Analysis
- max time kernel: 137s
- max time network: 139s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 12/06/2024, 13:20
Behavioral task behavioral1
- Sample: 401c04370ccefbc9fc186f227d7dcb029c2dfa23c8a77011abe51305471247ad.exe
- Resource: win7-20240221-en
Behavioral task behavioral2
- Sample: 401c04370ccefbc9fc186f227d7dcb029c2dfa23c8a77011abe51305471247ad.exe
- Resource: win10v2004-20240508-en
General
- Target: 401c04370ccefbc9fc186f227d7dcb029c2dfa23c8a77011abe51305471247ad.exe
- Size: 79KB
- MD5: f1e41321cd4394089842e5121d5cb649
- SHA1: 96e3aff8a0eecda81e8d0b10323a1680b1136387
- SHA256: 401c04370ccefbc9fc186f227d7dcb029c2dfa23c8a77011abe51305471247ad
- SHA512: 243adaeca82d89fa982c839c0b730b26e32a228d8e493edb04508f416b262334263c435fead1bffa3ad54a2b574e99cae2fa82d13d2d0c3dbca28c5184f4c9e3
- SSDEEP: 1536:IU8SlJ3N8bspa09DfVtHbRZuBDXcCK68u2yOeYdXGnE1B:cSlJrDHbRZMDXUmO9Wn6B
Malware Config
Extracted
- Family: xworm
- C2: listing-trackbacks.gl.at.ply.gg:8848
- Install_directory: %AppData%
- install_file: USB.exe
Signatures
- Detect Xworm Payload (5 IoCs)
  resource | yara_rule
  behavioral1/memory/2084-1-0x0000000001360000-0x000000000137A000-memory.dmp | family_xworm
  behavioral1/files/0x000d00000001430e-31.dat | family_xworm
  behavioral1/memory/1432-33-0x0000000000330000-0x000000000034A000-memory.dmp | family_xworm
  behavioral1/memory/1056-38-0x00000000002F0000-0x000000000030A000-memory.dmp | family_xworm
  behavioral1/memory/772-40-0x00000000000F0000-0x000000000010A000-memory.dmp | family_xworm
- Command and Scripting Interpreter: PowerShell (1 TTPs, 4 IoCs)
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid | Process
  2076 | powershell.exe
  2448 | powershell.exe
  2960 | powershell.exe
  2496 | powershell.exe
- Drops startup file (2 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TLauncher.lnk | 401c04370ccefbc9fc186f227d7dcb029c2dfa23c8a77011abe51305471247ad.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TLauncher.lnk | 401c04370ccefbc9fc186f227d7dcb029c2dfa23c8a77011abe51305471247ad.exe
- Executes dropped EXE (3 IoCs)
  pid | Process
  1432 | TLauncher
  1056 | TLauncher
  772 | TLauncher
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\TLauncher = "C:\\Users\\Admin\\AppData\\Roaming\\TLauncher" | 401c04370ccefbc9fc186f227d7dcb029c2dfa23c8a77011abe51305471247ad.exe
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  4 | ip-api.com
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  2476 | schtasks.exe
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid | Process
  2076 | powershell.exe
  2448 | powershell.exe
  2960 | powershell.exe
  2496 | powershell.exe
  2084 | 401c04370ccefbc9fc186f227d7dcb029c2dfa23c8a77011abe51305471247ad.exe
- Suspicious use of AdjustPrivilegeToken (9 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2084 | 401c04370ccefbc9fc186f227d7dcb029c2dfa23c8a77011abe51305471247ad.exe
  Token: SeDebugPrivilege | 2076 | powershell.exe
  Token: SeDebugPrivilege | 2448 | powershell.exe
  Token: SeDebugPrivilege | 2960 | powershell.exe
  Token: SeDebugPrivilege | 2496 | powershell.exe
  Token: SeDebugPrivilege | 2084 | 401c04370ccefbc9fc186f227d7dcb029c2dfa23c8a77011abe51305471247ad.exe
  Token: SeDebugPrivilege | 1432 | TLauncher
  Token: SeDebugPrivilege | 1056 | TLauncher
  Token: SeDebugPrivilege | 772 | TLauncher
- Suspicious use of SetWindowsHookEx (1 IoCs)
  pid | Process
  2084 | 401c04370ccefbc9fc186f227d7dcb029c2dfa23c8a77011abe51305471247ad.exe
- Suspicious use of WriteProcessMemory (24 IoCs)
  description | pid | Process | procid_target
  PID 2084 wrote to memory of 2076 | 2084 | 401c04370ccefbc9fc186f227d7dcb029c2dfa23c8a77011abe51305471247ad.exe | 29
  PID 2084 wrote to memory of 2076 | 2084 | 401c04370ccefbc9fc186f227d7dcb029c2dfa23c8a77011abe51305471247ad.exe | 29
  PID 2084 wrote to memory of 2076 | 2084 | 401c04370ccefbc9fc186f227d7dcb029c2dfa23c8a77011abe51305471247ad.exe | 29
  PID 2084 wrote to memory of 2448 | 2084 | 401c04370ccefbc9fc186f227d7dcb029c2dfa23c8a77011abe51305471247ad.exe | 31
  PID 2084 wrote to memory of 2448 | 2084 | 401c04370ccefbc9fc186f227d7dcb029c2dfa23c8a77011abe51305471247ad.exe | 31
