Analysis

  • max time kernel
    30s
  • max time network
    58s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-06-2024 20:19

General

  • Target

    MetalokCheat.exe

  • Size

    79KB

  • MD5

    9b62d577d23470826389b37e1f2ab4d1

  • SHA1

    fe1b71f45b57a809391e48d73dbebb2e3f94737d

  • SHA256

    a98f882434490a7deb425f4cec29faf9967aaa915c7da952845367fb90edfd53

  • SHA512

    4547d12b26a4dd39530faba7b8327f204808bb510b00bdd2b564db712db08d829a9311622c754e5f5ac156ab0964480a51f529420573b5e593ef10082e567f9e

  • SSDEEP

    1536:S+Rajw3RJVDSviENvS6wD2IB/l7jb+oy2pYddjH6v6jDdV+uOAbUipei:LRPJVGlN66DcNvb+or2xaEv+uOA5ei

Malware Config

Extracted

Family

xworm

Version

3.0

C2

silver-bowl.gl.at.ply.gg:29206

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Drops startup file 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 27 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\MetalokCheat.exe
    "C:\Users\Admin\AppData\Local\Temp\MetalokCheat.exe"
    1⤵
    • Drops startup file
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2040
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\MetalokCheat.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2352
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'MetalokCheat.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2948
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\MetalokCheat.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2884
    • C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\pulkux.MP4"
      2⤵
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:1920
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2000

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\pulkux.MP4

    Filesize

    1.4MB

    MD5

    217557b441c9b669f1dc5750e68c83ac

    SHA1

    1baccc1169bbad3dd9cf2a6199157cfafb6ce50a

    SHA256

    15d8311fcd70356eaa10b9aa5877790401cb25900cd7e7ba08524cefd27119f3

    SHA512

    e1e80f6a4d097679b89fc9bb8d306725a15b8eebb2bfe3faa4477c52eaf5ce124aa5b39025f0c57745d4694fbc4e8d3d4e7d07ed87825d668a25c35c7b27055a

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    7KB

    MD5

    d527a9a238fe56c63be3fe6de4b1e484

    SHA1

    0d723844a4bbcc641c372f66cc227155e9e3a015

    SHA256

    ad522f8514f8dc8fad0f02993bdf3bb8393d48f56ebaa787b970c6961112b068

    SHA512

    1ef6738477517b24ecaabd760d206001c934c17ba5230a773c07f9ed5641886dbfecd6014b0cee1c0da7d1058a23db5c360328f48c2f661b6aaeb4bbc84f288e

  • memory/2000-28-0x0000000140000000-0x00000001405E8000-memory.dmp

    Filesize

    5.9MB

  • memory/2000-27-0x0000000140000000-0x00000001405E8000-memory.dmp

    Filesize

    5.9MB

  • memory/2040-26-0x000007FEF6093000-0x000007FEF6094000-memory.dmp

    Filesize

    4KB

  • memory/2040-0-0x000007FEF6093000-0x000007FEF6094000-memory.dmp

    Filesize

    4KB

  • memory/2040-2-0x000007FEF6090000-0x000007FEF6A7C000-memory.dmp

    Filesize

    9.9MB

  • memory/2040-29-0x000007FEF6090000-0x000007FEF6A7C000-memory.dmp

    Filesize

    9.9MB

  • memory/2040-1-0x0000000001070000-0x000000000108A000-memory.dmp

    Filesize

    104KB

  • memory/2352-9-0x0000000002690000-0x0000000002698000-memory.dmp

    Filesize

    32KB

  • memory/2352-8-0x000000001B4E0000-0x000000001B7C2000-memory.dmp

    Filesize

    2.9MB

  • memory/2352-7-0x00000000028D0000-0x0000000002950000-memory.dmp

    Filesize

    512KB

  • memory/2948-15-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

    Filesize

    2.9MB

  • memory/2948-16-0x0000000001E80000-0x0000000001E88000-memory.dmp

    Filesize

    32KB