Analysis

  • max time kernel
    89s
  • max time network
    90s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    31-05-2024 02:04

Errors

Reason
Machine shutdown

General

  • Target

    Stand.Launchpad.exe

  • Size

    212KB

  • MD5

    22ae86c6104a84186ae0c01df1e7abc4

  • SHA1

    b863e83a52093041dc3542a4ae831a04f2598a76

  • SHA256

    89f5545ab55f3eded4fc73b6dcc252d642c507f19d259618bc3464f30314fc57

  • SHA512

    86dc9377aa9a108fbb6fbe780c14ee82f670cd1ef53a5279e5d58b512a438a63043547148d6fef1e6a1029a307b696f2936ea7556d6926154e410e64ddb078d7

  • SSDEEP

    3072:IrT7Qg5ltZ2fWGp6Oc7bio0/T4RvdVJUXJV8I2nyV:4T7Qg6uGsOc7bq74gX78vny

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:40971

us3.localto.net:40971

Name1442-40971.portmap.host:40971

Attributes
  • Install_directory

    %Temp%

  • install_file

    Stand.exe

  • telegram

    https://api.telegram.org/bot6916721041:AAGsGXyaplDWQ9HJlE88Z36KtBFClSB3E20

Signatures

  • Detect Xworm Payload 3 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Downloads MZ/PE file
  • Drops startup file 2 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies system certificate store 2 TTPs 4 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe
    "C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2968
    • C:\Users\Admin\AppData\Roaming\XClient.exe
      "C:\Users\Admin\AppData\Roaming\XClient.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2992
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1116
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1988
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Stand.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2460
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Stand.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2264
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Stand" /tr "C:\Users\Admin\AppData\Local\Temp\Stand.exe"
        3⤵
        • Creates scheduled task(s)
        PID:2836
      • C:\Windows\system32\shutdown.exe
        shutdown.exe /f /s /t 0
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2820
    • C:\Users\Admin\AppData\Roaming\Stand.Launchpad.exe
      "C:\Users\Admin\AppData\Roaming\Stand.Launchpad.exe"
      2⤵
      • Executes dropped EXE
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:1880
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {A760FDA5-BF3B-49B6-8F43-251A80E80863} S-1-5-21-2297530677-1229052932-2803917579-1000:HKULBIBU\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1412
    • C:\Users\Admin\AppData\Local\Temp\Stand.exe
      C:\Users\Admin\AppData\Local\Temp\Stand.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1572
    • C:\Users\Admin\AppData\Local\Temp\Stand.exe
      C:\Users\Admin\AppData\Local\Temp\Stand.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1904
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    1⤵
      PID:2160
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x1
      1⤵
        PID:2188

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

        Filesize

        70KB

        MD5

        49aebf8cbd62d92ac215b2923fb1b9f5

        SHA1

        1723be06719828dda65ad804298d0431f6aff976

        SHA256

        b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

        SHA512

        bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

      • C:\Users\Admin\AppData\Local\Calamity,_Inc\Stand.Launchpad.exe_Url_rxanxxbu4srmj115yvji3p4n1zoatvms\1.9.0.0\user.config

        Filesize

        946B

        MD5

        b4ae24f20e59e454d57443d663a7581e

        SHA1

        68ab33e7fcea8bf79d76728fc49338d0d10a12f6

        SHA256

        8409dd0aa292b3bf50903a7ca1a1a0d6697d5c7b0ed3d1c5e43ebdf6f82db074

        SHA512

        25a7cbc382609d298ecaedea567231ac6ba0856bc523550912fd7b8393a29664ad68e9490dff0ff25b18b7a018476798c4df1000ebc99174bb6f2d5604e383f5

      • C:\Users\Admin\AppData\Local\Calamity,_Inc\Stand.Launchpad.exe_Url_rxanxxbu4srmj115yvji3p4n1zoatvms\1.9.0.0\user.config

        Filesize

        1KB

        MD5

        4914bef93f236a5cb24b4c07e9d4a98a

        SHA1

        b53f8fb945a449dd8a76d4412c5439b29b929b9e

        SHA256

        0abb6c072277956c8e3d6810dc9d9795544098f46a1fc79ab2e39c3f70d84a5a

        SHA512

        3242dbf1f58263ab1409d558b5ba1846e235da17246f1abbab768ec1ed449367e30c6d17d4986aa117c42ea225e87ff2c438d46765f1b5841e3a5b9b571ccb10

