Analysis
max time kernel: 30s
max time network: 58s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 21-06-2024 20:19
Behavioral task: behavioral1
Sample: MetalokCheat.exe
Resource: win7-20240508-en
General
Target: MetalokCheat.exe
Size: 79KB
MD5: 9b62d577d23470826389b37e1f2ab4d1
SHA1: fe1b71f45b57a809391e48d73dbebb2e3f94737d
SHA256: a98f882434490a7deb425f4cec29faf9967aaa915c7da952845367fb90edfd53
SHA512: 4547d12b26a4dd39530faba7b8327f204808bb510b00bdd2b564db712db08d829a9311622c754e5f5ac156ab0964480a51f529420573b5e593ef10082e567f9e
SSDEEP: 1536:S+Rajw3RJVDSviENvS6wD2IB/l7jb+oy2pYddjH6v6jDdV+uOAbUipei:LRPJVGlN66DcNvb+or2xaEv+uOA5ei
Malware Config
Extracted
Family: xworm
Version: 3.0
C2: silver-bowl.gl.at.ply.gg:29206
Install_directory: %AppData%
install_file: USB.exe
Signatures
-
Detect Xworm Payload 1 IoCs
Processes:
resource: behavioral1/memory/2040-1-0x0000000001070000-0x000000000108A000-memory.dmp
yara_rule: family_xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
pid   process
2884  powershell.exe
2352  powershell.exe
2948  powershell.exe
Drops startup file 2 IoCs
Processes:
description                   ioc                                                                                            process
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MetalokCheat.lnk  MetalokCheat.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MetalokCheat.lnk  MetalokCheat.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow  ioc
4     ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
pid   process
1920  vlc.exe
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
pid   process
2352  powershell.exe
2948  powershell.exe
2884  powershell.exe
2040  MetalokCheat.exe
2000  taskmgr.exe       (10 entries)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid   process
1920  vlc.exe
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
description              pid   process
Token: SeDebugPrivilege  2040  MetalokCheat.exe
Token: SeDebugPrivilege  2352  powershell.exe
Token: SeDebugPrivilege  2948  powershell.exe
Token: SeDebugPrivilege  2884  powershell.exe
Token: SeDebugPrivilege  2040  MetalokCheat.exe
Token: SeDebugPrivilege  2000  taskmgr.exe
Suspicious use of FindShellTrayWindow 28 IoCs
Processes:
pid   process
2000  taskmgr.exe  (23 entries)
1920  vlc.exe      (5 entries)
Suspicious use of SendNotifyMessage 27 IoCs
Processes:
pid   process
2000  taskmgr.exe  (23 entries)
1920  vlc.exe      (4 entries)
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid   process
2040  MetalokCheat.exe
1920  vlc.exe
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description                       pid   process           target process
PID 2040 wrote to memory of 2352  2040  MetalokCheat.exe  powershell.exe  (3 entries)
PID 2040 wrote to memory of 2948  2040  MetalokCheat.exe  powershell.exe  (3 entries)
PID 2040 wrote to memory of 2884  2040  MetalokCheat.exe  powershell.exe  (3 entries)
PID 2040 wrote to memory of 1920  2040  MetalokCheat.exe  vlc.exe         (3 entries)
Processes
-
- C:\Users\Admin\AppData\Local\Temp\MetalokCheat.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\MetalokCheat.exe"
  Tree depth: 1
  - Drops startup file
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2040
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\MetalokCheat.exe'
    Tree depth: 2
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2352
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'MetalokCheat.exe'
    Tree depth: 2
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2948
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\MetalokCheat.exe'
    Tree depth: 2
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2884
  - C:\Program Files\VideoLAN\VLC\vlc.exe
    Command line: "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\pulkux.MP4"
    Tree depth: 2
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID: 1920
- C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  Tree depth: 1
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 2000
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 1.4MB
MD5: 217557b441c9b669f1dc5750e68c83ac
SHA1: 1baccc1169bbad3dd9cf2a6199157cfafb6ce50a
SHA256: 15d8311fcd70356eaa10b9aa5877790401cb25900cd7e7ba08524cefd27119f3
SHA512: e1e80f6a4d097679b89fc9bb8d306725a15b8eebb2bfe3faa4477c52eaf5ce124aa5b39025f0c57745d4694fbc4e8d3d4e7d07ed87825d668a25c35c7b27055a
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: d527a9a238fe56c63be3fe6de4b1e484
SHA1: 0d723844a4bbcc641c372f66cc227155e9e3a015
SHA256: ad522f8514f8dc8fad0f02993bdf3bb8393d48f56ebaa787b970c6961112b068
SHA512: 1ef6738477517b24ecaabd760d206001c934c17ba5230a773c07f9ed5641886dbfecd6014b0cee1c0da7d1058a23db5c360328f48c2f661b6aaeb4bbc84f288e