  PID 2084 wrote to memory of 2448 | 2084 | 401c04370ccefbc9fc186f227d7dcb029c2dfa23c8a77011abe51305471247ad.exe | 31
  PID 2084 wrote to memory of 2960 | 2084 | 401c04370ccefbc9fc186f227d7dcb029c2dfa23c8a77011abe51305471247ad.exe | 33
  PID 2084 wrote to memory of 2960 | 2084 | 401c04370ccefbc9fc186f227d7dcb029c2dfa23c8a77011abe51305471247ad.exe | 33
  PID 2084 wrote to memory of 2960 | 2084 | 401c04370ccefbc9fc186f227d7dcb029c2dfa23c8a77011abe51305471247ad.exe | 33
  PID 2084 wrote to memory of 2496 | 2084 | 401c04370ccefbc9fc186f227d7dcb029c2dfa23c8a77011abe51305471247ad.exe | 35
  PID 2084 wrote to memory of 2496 | 2084 | 401c04370ccefbc9fc186f227d7dcb029c2dfa23c8a77011abe51305471247ad.exe | 35
  PID 2084 wrote to memory of 2496 | 2084 | 401c04370ccefbc9fc186f227d7dcb029c2dfa23c8a77011abe51305471247ad.exe | 35
  PID 2084 wrote to memory of 2476 | 2084 | 401c04370ccefbc9fc186f227d7dcb029c2dfa23c8a77011abe51305471247ad.exe | 37
  PID 2084 wrote to memory of 2476 | 2084 | 401c04370ccefbc9fc186f227d7dcb029c2dfa23c8a77011abe51305471247ad.exe | 37
  PID 2084 wrote to memory of 2476 | 2084 | 401c04370ccefbc9fc186f227d7dcb029c2dfa23c8a77011abe51305471247ad.exe | 37
  PID 276 wrote to memory of 1432 | 276 | taskeng.exe | 40
  PID 276 wrote to memory of 1432 | 276 | taskeng.exe | 40
  PID 276 wrote to memory of 1432 | 276 | taskeng.exe | 40
  PID 276 wrote to memory of 1056 | 276 | taskeng.exe | 43
  PID 276 wrote to memory of 1056 | 276 | taskeng.exe | 43
  PID 276 wrote to memory of 1056 | 276 | taskeng.exe | 43
  PID 276 wrote to memory of 772 | 276 | taskeng.exe | 44
  PID 276 wrote to memory of 772 | 276 | taskeng.exe | 44
  PID 276 wrote to memory of 772 | 276 | taskeng.exe | 44
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\401c04370ccefbc9fc186f227d7dcb029c2dfa23c8a77011abe51305471247ad.exe (PID 2084)
  Command line: "C:\Users\Admin\AppData\Local\Temp\401c04370ccefbc9fc186f227d7dcb029c2dfa23c8a77011abe51305471247ad.exe"
  Signatures: Drops startup file; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2076)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\401c04370ccefbc9fc186f227d7dcb029c2dfa23c8a77011abe51305471247ad.exe'
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2448)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '401c04370ccefbc9fc186f227d7dcb029c2dfa23c8a77011abe51305471247ad.exe'
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2960)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\TLauncher'
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2496)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'TLauncher'
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\schtasks.exe (PID 2476)
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "TLauncher" /tr "C:\Users\Admin\AppData\Roaming\TLauncher"
    Signatures: Creates scheduled task(s)
- C:\Windows\system32\taskeng.exe (PID 276)
  Command line: taskeng.exe {D1E76FF2-2E9C-478D-8442-1B36618C40EB} S-1-5-21-2297530677-1229052932-2803917579-1000:HKULBIBU\Admin:Interactive:[1]
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\TLauncher (PID 1432)
    Command line: C:\Users\Admin\AppData\Roaming\TLauncher
    Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Roaming\TLauncher (PID 1056)
    Command line: C:\Users\Admin\AppData\Roaming\TLauncher
    Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Roaming\TLauncher (PID 772)
    Command line: C:\Users\Admin\AppData\Roaming\TLauncher
    Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 8ecddd26cad16d55045a731fd861f104
  SHA1: 0ac14606e024ac27873139fa5162220df07c2048
  SHA256: 5e8f255af7604d2076c91b24c70656cbe44611d3a9197f9a1c43e06fd8a8e785
  SHA512: 69abf384f8e035ea06cb3de33e428d30505f617b26cbed44665195848741052580fcae679aa2d0c0ebfc3c63dfe13c0754e2c8ad87b7ea7bb8222ff96997c5be
- Filesize: 79KB
  MD5: f1e41321cd4394089842e5121d5cb649
  SHA1: 96e3aff8a0eecda81e8d0b10323a1680b1136387
  SHA256: 401c04370ccefbc9fc186f227d7dcb029c2dfa23c8a77011abe51305471247ad
  SHA512: 243adaeca82d89fa982c839c0b730b26e32a228d8e493edb04508f416b262334263c435fead1bffa3ad54a2b574e99cae2fa82d13d2d0c3dbca28c5184f4c9e3