Analysis
max time kernel: 73s
max time network: 93s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 21-06-2024 20:17

Behavioral task: behavioral1
Sample: MetalokCheat.exe
Resource: win7-20240221-en
General
Target: MetalokCheat.exe
Size: 79KB
MD5: 9b62d577d23470826389b37e1f2ab4d1
SHA1: fe1b71f45b57a809391e48d73dbebb2e3f94737d
SHA256: a98f882434490a7deb425f4cec29faf9967aaa915c7da952845367fb90edfd53
SHA512: 4547d12b26a4dd39530faba7b8327f204808bb510b00bdd2b564db712db08d829a9311622c754e5f5ac156ab0964480a51f529420573b5e593ef10082e567f9e
SSDEEP: 1536:S+Rajw3RJVDSviENvS6wD2IB/l7jb+oy2pYddjH6v6jDdV+uOAbUipei:LRPJVGlN66DcNvb+or2xaEv+uOA5ei
Malware Config
Extracted
Family: xworm
Version: 3.0
C2: silver-bowl.gl.at.ply.gg:29206
Install_directory: %AppData%
install_file: USB.exe
Signatures

Detect Xworm Payload (2 IoCs)
Processes:
  resource | yara_rule
  behavioral1/memory/2212-1-0x00000000008C0000-0x00000000008DA000-memory.dmp | family_xworm
  C:\Users\Admin\AppData\Roaming\MetalokCheat.exe | family_xworm

Command and Scripting Interpreter: PowerShell (1 TTPs, 3 IoCs)
Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
  pid | process
  2712 | powershell.exe
  2244 | powershell.exe
  2240 | powershell.exe

Drops startup file (2 IoCs)
Processes:
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MetalokCheat.lnk | MetalokCheat.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MetalokCheat.lnk | MetalokCheat.exe

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow | ioc
  4 | ip-api.com

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (57 IoCs)
Processes:
  pid | process
  2712 | powershell.exe
  2244 | powershell.exe
  2240 | powershell.exe
  2212 | MetalokCheat.exe (repeated 46 times)
  1840 | taskmgr.exe (repeated 8 times)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
  pid | process
  1840 | taskmgr.exe

Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 2212 | MetalokCheat.exe
  Token: SeDebugPrivilege | 2712 | powershell.exe
  Token: SeDebugPrivilege | 2244 | powershell.exe
  Token: SeDebugPrivilege | 2240 | powershell.exe
  Token: SeDebugPrivilege | 2212 | MetalokCheat.exe
  Token: SeDebugPrivilege | 1840 | taskmgr.exe

Suspicious use of FindShellTrayWindow (20 IoCs)
Processes:
  pid | process
  1840 | taskmgr.exe (repeated 20 times)

Suspicious use of SendNotifyMessage (20 IoCs)
Processes:
  pid | process
  1840 | taskmgr.exe (repeated 20 times)

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
  pid | process
  2212 | MetalokCheat.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  description | pid | process | target process
  PID 2212 wrote to memory of 2712 | 2212 | MetalokCheat.exe | powershell.exe
  PID 2212 wrote to memory of 2712 | 2212 | MetalokCheat.exe | powershell.exe
  PID 2212 wrote to memory of 2712 | 2212 | MetalokCheat.exe | powershell.exe
  PID 2212 wrote to memory of 2244 | 2212 | MetalokCheat.exe | powershell.exe
  PID 2212 wrote to memory of 2244 | 2212 | MetalokCheat.exe | powershell.exe
  PID 2212 wrote to memory of 2244 | 2212 | MetalokCheat.exe | powershell.exe
  PID 2212 wrote to memory of 2240 | 2212 | MetalokCheat.exe | powershell.exe
  PID 2212 wrote to memory of 2240 | 2212 | MetalokCheat.exe | powershell.exe
  PID 2212 wrote to memory of 2240 | 2212 | MetalokCheat.exe | powershell.exe
Processes

C:\Users\Admin\AppData\Local\Temp\MetalokCheat.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\MetalokCheat.exe"
  - Drops startup file
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2212

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\MetalokCheat.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2712

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'MetalokCheat.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2244

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\MetalokCheat.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2240

C:\Windows\system32\verclsid.exe
  Command line: "C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401
  PID: 2184

C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 1840
Downloads

Filesize: 79KB
MD5: 9b62d577d23470826389b37e1f2ab4d1
SHA1: fe1b71f45b57a809391e48d73dbebb2e3f94737d
SHA256: a98f882434490a7deb425f4cec29faf9967aaa915c7da952845367fb90edfd53
SHA512: 4547d12b26a4dd39530faba7b8327f204808bb510b00bdd2b564db712db08d829a9311622c754e5f5ac156ab0964480a51f529420573b5e593ef10082e567f9e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: 3bb463fd5163feb3133855e674ee7a2c
SHA1: e370d18cc3611895f23a8d48db019d0ab0ded251
SHA256: dd96589450577cd4573f480d48a5dbd5e92b074115bd968dacda5a21eaf9d422
SHA512: 4d87cd6e588f4868c3265f56653c7e2ef5d8c8cbf750924f6e60a4c1000366e75b87a5385220aa66a0668e451c4db6affea11e8f7351c7a6547c43fe0515803a