Analysis
max time kernel: 52s
max time network: 56s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 30-05-2024 15:31
Behavioral task: behavioral1
Sample: читы на майн.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: читы на майн.exe
Resource: win10v2004-20240508-en
Errors
General
Target: читы на майн.exe
Size: 39KB
MD5: dfc191c2d6414fbefcda695fedcac614
SHA1: a2f01a5c1aa6da85d2d3593b71b509f50a880367
SHA256: 8fa8e02a32db4626290b784d771e051ad9d12f396c4e95267d8b072835e81be3
SHA512: 59fd4f6d6384b3df8eb67b47477e0474053ca30dff6a4bcf057bb2f8fb2a8a57eb4c11d8308d410290d55cde3bb47dd654eef9a235787a3b3e86103e9dfff9f2
SSDEEP: 768:WG7+qmT8ztyh6pwDYvCL2v6hCuuJf27iJ1fFWPG9/T6OOwhbjib5:VfmT8ztyh6pwDnKwCuuJfBFv9/T6OOwY
Malware Config
Extracted
Family: xworm
Version: 5.0
C2: 20.ip.gl.ply.gg:4219
sGAsjjcwpIJWoflZ
Install_directory: %AppData%
install_file: XClient.exe
Signatures

Contains code to disable Windows Defender (1 IoC)
A .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring, blocking at first seen, etc.
Processes:
- behavioral1/memory/1032-34-0x000000001AF70000-0x000000001AF7E000-memory.dmp (yara_rule: disable_win_def)

Detect Xworm Payload (1 IoC)
Processes:
- behavioral1/memory/1032-1-0x0000000001370000-0x0000000001380000-memory.dmp (yara_rule: family_xworm)

Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
- pid 2564 powershell.exe
- pid 2584 powershell.exe
- pid 2456 powershell.exe
- pid 3036 powershell.exe
Drops startup file (2 IoCs)
Processes:
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk (process: читы на майн.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk (process: читы на майн.exe)

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
- Set value (str): \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe" (process: читы на майн.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes:
- pid 3036 powershell.exe
- pid 2564 powershell.exe
- pid 2584 powershell.exe
- pid 2456 powershell.exe
- pid 1032 читы на майн.exe

Suspicious use of AdjustPrivilegeToken (8 IoCs)
Processes:
- Token: SeDebugPrivilege, pid 1032 читы на майн.exe
- Token: SeDebugPrivilege, pid 3036 powershell.exe
- Token: SeDebugPrivilege, pid 2564 powershell.exe
- Token: SeDebugPrivilege, pid 2584 powershell.exe
- Token: SeDebugPrivilege, pid 2456 powershell.exe
- Token: SeDebugPrivilege, pid 1032 читы на майн.exe
- Token: SeShutdownPrivilege, pid 2892 shutdown.exe
- Token: SeRemoteShutdownPrivilege, pid 2892 shutdown.exe

Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
- pid 1032 читы на майн.exe

Suspicious use of WriteProcessMemory (18 IoCs)
Processes (source process, target process):
- PID 1032 (читы на майн.exe) wrote to memory of 3036 (powershell.exe)
- PID 1032 (читы на майн.exe) wrote to memory of 3036 (powershell.exe)
- PID 1032 (читы на майн.exe) wrote to memory of 3036 (powershell.exe)
- PID 1032 (читы на майн.exe) wrote to memory of 2564 (powershell.exe)
- PID 1032 (читы на майн.exe) wrote to memory of 2564 (powershell.exe)
- PID 1032 (читы на майн.exe) wrote to memory of 2564 (powershell.exe)
- PID 1032 (читы на майн.exe) wrote to memory of 2584 (powershell.exe)
- PID 1032 (читы на майн.exe) wrote to memory of 2584 (powershell.exe)
- PID 1032 (читы на майн.exe) wrote to memory of 2584 (powershell.exe)
- PID 1032 (читы на майн.exe) wrote to memory of 2456 (powershell.exe)
- PID 1032 (читы на майн.exe) wrote to memory of 2456 (powershell.exe)
- PID 1032 (читы на майн.exe) wrote to memory of 2456 (powershell.exe)
- PID 1032 (читы на майн.exe) wrote to memory of 2124 (schtasks.exe)
- PID 1032 (читы на майн.exe) wrote to memory of 2124 (schtasks.exe)
- PID 1032 (читы на майн.exe) wrote to memory of 2124 (schtasks.exe)
- PID 1032 (читы на майн.exe) wrote to memory of 2892 (shutdown.exe)
- PID 1032 (читы на майн.exe) wrote to memory of 2892 (shutdown.exe)
- PID 1032 (читы на майн.exe) wrote to memory of 2892 (shutdown.exe)

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\читы на майн.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\читы на майн.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 1032

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\читы на майн.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 3036

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'читы на майн.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2564

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2584

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2456

  C:\Windows\System32\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
    - Creates scheduled task(s)
    PID: 2124

  C:\Windows\system32\shutdown.exe
    Command line: shutdown.exe /f /r /t 0
    - Suspicious use of AdjustPrivilegeToken
    PID: 2892

C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x0
  PID: 752

C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x1
  PID: 2188
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: ee80a6b1a7b4d496309b12b8b1ab4d9d
SHA1: 1f8c15075af43ed8813005c4cc95a48c87bf5d32
SHA256: 704cf4a9fec4d48d3a6e3ec31eb00ef5bde2cf7b7c2a77a7afe218acdc63b3bc
SHA512: 7785fd2475774c217725443d3994528936b3602ee074b72f7b483f9eb333d76472dc25a65ca2168281ef84579c49dcbfce6445d155bb2199d75b8f086e55a8f8

MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e