Analysis
max time kernel: 102s
max time network: 137s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 01/06/2024, 17:03
Static task: static1
Behavioral task: behavioral1
  Sample: проверка.rar
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: проверка.rar
  Resource: win10v2004-20240226-en
General
Target: проверка.rar
Size: 67KB
MD5: e89a677ddfa8a60aeb45e72531e46847
SHA1: ae5f8093367716bf77003276f9886e6869fa9b19
SHA256: 0405ea85262008c736e2113f4fbfa1b9eadc1e59fea50737ed5edb4326f686a9
SHA512: 86d138e41045c77251d88e9a93649ce5591c3c743a026e8d68923b89c0a7e1b9adb04ffeb64869025c5599544dc03d815b9594392a2869e87753d80a7225796c
SSDEEP: 1536:gSQMWjVGooE2vo7Ugl77wYAMHWwHVBhxmnZPVA5H:dQGob2vKl5HHvJy2H
Malware Config
Extracted
Family: xworm
19.ip.gl.ply.gg:65468
speed-wheat.gl.at.ply.gg:65468
XWorm V5.2:123
Install_directory: %AppData%
install_file: Delta.exe
Signatures

Detect Xworm Payload (3 IoCs)
resource | yara_rule
behavioral1/files/0x000900000001441e-26.dat | family_xworm
behavioral1/memory/2492-28-0x00000000003B0000-0x00000000003D0000-memory.dmp | family_xworm
behavioral1/memory/2416-60-0x0000000000F10000-0x0000000000F30000-memory.dmp | family_xworm

Command and Scripting Interpreter: PowerShell (1 TTPs, 4 IoCs)
Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
888 | powershell.exe
2404 | powershell.exe
2396 | powershell.exe
472 | powershell.exe

Drops startup file (2 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Delta.lnk | проверка.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Delta.lnk | проверка.exe

Executes dropped EXE (3 IoCs)
pid | Process
2492 | проверка.exe
2416 | Delta.exe
2520 | Delta.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Delta = "C:\\Users\\Admin\\AppData\\Roaming\\Delta.exe" | проверка.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2320 | schtasks.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process
2404 | powershell.exe
2396 | powershell.exe
472 | powershell.exe
888 | powershell.exe
2492 | проверка.exe
2492 | проверка.exe

Suspicious use of AdjustPrivilegeToken (11 IoCs)
description | pid | Process
Token: SeRestorePrivilege | 2956 | 7zFM.exe
Token: 35 | 2956 | 7zFM.exe
Token: SeSecurityPrivilege | 2956 | 7zFM.exe
Token: SeDebugPrivilege | 2492 | проверка.exe
Token: SeDebugPrivilege | 2404 | powershell.exe
Token: SeDebugPrivilege | 2396 | powershell.exe
Token: SeDebugPrivilege | 472 | powershell.exe
Token: SeDebugPrivilege | 888 | powershell.exe
Token: SeDebugPrivilege | 2492 | проверка.exe
Token: SeDebugPrivilege | 2416 | Delta.exe
Token: SeDebugPrivilege | 2520 | Delta.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
pid | Process
2956 | 7zFM.exe
2956 | 7zFM.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
pid | Process
2492 | проверка.exe

Suspicious use of WriteProcessMemory (24 IoCs)
description | pid | Process | procid_target
PID 2032 wrote to memory of 2956 | 2032 | cmd.exe | 29
PID 2032 wrote to memory of 2956 | 2032 | cmd.exe | 29
PID 2032 wrote to memory of 2956 | 2032 | cmd.exe | 29
PID 2492 wrote to memory of 2404 | 2492 | проверка.exe | 32
PID 2492 wrote to memory of 2404 | 2492 | проверка.exe | 32
PID 2492 wrote to memory of 2404 | 2492 | проверка.exe | 32
PID 2492 wrote to memory of 2396 | 2492 | проверка.exe | 34
PID 2492 wrote to memory of 2396 | 2492 | проверка.exe | 34
PID 2492 wrote to memory of 2396 | 2492 | проверка.exe | 34
PID 2492 wrote to memory of 472 | 2492 | проверка.exe | 36
PID 2492 wrote to memory of 472 | 2492 | проверка.exe | 36
PID 2492 wrote to memory of 472 | 2492 | проверка.exe | 36
PID 2492 wrote to memory of 888 | 2492 | проверка.exe | 38
PID 2492 wrote to memory of 888 | 2492 | проверка.exe | 38
PID 2492 wrote to memory of 888 | 2492 | проверка.exe | 38
PID 2492 wrote to memory of 2320 | 2492 | проверка.exe | 40
PID 2492 wrote to memory of 2320 | 2492 | проверка.exe | 40
PID 2492 wrote to memory of 2320 | 2492 | проверка.exe | 40
PID 2620 wrote to memory of 2416 | 2620 | taskeng.exe | 46
PID 2620 wrote to memory of 2416 | 2620 | taskeng.exe | 46
PID 2620 wrote to memory of 2416 | 2620 | taskeng.exe | 46
PID 2620 wrote to memory of 2520 | 2620 | taskeng.exe | 47
PID 2620 wrote to memory of 2520 | 2620 | taskeng.exe | 47
PID 2620 wrote to memory of 2520 | 2620 | taskeng.exe | 47

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\проверка.rar
  PID: 2032
  - Suspicious use of WriteProcessMemory
  C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\проверка.rar"
    PID: 2956
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow

C:\Users\Admin\Desktop\проверка.exe
  "C:\Users\Admin\Desktop\проверка.exe"
  PID: 2492
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\проверка.exe'
    PID: 2404
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'проверка.exe'
    PID: 2396
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Delta.exe'
    PID: 472
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Delta.exe'
    PID: 888
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Delta" /tr "C:\Users\Admin\AppData\Roaming\Delta.exe"
    PID: 2320
    - Creates scheduled task(s)

C:\Windows\system32\taskeng.exe
  taskeng.exe {57585404-243D-4455-BA87-EADB3568486E} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]
  PID: 2620
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\Delta.exe
    C:\Users\Admin\AppData\Roaming\Delta.exe
    PID: 2416
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  C:\Users\Admin\AppData\Roaming\Delta.exe
    C:\Users\Admin\AppData\Roaming\Delta.exe
    PID: 2520
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: 790f9db32a0173294c7f605c6f929f2c
SHA1: 4b9033bdba7247dbae89cec4592cbd671f67ca50
SHA256: 5615102f3b66d382b953889186f6813295ef28e31082179c9a5cf9e9096901ee
SHA512: 028237ccc284139547af8eda177e869f0f900b7a19c29ade7b57e57c19f545b1372b8ba7fb011626dbc064fd2ef80db027a392a5a6bb0e4a60514bb789befb68

Filesize: 98KB
MD5: 69c00aa1f2cecc09093eec932c788209
SHA1: 2bcdc2f36469087ec60acc0b6d3e47fde03d0f6c
SHA256: c3873500c3bff4e73beacd24ce3005f0f5d5486d51b73cc7e0dc8b3bcbf902e2
SHA512: 8bc1e413998b4c6ff77798561097fbec6c5c52aec560a62c73025739157cf3dc4a06d3d645cc582eb88533166a2373f92dc3332084036966491b9934cc3ab214