Analysis
max time kernel: 453s
max time network: 1172s
platform: windows11-21h2_x64
resource: win11-20240508-en
resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 21-06-2024 17:49
Behavioral task: behavioral1
Sample: portmap.exe
Resource: win11-20240508-en
General
Target: portmap.exe
Size: 37KB
MD5: 65bdfee5e4d9099b10d35fd68a9b44cb
SHA1: 20f380d3064186587069464becedadae24ad305a
SHA256: 39ca4ba8dd7b0324302767752719eb5198b5cc52dcb14d05a3dbd0756fc543f9
SHA512: 69350a193ab4c9d2ba6629f2265fff4f3e21e074ec3b02b5a972c9af21724af12aad669834677c7b9ae6d4c96a74044f04e95570643393cda80130febbc09186
SSDEEP: 768:k5gTXwbLsAheofRhOUOe9tLFyc9PwO/h4Dy0I:k5gTgUAhHLOSF39PwO/T0I
Malware Config
Extracted
Family: xworm
Version: 5.0
C2: Jamalhacker-53065.portmap.io:53065
aJRZ58IZ9NkkHbDV (config value extracted without a label on this page)
Install_directory: %Userprofile%
install_file: USB.exe
Note: the C2 hostname is a portmap.io tunnel, a public port-forwarding service, so the address it resolves to belongs to that service rather than to the operator's host; hunt and block on the hostname and port, not only on the resolved IP. Note also that the file actually dropped and persisted in this run is C:\Users\Admin\Windows backup (see Signatures and Processes), not %Userprofile%\USB.exe as the configured install_file would suggest.
Signatures
Detect Xworm Payload (2 IoCs)
  yara_rule family_xworm on resource behavioral1/memory/4840-1-0x00000000003C0000-0x00000000003D0000-memory.dmp
  yara_rule family_xworm on resource C:\Users\Admin\Windows backup
Drops startup file (2 IoCs)
  portmap.exe: File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows backup.lnk
  portmap.exe: File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows backup.lnk
Executes dropped EXE (1 IoC)
  PID 1516: Windows backup
Adds Run key to start application (2 TTPs, 1 IoC)
  portmap.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows backup = "C:\\Users\\Admin\\Windows backup"
  Note: the Run value is the bare path "C:\Users\Admin\Windows backup" with no file extension; the dropped executable really has that name (see Executes dropped EXE and Processes), which is worth a hunt of its own.
Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 1: ip-api.com
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Delays execution with timeout.exe (1 IoC)
  PID 2836: timeout.exe
Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious use of AdjustPrivilegeToken (3 IoCs)
  PID 4840 portmap.exe: Token SeDebugPrivilege
  PID 4840 portmap.exe: Token SeDebugPrivilege
  PID 1516 Windows backup: Token SeDebugPrivilege
Suspicious use of WriteProcessMemory (8 IoCs)
  PID 4840 portmap.exe wrote to memory of PID 2440 schtasks.exe
  PID 4840 portmap.exe wrote to memory of PID 2440 schtasks.exe
  PID 4840 portmap.exe wrote to memory of PID 1188 schtasks.exe
  PID 4840 portmap.exe wrote to memory of PID 1188 schtasks.exe
  PID 4840 portmap.exe wrote to memory of PID 2940 cmd.exe
  PID 4840 portmap.exe wrote to memory of PID 2940 cmd.exe
  PID 2940 cmd.exe wrote to memory of PID 2836 timeout.exe
  PID 2940 cmd.exe wrote to memory of PID 2836 timeout.exe
  Note: every target is a child the writer itself spawned (see Processes); the report records no write into a process it did not create.
Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\portmap.exe (PID 4840)
  command line: "C:\Users\Admin\AppData\Local\Temp\portmap.exe"
  signatures: Drops startup file; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  C:\Windows\System32\schtasks.exe (PID 2440)
    command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows backup" /tr "C:\Users\Admin\Windows backup"
    signatures: Scheduled Task/Job: Scheduled Task
  C:\Windows\System32\schtasks.exe (PID 1188)
    command line: "C:\Windows\System32\schtasks.exe" /delete /f /tn "Windows backup"
  C:\Windows\system32\cmd.exe (PID 2940)
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpAF5A.tmp.bat""
    signatures: Suspicious use of WriteProcessMemory
    C:\Windows\system32\timeout.exe (PID 2836)
      command line: timeout 3
      signatures: Delays execution with timeout.exe
C:\Users\Admin\Windows backup (PID 1516)
  command line: "C:\Users\Admin\Windows backup"
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
Notes: the task "Windows backup" is created to run every minute (/sc minute /mo 1) at the highest run level (/RL HIGHEST) and is deleted again by PID 1188 in the same run; the Run key and the Startup-folder .lnk are what this trace leaves in place. The dropped copy "C:\Users\Admin\Windows backup" runs as a separate top-level process (PID 1516), not as a child of portmap.exe; the page does not show what launched it or what tmpAF5A.tmp.bat contains.
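Detection logic for the chain above, added here as an example (it is not code from the sandbox, the report, or the sample): it replays constructed Sysmon-style events that mirror the process tree, the Run-key write, the Startup-folder .lnk and the ip-api.com lookup listed on this page, plus an invented benign VendorUpdate task as a control, and flags the combination. The field names (EventType, Image, ParentImage, CommandLine, TargetObject, Details, TargetFilename, QueryName) follow Sysmon naming but are an assumption, not a sandbox export; the IP-lookup host list contains only the service seen in this report.

```python
"""Replay constructed Sysmon-style events modelled on this report and flag the persistence chain.
Added example, not sandbox or sample code: field names are assumed, VendorUpdate is an invented control."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List

PORTMAP = r"C:\Users\Admin\AppData\Local\Temp\portmap.exe"
SCHTASKS = r"C:\Windows\System32\schtasks.exe"
RUN_KEY = (r"\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000"
           r"\Software\Microsoft\Windows\CurrentVersion\Run\Windows backup")
STARTUP_LNK = (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu"
               r"\Programs\Startup\Windows backup.lnk")
EVENTS: List[Dict[str, str]] = [  # constructed from the report's process tree and signatures
    {"EventType": "ProcessCreate", "Image": SCHTASKS, "ParentImage": PORTMAP,
     "CommandLine": f'"{SCHTASKS}" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows backup" '
                    r'/tr "C:\Users\Admin\Windows backup"'},
    {"EventType": "ProcessCreate", "Image": SCHTASKS, "ParentImage": PORTMAP,
     "CommandLine": f'"{SCHTASKS}" /delete /f /tn "Windows backup"'},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\system32\cmd.exe", "ParentImage": PORTMAP,
     "CommandLine": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpAF5A.tmp.bat""'},
    {"EventType": "RegistryValueSet", "Image": PORTMAP, "TargetObject": RUN_KEY, "Details": r"C:\Users\Admin\Windows backup"},
    {"EventType": "FileCreate", "Image": PORTMAP, "TargetFilename": STARTUP_LNK},
    {"EventType": "DnsQuery", "Image": PORTMAP, "QueryName": "ip-api.com"},
    {"EventType": "ProcessCreate", "Image": SCHTASKS, "ParentImage": r"C:\Program Files\Vendor\setup.exe",  # invented
     "CommandLine": r'schtasks.exe /create /sc daily /tn "VendorUpdate" /tr "C:\Program Files\Vendor\update.exe"'},
]
IP_LOOKUP_HOSTS = {"ip-api.com"}  # only the service seen in this report; extend for your environment
USER_PATH = re.compile(r"^[a-z]:\\users\\", re.I)  # anything under a user profile is user-writable
TOKEN = re.compile(r'"[^"]*"|\S+')  # a quoted argument or a bare word
TEMP_BAT = re.compile(r'\\AppData\\Local\\Temp\\[^"\s]+\.bat', re.I)
PERSISTENCE_RULES = {"schtasks_persistence", "run_key_user_path", "startup_folder_lnk"}


@dataclass
class Finding:
    rule: str
    actor: str  # process held responsible: the parent for schtasks/cmd children, else the writer itself
    detail: str


def schtasks_args(cmdline: str) -> Dict[str, str]:
    """Parse a schtasks command line into {flag: value}; value-less flags map to ''."""
    toks = [t.strip('"') for t in TOKEN.findall(cmdline)]
    args: Dict[str, str] = {}
    for i, tok in enumerate(toks):
        if tok.startswith("/"):
            nxt = toks[i + 1] if i + 1 < len(toks) else ""
            args[tok[1:].lower()] = "" if nxt.startswith("/") else nxt
    return args


def schtasks_reasons(ev: Dict[str, str]) -> List[str]:
    """Traits of a schtasks /create that point at malware persistence; empty if benign or not /create."""
    a = schtasks_args(ev.get("CommandLine", ""))
    if "create" not in a:
        return []
    checks = [
        (a.get("sc", "").lower() == "minute" and a.get("mo", "1") in ("", "1"), "repeats every minute"),
        (a.get("rl", "").upper() == "HIGHEST", "/RL HIGHEST"),
        (bool(USER_PATH.match(a.get("tr", ""))), "task action under a user profile"),
        (bool(USER_PATH.match(ev.get("ParentImage", ""))), "created from a user-profile path"),
    ]
    return [why for hit, why in checks if hit]


def detect(events: Iterable[Dict[str, str]]) -> List[Finding]:
    out: List[Finding] = []
    for ev in events:
        kind, image, cmd = ev["EventType"], ev.get("Image", ""), ev.get("CommandLine", "")
        parent = ev.get("ParentImage", image)
        if kind == "ProcessCreate" and image.lower().endswith("\\schtasks.exe"):
            why = schtasks_reasons(ev)
            if len(why) >= 2:  # one trait alone is common for legitimate installers
                out.append(Finding("schtasks_persistence", parent, "; ".join(why)))
        elif kind == "ProcessCreate" and image.lower().endswith("\\cmd.exe"):
            m = TEMP_BAT.search(cmd)
            if m and " /c " in cmd.lower():
                out.append(Finding("temp_bat_via_cmd", parent, m.group(0)))
        elif kind == "RegistryValueSet" and "\\currentversion\\run\\" in ev["TargetObject"].lower():
            if USER_PATH.match(ev.get("Details", "")):
                out.append(Finding("run_key_user_path", image, f'{ev["TargetObject"]} = {ev["Details"]}'))
        elif kind == "FileCreate" and ev["TargetFilename"].lower().endswith(".lnk"):
            if "\\start menu\\programs\\startup\\" in ev["TargetFilename"].lower():
                out.append(Finding("startup_folder_lnk", image, ev["TargetFilename"]))
        elif kind == "DnsQuery" and ev["QueryName"].lower() in IP_LOOKUP_HOSTS:
            out.append(Finding("external_ip_lookup", image, ev["QueryName"]))
    return out


def persistence_chains(findings: Iterable[Finding], min_rules: int = 2) -> Dict[str, List[str]]:
    """Actors hitting several distinct persistence rules (here: Run key + Startup .lnk + minute task)."""
    by_actor: Dict[str, set] = defaultdict(set)
    for f in findings:
        if f.rule in PERSISTENCE_RULES:
            by_actor[f.actor].add(f.rule)
    return {a: sorted(r) for a, r in by_actor.items() if len(r) >= min_rules}


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"[{f.rule}] {f.actor}: {f.detail}")
    for actor, rules in persistence_chains(detect(EVENTS)).items():
        print(f"PERSISTENCE CHAIN {actor}: {', '.join(rules)}")
```

Running the module prints one line per finding and one PERSISTENCE CHAIN line attributing all three persistence rules to portmap.exe; the schtasks /delete and the daily VendorUpdate task produce nothing, which is why a schtasks /create is only flagged once at least two traits coincide.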
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution, T1547 (1): Registry Run Keys / Startup Folder, T1547.001 (1)
  Scheduled Task/Job, T1053 (1): Scheduled Task, T1053.005 (1)
Downloads
File 1 (name not given on the page)
Filesize: 159B
MD5: d869ea8606472ff08137ad940a234bbc
SHA1: 6c02da5e608465ed5015a84cb9f6bef45df6f5f0
SHA256: ca587e9b3bea722e3f839b691f8f3dd817fc59f450aaf1af73097f2b09c4a66c
SHA512: 806110fbb79b5d762cc2e740e16ca56ba5fcca58760d2bd084a4c598c59f2176308e4f173853deacad232b2c6aa6db528c2f32e957eb9169d6512bf7cd7011a4
File 2 (hashes identical to the submitted sample portmap.exe)
Filesize: 37KB
MD5: 65bdfee5e4d9099b10d35fd68a9b44cb
SHA1: 20f380d3064186587069464becedadae24ad305a
SHA256: 39ca4ba8dd7b0324302767752719eb5198b5cc52dcb14d05a3dbd0756fc543f9
SHA512: 69350a193ab4c9d2ba6629f2265fff4f3e21e074ec3b02b5a972c9af21724af12aad669834677c7b9ae6d4c96a74044f04e95570643393cda80130febbc09186