      • C:\Users\Admin\AppData\Local\Temp\Tar24B7.tmp

        Filesize

        181KB

        MD5

        4ea6026cf93ec6338144661bf1202cd1

        SHA1

        a1dec9044f750ad887935a01430bf49322fbdcb7

        SHA256

        8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

        SHA512

        6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

        Filesize

        7KB

        MD5

        2251043518b592782c5d272c73eed406

        SHA1

        3d4bd082d95be4075f0ecf072e3524ca7da41d35

        SHA256

        efd81770646b127e6dd76919ab78c3553b3b8183c6fa9edf95d4146baad66865

        SHA512

        2413844bbecf182d8571e4f5fb9f4a0654a1cc441843dc55b96dceb9afcae8720473bd8f57fa4cc69ac1f5a3b3ad3b6880217bf1fb346f73d71b85f70154207b

      • C:\Users\Admin\AppData\Roaming\XClient.exe

        Filesize

        107KB

        MD5

        e685cc4873452d489409e0bbd16dca9b

        SHA1

        43394bfd90e8a4cb010ec9aeace520f18d981a9c

        SHA256

        cd6e5a6025710aeee5a7b805d370f16bd1ded7bb5d4ffa1f8e7241c07ca05ac5

        SHA512

        73d1efa4223f6f596f7036022bc91ca54b24e8befc3c6b1ea83942edf0e5746ecaf3394b3ae0ce1e64155a589722db654b34a92ce67f7f67b52651aacf536c27

      • \??\PIPE\srvsvc

        MD5

        d41d8cd98f00b204e9800998ecf8427e

        SHA1

        da39a3ee5e6b4b0d3255bfef95601890afd80709

        SHA256

        e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

        SHA512

        cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

      • \Users\Admin\AppData\Roaming\Stand.Launchpad.exe

        Filesize

        74KB

        MD5

        9c6b82e8191fe81dc873b9aa936eafe3

        SHA1

        fe0813eabfcd7f6c0c62ef01a327b0f1e222119f

        SHA256

        87403d832ec357593e22d9fe211daa9f22964b3ecc59cd68a312fe3b8bc9f556

        SHA512

        d122c04a250f285521fce7c12f6dc2971ad0e7f24c60350b99a128e96160c6da06834303ad9a485be833165752265e083c747c656bc62d854b2be4c41e89edec

      • memory/1116-62-0x000000001B780000-0x000000001BA62000-memory.dmp

        Filesize

        2.9MB

      • memory/1116-63-0x0000000001E80000-0x0000000001E88000-memory.dmp

        Filesize

        32KB

      • memory/1572-91-0x0000000000F80000-0x0000000000FA0000-memory.dmp

        Filesize

        128KB

      • memory/1880-14-0x000000013FB70000-0x000000013FB86000-memory.dmp

        Filesize

        88KB

      • memory/1988-69-0x000000001B430000-0x000000001B712000-memory.dmp

        Filesize

        2.9MB

      • memory/1988-70-0x0000000002240000-0x0000000002248000-memory.dmp

        Filesize

        32KB

      • memory/2968-0-0x000007FEF5C43000-0x000007FEF5C44000-memory.dmp

        Filesize

        4KB

      • memory/2968-1-0x0000000000CC0000-0x0000000000CFA000-memory.dmp

        Filesize

        232KB

      • memory/2992-15-0x000007FEF5C40000-0x000007FEF662C000-memory.dmp

        Filesize

        9.9MB

      • memory/2992-87-0x000007FEF5C40000-0x000007FEF662C000-memory.dmp

        Filesize

        9.9MB

      • memory/2992-92-0x0000000000D50000-0x0000000000D5A000-memory.dmp

        Filesize

        40KB

      • memory/2992-12-0x0000000001090000-0x00000000010B0000-memory.dmp

        Filesize

        128KB

      • memory/2992-106-0x000007FEF5C40000-0x000007FEF662C000-memory.dmp

        Filesize

        9.9MB