Analysis
max time kernel: 565s
max time network: 386s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 31-05-2024 09:00
Behavioral task behavioral1: Sample проверка.exe, Resource win10-20240404-en
Behavioral task behavioral2: Sample проверка.exe, Resource win10-20240404-en
General
Target: проверка.exe
Size: 102KB
MD5: 58174445e23753c941d39dc0453ac348
SHA1: 40e3a9047c49cbae6818297adcd03896d28364c2
SHA256: 1e5034d37e7751fb4039157219aee679bf76a8d3b0185a86c0d2255477a58171
SHA512: 523ef9adae27b83d87166be13e87944d3816cad08103b65ae2c964bf8828c0c949030e9e967d56b2bf40bba5b9466f8e4d21ccc220892c5f9365e2dd221fe072
SSDEEP: 1536:oBFpc8Z5dGYzabvawh+/C6vSX/QOcy/WPPqUs/uoDjSBSc7UtYVL:oa85dGCabvaw4/moOcy/R/1W0cgteL
Malware Config
Extracted
Family: xworm
19.ip.gl.ply.gg:65468
speed-wheat.gl.at.ply.gg:65468
XWorm V5.2:123
Install_directory: %AppData%
install_file: Delta.exe
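The extracted list above is the starting point for a network hunt. The Python below is an added example, not part of the Triage report or of the XWorm code base: it splits the extractor's entries into host:port pairs (setting aside any entry that is not syntactically a hostname and port, such as the third one, rather than treating it as a network indicator), then correlates DNS answers with later connections so that a connection to a resolved C2 address on the configured port is flagged separately from traffic to the same address on another port. The telemetry lines are constructed for the example in a made-up `<timestamp> <TYPE> k=v ...` format (an assumption, not any product's schema), and the IP addresses are documentation-range placeholders, not resolutions of the listed hostnames.

```python
import re

# The three entries exactly as the extractor listed them in the report above.
EXTRACTED = ["19.ip.gl.ply.gg:65468", "speed-wheat.gl.at.ply.gg:65468", "XWorm V5.2:123"]

# Constructed telemetry (assumed "<ts> <TYPE> k=v ..." format, not a real product schema).
# 198.51.100.0/24 is a documentation range; these are placeholders, not real resolutions.
LOGS = [
    "2024-05-31T09:01:02Z DNS pid=3480 query=speed-wheat.gl.at.ply.gg answer=198.51.100.23",
    "2024-05-31T09:01:02Z NET pid=3480 dst=198.51.100.23 dport=65468 proto=tcp",
    "2024-05-31T09:01:05Z DNS pid=4120 query=www.example.com answer=198.51.100.200",
    "2024-05-31T09:01:06Z NET pid=4120 dst=198.51.100.200 dport=443 proto=tcp",
    "2024-05-31T09:02:03Z DNS pid=3652 query=19.ip.gl.ply.gg. answer=198.51.100.77",
    "2024-05-31T09:02:04Z NET pid=3652 dst=198.51.100.77 dport=443 proto=tcp",
    "2024-05-31T09:02:05Z NET pid=3652 dst=198.51.100.77 dport=65468 proto=tcp",
]

# Hostname syntax: dotted labels of [a-z0-9-], no leading/trailing hyphen, at least two labels.
HOST_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_c2(entries):
    """Split extractor output into (host, port) pairs. Anything that is not
    syntactically hostname:port is returned separately instead of being
    treated as a network indicator."""
    c2, other = [], []
    for entry in entries:
        host, sep, port = entry.rpartition(":")
        host = host.strip().lower().rstrip(".")
        if sep and port.isdigit() and 0 < int(port) < 65536 and HOST_RE.match(host):
            c2.append((host, int(port)))
        else:
            other.append(entry)
    return c2, other


def parse_record(line):
    """'<ts> <TYPE> k=v k=v ...' -> dict with ts, kind and the key/value fields."""
    ts, kind, rest = line.split(" ", 2)
    rec = {"ts": ts, "kind": kind}
    rec.update(KV_RE.findall(rest))
    return rec


def hunt(lines, entries):
    """Flag DNS lookups of C2 hosts, then connections to the answered IPs:
    on the configured port (critical) or on any other port (medium, because a
    shared endpoint may also carry unrelated traffic)."""
    ports_by_host = dict(parse_c2(entries)[0])
    resolved = {}  # answered IP -> C2 hostname it was returned for
    findings = []
    for line in lines:
        rec = parse_record(line)
        if rec["kind"] == "DNS":
            name = rec.get("query", "").lower().rstrip(".")  # normalise trailing dot / case
            if name in ports_by_host:
                resolved[rec.get("answer")] = name
                findings.append({"rule": "c2_dns", "severity": "high", "ts": rec["ts"],
                                 "pid": rec.get("pid"), "host": name})
        elif rec["kind"] == "NET":
            name = resolved.get(rec.get("dst"))
            if name is None:
                continue
            port = int(rec.get("dport", "0"))
            if port == ports_by_host[name]:
                rule, severity = "c2_connect", "critical"
            else:
                rule, severity = "c2_ip_other_port", "medium"
            findings.append({"rule": rule, "severity": severity, "ts": rec["ts"],
                             "pid": rec.get("pid"), "host": name,
                             "dst": f'{rec.get("dst")}:{port}'})
    return findings


if __name__ == "__main__":
    print("network IOCs:", parse_c2(EXTRACTED))
    for f in hunt(LOGS, EXTRACTED):
        print(f)
```

The DNS-to-connection correlation matters here because the C2 hostnames are dynamic tunnel names: alerting on the hostname alone misses the connection, and alerting on port 65468 alone is noisy. Keying the connection check on addresses that were actually answered for a C2 name ties the two together, and the lower-severity rule for the same address on another port keeps that evidence without over-claiming.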
Signatures
Detect Xworm Payload (2 IoCs)
  resource: behavioral2/memory/2676-0-0x0000000000820000-0x0000000000840000-memory.dmp  yara_rule: family_xworm
  resource: C:\Users\Admin\AppData\Roaming\Delta.exe  yara_rule: family_xworm
Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths and processes.
  pid 216 powershell.exe
  pid 1584 powershell.exe
  pid 2192 powershell.exe
  pid 1296 powershell.exe
Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Delta.lnk  process: проверка.exe
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Delta.lnk  process: проверка.exe
Executes dropped EXE (9 IoCs)
  Delta.exe pids: 3480, 3652, 1992, 2648, 4824, 3552, 4664, 868, 60
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows\CurrentVersion\Run\Delta = "C:\\Users\\Admin\\AppData\\Roaming\\Delta.exe"  process: проверка.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (13 IoCs)
  pid 216 powershell.exe (3 entries)
  pid 1584 powershell.exe (3 entries)
  pid 2192 powershell.exe (3 entries)
  pid 1296 powershell.exe (3 entries)
  pid 2676 проверка.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs; the list is cut off at 64 entries)
  pid 2676 проверка.exe: SeDebugPrivilege
  pid 216 powershell.exe: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  pid 1584 powershell.exe: the same sequence as pid 216
  pid 2192 powershell.exe: the same sequence as pid 216 up to and including token 33, where the 64-entry list ends
Suspicious use of SetWindowsHookEx (1 IoC)
  pid 2676 проверка.exe
Suspicious use of WriteProcessMemory (10 IoCs)
  PID 2676 проверка.exe wrote to memory of 216 powershell.exe (2 entries)
  PID 2676 проверка.exe wrote to memory of 1584 powershell.exe (2 entries)
  PID 2676 проверка.exe wrote to memory of 2192 powershell.exe (2 entries)
  PID 2676 проверка.exe wrote to memory of 1296 powershell.exe (2 entries)
  PID 2676 проверка.exe wrote to memory of 1984 schtasks.exe (2 entries)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\проверка.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\проверка.exe"
  PID 2676
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\проверка.exe'
      PID 216
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'проверка.exe'
      PID 1584
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Delta.exe'
      PID 2192
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Delta.exe'
      PID 1296
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
    C:\Windows\System32\schtasks.exe
      command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Delta" /tr "C:\Users\Admin\AppData\Roaming\Delta.exe"
      PID 1984
      - Creates scheduled task(s)

C:\Users\Admin\AppData\Roaming\Delta.exe (nine top-level instances, one per launch)
  command line: C:\Users\Admin\AppData\Roaming\Delta.exe
  PIDs 3480, 3652, 1992, 2648, 4824, 3552, 4664, 868, 60
  - Executes dropped EXE
  These instances are not children of проверка.exe; repeated top-level launches are consistent with the one-minute scheduled task created by PID 1984 (/sc minute /mo 1).
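The command lines in the process tree give exactly the strings a detection should key on: Add-MpPreference with an -ExclusionPath or -ExclusionProcess argument, schtasks /create with a one-minute interval and /RL HIGHEST whose action lives under %AppData%, and a Run value plus a Startup-folder .lnk pointing at the same binary. The Python below is an added example (not from the report, from Triage or from any product) that encodes those checks as process, registry and file event rules; the events are constructed from the report's command lines plus benign controls, and the field names (`type`, `pid`, `image`, `cmdline`, `key`, `data`, `path`) are assumptions about a generic event shape, not a specific EDR schema. MITRE technique IDs are attached so findings map onto the ATT&CK section of a report like this one.

```python
import re

# Directory markers a standard user can write to. A persisted binary under one
# of these is a much stronger signal than one under Program Files or System32.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

EXCLUSION_RE = re.compile(
    r"-Exclusion(Path|Process|Extension|IpAddress)\s+(?:'([^']*)'|\"([^\"]*)\"|(\S+))", re.I)
TASK_ARG_RE = r'/%s\s+(?:"([^"]*)"|(\S+))'
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\([^\\]+)$", re.I)
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+$", re.I)

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"


def ps(args: str) -> str:
    """Build a PowerShell command line in the shape seen in the process tree."""
    return f'"{PS}" -ExecutionPolicy Bypass {args}'


# Constructed events (assumed generic field names, not an EDR export). The first seven
# mirror the report's command lines; the last three are benign controls.
EVENTS = [
    {"type": "process", "pid": 216, "image": PS,
     "cmdline": ps(r"Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\проверка.exe'")},
    {"type": "process", "pid": 1584, "image": PS,
     "cmdline": ps(r"Add-MpPreference -ExclusionProcess 'проверка.exe'")},
    {"type": "process", "pid": 2192, "image": PS,
     "cmdline": ps(r"Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Delta.exe'")},
    {"type": "process", "pid": 1296, "image": PS,
     "cmdline": ps(r"Add-MpPreference -ExclusionProcess 'Delta.exe'")},
    {"type": "process", "pid": 1984, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Delta" /tr "C:\Users\Admin\AppData\Roaming\Delta.exe"'},
    {"type": "registry", "pid": 2676,
     "key": r"\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows\CurrentVersion\Run\Delta",
     "data": r"C:\Users\Admin\AppData\Roaming\Delta.exe"},
    {"type": "file", "pid": 2676,
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Delta.lnk"},
    {"type": "process", "pid": 5000, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /create /sc daily /st 02:00 /tn "Backup" /tr "C:\Program Files\Backup\backup.exe"'},
    {"type": "process", "pid": 5001, "image": PS, "cmdline": f'"{PS}" Get-MpPreference'},
    {"type": "registry", "pid": 5002,
     "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
]


def user_writable(path: str) -> bool:
    p = path.strip('"').lower().replace("/", "\\")
    return any(marker in p for marker in USER_WRITABLE)


def _arg(cmdline: str, switch: str) -> str:
    """Value of a schtasks switch such as /tr or /tn, quotes removed; '' if absent."""
    m = re.search(TASK_ARG_RE % switch, cmdline, re.I)
    if not m:
        return ""
    return m.group(1) if m.group(1) is not None else m.group(2)


def check_defender_exclusion(cmdline: str):
    """T1562.001: Add-/Set-MpPreference used to carve out Defender exclusions."""
    if not re.search(r"\b(Add|Set)-MpPreference\b", cmdline, re.I):
        return None
    exclusions = [(m.group(1).lower(), m.group(2) or m.group(3) or m.group(4))
                  for m in EXCLUSION_RE.finditer(cmdline)]
    if not exclusions:
        return None
    return {"technique": "T1562.001", "name": "Defender exclusion added",
            "exclusions": exclusions,
            "execution_policy_bypass": bool(re.search(r"-ExecutionPolicy\s+Bypass", cmdline, re.I))}


def check_schtasks(cmdline: str):
    """T1053.005: schtasks /create scored on short interval, /RL HIGHEST and a user-writable action."""
    low = cmdline.lower()
    if "schtasks" not in low or "/create" not in low:
        return None
    target = _arg(cmdline, "tr")
    score, reasons = 0, []
    sc = re.search(r"/sc\s+(\w+)", low)
    mo = re.search(r"/mo\s+(\d+)", low)
    if sc and sc.group(1) == "minute":
        every = int(mo.group(1)) if mo else 1  # schtasks defaults /mo to 1
        if every <= 5:  # watchdog-style re-execution, as in the report's /sc minute /mo 1
            score += 1
            reasons.append(f"re-runs every {every} minute(s)")
    if re.search(r"/rl\s+highest", low):
        score += 1
        reasons.append("/RL HIGHEST")
    if user_writable(target):
        score += 2
        reasons.append("action in user-writable directory")
    if score < 2:  # /RL HIGHEST or a short interval alone is common for legitimate admin tasks
        return None
    return {"technique": "T1053.005", "name": "Suspicious scheduled task",
            "task": _arg(cmdline, "tn"), "target": target, "reasons": reasons}


def check_run_key(key: str, data: str):
    """T1547.001: Run/RunOnce value whose command lives in a user-writable directory."""
    m = RUN_KEY_RE.search(key)
    if not m or not user_writable(data):
        return None
    return {"technique": "T1547.001", "name": "Run key to user-writable path",
            "value": m.group(2), "target": data.strip('"')}


def check_startup_drop(path: str):
    """T1547.001: file written into a Startup folder."""
    if not STARTUP_RE.search(path):
        return None
    return {"technique": "T1547.001", "name": "Startup folder drop", "target": path}


def analyze(events):
    findings = []
    for ev in events:
        hit = None
        if ev["type"] == "process":
            hit = check_defender_exclusion(ev["cmdline"]) or check_schtasks(ev["cmdline"])
        elif ev["type"] == "registry":
            hit = check_run_key(ev["key"], ev["data"])
        elif ev["type"] == "file":
            hit = check_startup_drop(ev["path"])
        if hit:
            findings.append({"pid": ev["pid"], "image": ev.get("image", ""), **hit})
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f["pid"], f["technique"], f["name"], {k: v for k, v in f.items() if k not in ("pid", "technique", "name", "image")})
```

Two design points carry over to a production rule. The exclusion check fires on the cmdlet and its -Exclusion* argument regardless of how PowerShell was launched, because the value of the finding is the excluded path itself (here the dropper in Temp and the installed copy in Roaming), which is what an analyst then has to remove with Remove-MpPreference. The scheduled-task check is scored rather than keyed on any single switch, so that a daily task with /RL HIGHEST in Program Files stays quiet while a one-minute task whose action sits in AppData is flagged even without the elevated run level.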
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 654B
MD5: 16c5fce5f7230eea11598ec11ed42862
SHA1: 75392d4824706090f5e8907eee1059349c927600
SHA256: 87ba77c13905298acbac72be90949c4fe0755b6eff9777615aa37f252515f151
SHA512: 153edd6da59beea6cc411ed7383c32916425d6ebb65f04c65aab7c1d6b25443d143aa8449aa92149de0ad8a975f6ecaa60f9f7574536eec6b38fe5fd3a6c6adc

Filesize: 3KB
MD5: ad5cd538ca58cb28ede39c108acb5785
SHA1: 1ae910026f3dbe90ed025e9e96ead2b5399be877
SHA256: c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033
SHA512: c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Filesize: 1KB
MD5: fd41e1ba4835adec899ed7905d5039fd
SHA1: 55c666452650cc077b47e615b84c622b4afc980d
SHA256: f8edbfd136092e1db709454ca04b104453b2f5578f11112833b05a5b0a54181a
SHA512: 1601a9ee8bdcb83330adbef0a7060e4650f3243f0f7baa48f17af0f24859fea017f3fc5119a514f90162fcf5ce300359709cb1eb95200e33c153879421272b5b

Filesize: 1KB
MD5: bdb89e4e6bb7f27b7e8991124fdaca34
SHA1: 508ba7f68c8185214c131a33076b0743b332cdcd
SHA256: 3c2b94113c7d7de88d0015202b3d3a54883a9a79a8295f97fec36debaf2555b9
SHA512: 3278dab242e7fb5d8ad592874716f3187f6c05a7b62f7e64e9170a6515e91232cb04a7916adad7f1bd3fdfd939eb7ce041f5c2e8933f4d8449fe14433c359e58

Filesize: 1KB
MD5: f089ad0cb060f2a4ffb3d14964aba510
SHA1: d9d819af321d0f1f446a0b36ea06de9146f36e9e
SHA256: 4ddfc128d83acbd6c5edab2b4a31bb62505a228ced3becb66fb587e5b3c9708d
SHA512: aa43ed02096a33b06775864fab1aaabf38577399047b4065da2b3372b659e0691f0ce9b21ff1507cf863d72fc6413c38f2c6c0d1a5bb7fcb52e27637199dc258

Filesize: 1B (these are the hashes of the single ASCII byte "1")
MD5: c4ca4238a0b923820dcc509a6f75849b
SHA1: 356a192b7913b04c54574d18c28d46e6395428ab
SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512: 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Filesize: 102KB (identical hashes to the submitted sample in the General section)
MD5: 58174445e23753c941d39dc0453ac348
SHA1: 40e3a9047c49cbae6818297adcd03896d28364c2
SHA256: 1e5034d37e7751fb4039157219aee679bf76a8d3b0185a86c0d2255477a58171
SHA512: 523ef9adae27b83d87166be13e87944d3816cad08103b65ae2c964bf8828c0c949030e9e967d56b2bf40bba5b9466f8e4d21ccc220892c5f9365e2dd221fe072