70d3b2a140d5cb8f948c
SHA256: ca3986499372c37c2f789f8ec4fb68d9e9ab1d2d8f0f8e9d2b64ec4e3e5f4a6b
SHA512: 9ae23eaed9dfbcf41e4fb926546cd94eb3581d4795c1a64db23f2e227e58a8243c3c31d6ed4f16ade7ef1873b21f57eb0b7abd8665e5ba62346753ec0770c60f

Filesize: 85KB
MD5: 5c6fef1fff51ccb0110e57777177bc84
SHA1: 807be583f49b7512a8e1aac11d6c2475028c7abf
SHA256: 17edbd6b374bc695acd4f5e9e12ff27d7bca977ee06db54012388dfe7b3e5cc8
SHA512: 02795e12e22853a506db78f2f9960fe90904605dcbadd20b97994cb8db35be2f516ce0e37a5d3509ccf4a2c581ac21b74f9facb46427bc633a061d56816a13af