Analysis

- max time kernel: 34s
- max time network: 35s
- platform: windows7_x64
- resource: win7-20240215-en
- resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
- submitted: 31-05-2024 03:11
Behavioral task: behavioral1
- Sample: KVRT.exe
- Resource: win7-20240215-en

Behavioral task: behavioral2
- Sample: KVRT.exe
- Resource: win10v2004-20240508-en
Errors

General
- Target: KVRT.exe
- Size: 95KB
- MD5: caacc00a3a1be01e99f29abcf5f242c4
- SHA1: 2605c5337c15fda32deafe27d49baf34ab892561
- SHA256: 209e122072c202f0e7663407dbfb6c99774360ee736fcaad8a6998adbb06224e
- SHA512: 3ca0c64f573bb07b2b93ec2bbffe9684bbc6e764f0ab07d716d1d035897aaf0c6d71444e569deb28ef57067717b30f52b20eba5176c657fe0c69746778d852e1
- SSDEEP: 1536:ayKsbRFiE6iZdEOOQ/hAyBxbBTNk34Y6yRNZpqHOy+guV5V:dPRp6bPQG4xbB44gZgHOy+F5V
Malware Config

Extracted: xworm
- 127.0.0.1:40971
- us3.localto.net:40971
- Name1442-40971.portmap.host:40971
- Install_directory: %Temp%
- install_file: KVRT.exe
- telegram: https://api.telegram.org/bot6916721041:AAGsGXyaplDWQ9HJlE88Z36KtBFClSB3E20
Signatures

- Detect Xworm Payload (1 IoC)
  Processes:
  resource: behavioral1/memory/2040-1-0x0000000000D30000-0x0000000000D4E000-memory.dmp; yara_rule: family_xworm

- Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  Processes:
  pid 2276 powershell.exe
  pid 2604 powershell.exe
  pid 2448 powershell.exe
  pid 2904 powershell.exe

- Drops startup file (2 IoCs)
  Processes:
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KVRT.lnk (process: KVRT.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KVRT.lnk (process: KVRT.exe)

- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  Set value (str): \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\KVRT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KVRT.exe" (process: KVRT.exe)

- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  flow 4: ip-api.com

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes:
  pid 2040 KVRT.exe

- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes:
  pid 2276 powershell.exe
  pid 2604 powershell.exe
  pid 2448 powershell.exe
  pid 2904 powershell.exe
  pid 2040 KVRT.exe

- Suspicious use of AdjustPrivilegeToken (9 IoCs)
  Processes:
  Token: SeDebugPrivilege, pid 2040 KVRT.exe
  Token: SeDebugPrivilege, pid 2276 powershell.exe
  Token: SeDebugPrivilege, pid 2604 powershell.exe
  Token: SeDebugPrivilege, pid 2448 powershell.exe
  Token: SeDebugPrivilege, pid 2904 powershell.exe
  Token: SeDebugPrivilege, pid 2040 KVRT.exe
  Token: SeDebugPrivilege, pid 1236 KVRT.exe
  Token: SeShutdownPrivilege, pid 1708 shutdown.exe
  Token: SeRemoteShutdownPrivilege, pid 1708 shutdown.exe

- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
  pid 2040 KVRT.exe

- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes (source pid -> target pid, source process -> target process):
  PID 2040 wrote to memory of 2276: KVRT.exe -> powershell.exe
  PID 2040 wrote to memory of 2276: KVRT.exe -> powershell.exe
  PID 2040 wrote to memory of 2276: KVRT.exe -> powershell.exe
  PID 2040 wrote to memory of 2604: KVRT.exe -> powershell.exe
  PID 2040 wrote to memory of 2604: KVRT.exe -> powershell.exe
  PID 2040 wrote to memory of 2604: KVRT.exe -> powershell.exe
  PID 2040 wrote to memory of 2448: KVRT.exe -> powershell.exe
  PID 2040 wrote to memory of 2448: KVRT.exe -> powershell.exe
  PID 2040 wrote to memory of 2448: KVRT.exe -> powershell.exe
  PID 2040 wrote to memory of 2904: KVRT.exe -> powershell.exe
  PID 2040 wrote to memory of 2904: KVRT.exe -> powershell.exe
  PID 2040 wrote to memory of 2904: KVRT.exe -> powershell.exe
  PID 2040 wrote to memory of 2748: KVRT.exe -> schtasks.exe
  PID 2040 wrote to memory of 2748: KVRT.exe -> schtasks.exe
  PID 2040 wrote to memory of 2748: KVRT.exe -> schtasks.exe
  PID 2216 wrote to memory of 1236: taskeng.exe -> KVRT.exe
  PID 2216 wrote to memory of 1236: taskeng.exe -> KVRT.exe
  PID 2216 wrote to memory of 1236: taskeng.exe -> KVRT.exe
  PID 2040 wrote to memory of 1708: KVRT.exe -> shutdown.exe
  PID 2040 wrote to memory of 1708: KVRT.exe -> shutdown.exe
  PID 2040 wrote to memory of 1708: KVRT.exe -> shutdown.exe

- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

- C:\Users\Admin\AppData\Local\Temp\KVRT.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\KVRT.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2040

  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\KVRT.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2276

  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'KVRT.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2604

  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\KVRT.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2448

  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'KVRT.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2904

  - C:\Windows\System32\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "KVRT" /tr "C:\Users\Admin\AppData\Local\Temp\KVRT.exe"
    - Creates scheduled task(s)
    PID: 2748

  - C:\Windows\system32\shutdown.exe
    Command line: shutdown.exe /f /s /t 0
    - Suspicious use of AdjustPrivilegeToken
    PID: 1708

- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {D86AC03E-CA92-4624-9891-41C0CD1FFE2F} S-1-5-21-2248906074-2862704502-246302768-1000:GHPZRGFC\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  PID: 2216

  - C:\Users\Admin\AppData\Local\Temp\KVRT.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\KVRT.exe
    - Suspicious use of AdjustPrivilegeToken
    PID: 1236

- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x0
  PID: 2236

- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x1
  PID: 2832
Network
MITRE ATT&CK Enterprise v15
Downloads

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: e41fa111432d4614bb0891e1c5cfe79c
  SHA1: c86f49e0bb88d195161fd0948b75dc57383dd430
  SHA256: 6520a7f4d23b56f9c832cb9f77ba79e3846d42e0cc578211c9d48be2dda6b7a3
  SHA512: c4bb6ef2677f2071deb31b2645abce18b2afc517c7ec4ce264b57d4d90e5fbe1f75750fc90b15dc089588245c0c95969193b535a3cc94b511675e44e0ddbf7a7