Analysis
- max time kernel: 143s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 31-05-2024 01:30
Behavioral task behavioral1
- Sample: 4d6f6d174d9c49b0fe5e98959e7eb65e.exe
- Resource: win7-20240221-en
Behavioral task behavioral2
- Sample: 4d6f6d174d9c49b0fe5e98959e7eb65e.exe
- Resource: win10v2004-20240226-en
General
- Target: 4d6f6d174d9c49b0fe5e98959e7eb65e.exe
- Size: 38KB
- MD5: 4d6f6d174d9c49b0fe5e98959e7eb65e
- SHA1: 21c18b4bfc0f13c72a472d004ec66f17c65b87e9
- SHA256: 17411b5f0a6618aab02247492f9ed3afad7fe7a4209a2355bf4b7c471ebca4a9
- SHA512: 18dfec2ab1760b0dd3d040a2e21f4de2fdba0e3decd594e0788a8c9fa098aba645f3bbca418657be99eb7a8ecebe924f1f59da6d9a1702e632079654c949a2be
- SSDEEP: 768:rPDWCCqCFyNRXGkUpQxZDHxmwb+XFyO9BHx6NO/hgDrl841:rPDWPFyNRXG+ZjIiAFT99x6NO/4l841
Malware Config
Extracted
- xworm
- 5.0
- by-mit.gl.at.ply.gg:3500
- EHm1yEhPOyWLIzo4
- Install_directory: %AppData%
- install_file: USB.exe
Signatures
-
Detect Xworm Payload 5 IoCs
Processes:
resource | yara_rule
behavioral1/memory/2008-1-0x00000000012F0000-0x0000000001300000-memory.dmp | family_xworm
C:\Users\Admin\AppData\Roaming\program | family_xworm
behavioral1/memory/2036-32-0x0000000000BC0000-0x0000000000BD0000-memory.dmp | family_xworm
behavioral1/memory/2748-37-0x0000000000C70000-0x0000000000C80000-memory.dmp | family_xworm
behavioral1/memory/1560-39-0x0000000000360000-0x0000000000370000-memory.dmp | family_xworm
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
pid | process
1964 | powershell.exe
2532 | powershell.exe
2412 | powershell.exe
2240 | powershell.exe
-
Drops startup file 2 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\program.lnk | 4d6f6d174d9c49b0fe5e98959e7eb65e.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\program.lnk | 4d6f6d174d9c49b0fe5e98959e7eb65e.exe
-
Executes dropped EXE 3 IoCs
Processes:
pid | process
2036 | program
2748 | program
1560 | program
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\program = "C:\\Users\\Admin\\AppData\\Roaming\\program" | 4d6f6d174d9c49b0fe5e98959e7eb65e.exe
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
4 | ip-api.com
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
pid | process
2240 | powershell.exe
1964 | powershell.exe
2532 | powershell.exe
2412 | powershell.exe
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 2008 | 4d6f6d174d9c49b0fe5e98959e7eb65e.exe
Token: SeDebugPrivilege | 2240 | powershell.exe
Token: SeDebugPrivilege | 1964 | powershell.exe
Token: SeDebugPrivilege | 2532 | powershell.exe
Token: SeDebugPrivilege | 2412 | powershell.exe
Token: SeDebugPrivilege | 2008 | 4d6f6d174d9c49b0fe5e98959e7eb65e.exe
Token: SeDebugPrivilege | 2036 | program
Token: SeDebugPrivilege | 2748 | program
Token: SeDebugPrivilege | 1560 | program
-
Suspicious use of WriteProcessMemory 24 IoCs
Processes:
description | pid | process | target process
PID 2008 wrote to memory of 2240 | 2008 | 4d6f6d174d9c49b0fe5e98959e7eb65e.exe | powershell.exe
PID 2008 wrote to memory of 2240 | 2008 | 4d6f6d174d9c49b0fe5e98959e7eb65e.exe | powershell.exe
PID 2008 wrote to memory of 2240 | 2008 | 4d6f6d174d9c49b0fe5e98959e7eb65e.exe | powershell.exe
PID 2008 wrote to memory of 1964 | 2008 | 4d6f6d174d9c49b0fe5e98959e7eb65e.exe | powershell.exe
PID 2008 wrote to memory of 1964 | 2008 | 4d6f6d174d9c49b0fe5e98959e7eb65e.exe | powershell.exe
PID 2008 wrote to memory of 1964 | 2008 | 4d6f6d174d9c49b0fe5e98959e7eb65e.exe | powershell.exe
PID 2008 wrote to memory of 2532 | 2008 | 4d6f6d174d9c49b0fe5e98959e7eb65e.exe | powershell.exe
PID 2008 wrote to memory of 2532 | 2008 | 4d6f6d174d9c49b0fe5e98959e7eb65e.exe | powershell.exe
