Analysis
-
max time kernel
153s -
max time network
160s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
08-06-2024 21:00
General
-
Target
2 лдшуте.exe
-
Size
77KB
-
MD5
632ab73920e2e8e8100d927ab00e12a5
-
SHA1
4676f206bb580f87589bb2e1cfa0270959534ae6
-
SHA256
a4ee1f41eada056a3c1802839d549de40fdbd7995a5940a8f7cb9fb9785b0e87
-
SHA512
21df86d3316712979b995844516bb12f86823cb96977e52c05b9b855aece6c9917ffee31d5ba4d415babc8290fa2a364ba3cb501b5724208676d077469a829db
-
SSDEEP
1536:Lo34pW06sYLtjyzCLfvbpdyqD546KMhb/ujSOHSNdEn:YrTo0vbpY85ca/CSOHS4n
Malware Config
Extracted
xworm
word-belize.gl.at.ply.gg:1678
-
Install_directory
%AppData%
Signatures
-
Detect Xworm Payload 2 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 55 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of FindShellTrayWindow 55 IoCs
-
Suspicious use of SendNotifyMessage 55 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 10 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2 лдшуте.exe"C:\Users\Admin\AppData\Local\Temp\2 лдшуте.exe"1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\2 лдшуте.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '2 лдшуте.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\system'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'system'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "system" /tr "C:\Users\Admin\AppData\Roaming\system"2⤵
- Creates scheduled task(s)
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4036 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:81⤵
-
C:\Users\Admin\AppData\Roaming\systemC:\Users\Admin\AppData\Roaming\system1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Roaming\systemC:\Users\Admin\AppData\Roaming\system1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD5440cb38dbee06645cc8b74d51f6e5f71
SHA1d7e61da91dc4502e9ae83281b88c1e48584edb7c
SHA2568ef7a682dfd99ff5b7e9de0e1be43f0016d68695a43c33c028af2635cc15ecfe
SHA5123aab19578535e6ba0f6beb5690c87d970292100704209d2dcebddcdd46c6bead27588ef5d98729bfd50606a54cc1edf608b3d15bef42c13b9982aaaf15de7fd6
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\system.logFilesize
654B
MD52ff39f6c7249774be85fd60a8f9a245e
SHA1684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA5121d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5797854a243216a8151b7bf335394c53f
SHA1e9963ea0aece462daae4a6ff2f9525268c7ff1c4
SHA25649c312b5bb740271b4fb126505bd4a806bda1afd7bc848d9023ef266a9d2c9b8
SHA51290e2ab3a579c387d4bd239a487994fc743fe358419b561ef2ae1cdedbedce534aa4806bdec4b97e0ef5439134014adaa9549560d3af58f7ce542564d0069d8ca
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5e5663972c1caaba7088048911c758bf3
SHA13462dea0f9c2c16a9c3afdaef8bbb1f753c1c198
SHA2569f7f29a4696876cadca3f14d7e43f9ede0c97fd64be3f5d94bda49a91b6a419e
SHA512ff4e72c46cf083de62baa2ce2661555dd91b5f144294015f7b262fd4500cb67fe80e1871a82da63b607e3e9cef401f4b73c587bf1134637881ecad51aad1eddc
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5c08aea9c78561a5f00398a723fdf2925
SHA12c880cbb5d02169a86bb9517ce2a0184cb177c6e
SHA25663d2688b92da4d1bb69980b7998b9be1595dd9e53951434a9414d019c4f825a7
SHA512d30db2f55bbda7102ffe90520d233355633313dcc77cdb69a26fdbb56e59dd41793def23d69dc5dc3f94c5bd41d3c26b3628886fd2edbed2df0b332e9a21f95c
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_y44pflv2.ld1.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.lnkFilesize
742B
MD594c04159c0c4810f269fbe6175b25a42
SHA142ed79ca4dfba414b615292692ea3fd50d9534bb
SHA25689faaa39382631a7a939b4d27f8e9983f5dad13b863b87dc9a4e1eb7ce6936e6
SHA512eaff3529e09298a17be5fbb7281e0f5d6651af5cfe1fded29de5888001511d9a301d8bafc210303643e7f97e9ded14d0ab8bfa128ec282e37d1981039b71c53a
-
C:\Users\Admin\AppData\Roaming\systemFilesize
77KB
MD5632ab73920e2e8e8100d927ab00e12a5
SHA14676f206bb580f87589bb2e1cfa0270959534ae6
SHA256a4ee1f41eada056a3c1802839d549de40fdbd7995a5940a8f7cb9fb9785b0e87
SHA51221df86d3316712979b995844516bb12f86823cb96977e52c05b9b855aece6c9917ffee31d5ba4d415babc8290fa2a364ba3cb501b5724208676d077469a829db
-
memory/980-15-0x00007FF9D5CB0000-0x00007FF9D6771000-memory.dmpFilesize
10.8MB
-
memory/980-4-0x00007FF9D5CB0000-0x00007FF9D6771000-memory.dmpFilesize
10.8MB
-
memory/980-20-0x00007FF9D5CB0000-0x00007FF9D6771000-memory.dmpFilesize
10.8MB
-
memory/980-17-0x00007FF9D5CB0000-0x00007FF9D6771000-memory.dmpFilesize
10.8MB
-
memory/980-3-0x00007FF9D5CB0000-0x00007FF9D6771000-memory.dmpFilesize
10.8MB
-
memory/980-14-0x0000023B79320000-0x0000023B79342000-memory.dmpFilesize
136KB
-
memory/4020-64-0x000001BC71C00000-0x000001BC71C01000-memory.dmpFilesize
4KB
-
memory/4020-75-0x000001BC71C00000-0x000001BC71C01000-memory.dmpFilesize
4KB
-
memory/4020-69-0x000001BC71C00000-0x000001BC71C01000-memory.dmpFilesize
4KB
-
memory/4020-63-0x000001BC71C00000-0x000001BC71C01000-memory.dmpFilesize
4KB
-
memory/4020-65-0x000001BC71C00000-0x000001BC71C01000-memory.dmpFilesize
4KB
-
memory/4020-70-0x000001BC71C00000-0x000001BC71C01000-memory.dmpFilesize
4KB
-
memory/4020-72-0x000001BC71C00000-0x000001BC71C01000-memory.dmpFilesize
4KB
-
memory/4020-71-0x000001BC71C00000-0x000001BC71C01000-memory.dmpFilesize
4KB
-
memory/4020-74-0x000001BC71C00000-0x000001BC71C01000-memory.dmpFilesize
4KB
-
memory/4020-73-0x000001BC71C00000-0x000001BC71C01000-memory.dmpFilesize
4KB
-
memory/4832-58-0x00007FF9D5CB0000-0x00007FF9D6771000-memory.dmpFilesize
10.8MB
-
memory/4832-16-0x00007FF9D5CB3000-0x00007FF9D5CB5000-memory.dmpFilesize
8KB
-
memory/4832-0-0x00007FF9D5CB3000-0x00007FF9D5CB5000-memory.dmpFilesize
8KB
-
memory/4832-2-0x00007FF9D5CB0000-0x00007FF9D6771000-memory.dmpFilesize
10.8MB
-
memory/4832-1-0x0000000000250000-0x000000000026A000-memory.dmpFilesize
104KB