PID 2008 wrote to memory of 2532 | 2008 | 4d6f6d174d9c49b0fe5e98959e7eb65e.exe | powershell.exe
PID 2008 wrote to memory of 2412 | 2008 | 4d6f6d174d9c49b0fe5e98959e7eb65e.exe | powershell.exe
PID 2008 wrote to memory of 2412 | 2008 | 4d6f6d174d9c49b0fe5e98959e7eb65e.exe | powershell.exe
PID 2008 wrote to memory of 2412 | 2008 | 4d6f6d174d9c49b0fe5e98959e7eb65e.exe | powershell.exe
PID 2008 wrote to memory of 2372 | 2008 | 4d6f6d174d9c49b0fe5e98959e7eb65e.exe | schtasks.exe
PID 2008 wrote to memory of 2372 | 2008 | 4d6f6d174d9c49b0fe5e98959e7eb65e.exe | schtasks.exe
PID 2008 wrote to memory of 2372 | 2008 | 4d6f6d174d9c49b0fe5e98959e7eb65e.exe | schtasks.exe
PID 560 wrote to memory of 2036 | 560 | taskeng.exe | program
PID 560 wrote to memory of 2036 | 560 | taskeng.exe | program
PID 560 wrote to memory of 2036 | 560 | taskeng.exe | program
PID 560 wrote to memory of 2748 | 560 | taskeng.exe | program
PID 560 wrote to memory of 2748 | 560 | taskeng.exe | program
PID 560 wrote to memory of 2748 | 560 | taskeng.exe | program
PID 560 wrote to memory of 1560 | 560 | taskeng.exe | program
PID 560 wrote to memory of 1560 | 560 | taskeng.exe | program
PID 560 wrote to memory of 1560 | 560 | taskeng.exe | program
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\4d6f6d174d9c49b0fe5e98959e7eb65e.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4d6f6d174d9c49b0fe5e98959e7eb65e.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2008
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\4d6f6d174d9c49b0fe5e98959e7eb65e.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2240
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '4d6f6d174d9c49b0fe5e98959e7eb65e.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1964
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\program'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2532
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'program'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2412
  - C:\Windows\System32\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "program" /tr "C:\Users\Admin\AppData\Roaming\program"
    - Creates scheduled task(s)
    PID: 2372
- C:\Windows\system32\taskeng.exe (depth 1)
  Command line: taskeng.exe {25FD996B-012D-486B-A909-D30C30DB8320} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  PID: 560
  - C:\Users\Admin\AppData\Roaming\program (depth 2)
    Command line: C:\Users\Admin\AppData\Roaming\program
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 2036
  - C:\Users\Admin\AppData\Roaming\program (depth 2)
    Command line: C:\Users\Admin\AppData\Roaming\program
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 2748
  - C:\Users\Admin\AppData\Roaming\program (depth 2)
    Command line: C:\Users\Admin\AppData\Roaming\program
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 1560
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: e1ead6df16ac7220ded7771a040bbaa2
  SHA1: b3164e71fd58752d86f05b34b526d15c7ee72830
  SHA256: 5335d25af6329808750c91ce1584d11b4a19b53ca70927abde291ef572234f62
  SHA512: f5b2e5e1a9b6b8453adae4f881f749a412b0e906a33cd05d2efb10b987b770a7c71729e29e99c801cf99e1aeb1a753378efa1d685e25ab78ff8af34101a61726
- (unnamed file)
  Filesize: 38KB
  MD5: 4d6f6d174d9c49b0fe5e98959e7eb65e
  SHA1: 21c18b4bfc0f13c72a472d004ec66f17c65b87e9
  SHA256: 17411b5f0a6618aab02247492f9ed3afad7fe7a4209a2355bf4b7c471ebca4a9
  SHA512: 18dfec2ab1760b0dd3d040a2e21f4de2fdba0e3decd594e0788a8c9fa098aba645f3bbca418657be99eb7a8ecebe924f1f59da6d9a1702e632079654c949a2be