Analysis
max time kernel: 26s
max time network: 29s
platform: windows11-21h2_x64
resource: win11-20240611-en
resource tags: arch:x64, arch:x86, image:win11-20240611-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 21-06-2024 21:20

Behavioral task: behavioral1
Sample: setup.exe
Resource: win11-20240611-en

General
Target: setup.exe
Size: 136KB
MD5: 7a1a5a223738032f20c9f3c21197ff76
SHA1: 311f1541cc22ac08a4c5ef49dcc33d843ad49495
SHA256: 649a001ef5ce48aec16cf5d256ef7ba2556ec9b3b1b81c8c242daff556099aec
SHA512: 80fe5665b5b4e07762a5834cfa15697309a7f1e721a008c8abd496ed93490e01e2e47edaf1b96d67fa9933a28362c9acadc31180b2212d44858df309ce6f396f
SSDEEP: 3072:z+yKAaijkyC6yaXbGKn50Ozu2hwKXdkEVMNQLcuqIWbTz7W:z+2xtbGUCUkaMyXnSTz7
Malware Config
Extracted
Family: xworm
C2: 192.168.56.1:80
Install_directory: %Temp%
install_file: RedTiger.exe
Signatures

Detect Xworm Payload (1 IoC)
  resource | yara_rule
  behavioral1/memory/1172-1-0x0000000000E40000-0x0000000000E66000-memory.dmp | family_xworm

Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: setup.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Windows\CurrentVersion\Run\RedTiger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RedTiger.exe" | setup.exe

Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  1 | ip-api.com

Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: chrome.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe

Modifies data under HKEY_USERS (2 IoCs)
  Processes: chrome.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
  Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133634784614643276" | chrome.exe

Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes: chrome.exe, setup.exe
  pid | process
  4576 | chrome.exe
  4576 | chrome.exe
  1172 | setup.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
  Processes: chrome.exe
  pid | process
  4576 | chrome.exe (6 identical rows)

Suspicious use of AdjustPrivilegeToken (46 IoCs)
  Processes: setup.exe, chrome.exe
  description | pid | process
  Token: SeDebugPrivilege | 1172 | setup.exe (2 rows)
  Token: SeShutdownPrivilege | 4576 | chrome.exe (22 rows, alternating with the row below)
  Token: SeCreatePagefilePrivilege | 4576 | chrome.exe (22 rows)

Suspicious use of FindShellTrayWindow (26 IoCs)
  Processes: chrome.exe
  pid | process
  4576 | chrome.exe (26 identical rows)

Suspicious use of SendNotifyMessage (12 IoCs)
  Processes: chrome.exe
  pid | process
  4576 | chrome.exe (12 identical rows)

Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: setup.exe
  pid | process
  1172 | setup.exe

Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: chrome.exe
  description | pid | process | target process
  PID 4576 wrote to memory of 5116 | 4576 | chrome.exe | chrome.exe (2 rows)
  PID 4576 wrote to memory of 3240 | 4576 | chrome.exe | chrome.exe (repeated)
  PID 4576 wrote to memory of 3196 | 4576 | chrome.exe | chrome.exe (2 rows)
  PID 4576 wrote to memory of 4572 | 4576 | chrome.exe | chrome.exe (repeated)
  The rows for targets 3240 and 4572 together make up the remaining 60 of the 64 entries.
Processes

"C:\Users\Admin\AppData\Local\Temp\setup.exe"
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID: 1172

"C:\Program Files\Google\Chrome\Application\chrome.exe"
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 4576

    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x84,0x88,0xe8,0x80,0x10c,0x7fff284dab58,0x7fff284dab68,0x7fff284dab78
    PID: 5116

    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1612 --field-trial-handle=1832,i,5140369925760000928,10796801536783073864,131072 /prefetch:2
    PID: 3240

    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2084 --field-trial-handle=1832,i,5140369925760000928,10796801536783073864,131072 /prefetch:8
    PID: 3196

    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2204 --field-trial-handle=1832,i,5140369925760000928,10796801536783073864,131072 /prefetch:8
    PID: 4572

    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3076 --field-trial-handle=1832,i,5140369925760000928,10796801536783073864,131072 /prefetch:1
    PID: 1056

    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3136 --field-trial-handle=1832,i,5140369925760000928,10796801536783073864,131072 /prefetch:1
    PID: 1208

    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4272 --field-trial-handle=1832,i,5140369925760000928,10796801536783073864,131072 /prefetch:1
    PID: 3468

    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4396 --field-trial-handle=1832,i,5140369925760000928,10796801536783073864,131072 /prefetch:8
    PID: 2220

    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4532 --field-trial-handle=1832,i,5140369925760000928,10796801536783073864,131072 /prefetch:8
    PID: 812

    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4644 --field-trial-handle=1832,i,5140369925760000928,10796801536783073864,131072 /prefetch:8
    PID: 3616

    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4724 --field-trial-handle=1832,i,5140369925760000928,10796801536783073864,131072 /prefetch:8
    PID: 4220

    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4584 --field-trial-handle=1832,i,5140369925760000928,10796801536783073864,131072 /prefetch:8
    PID: 2140

    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4636 --field-trial-handle=1832,i,5140369925760000928,10796801536783073864,131072 /prefetch:1
    PID: 1608

    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4936 --field-trial-handle=1832,i,5140369925760000928,10796801536783073864,131072 /prefetch:1
    PID: 3660

    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3412 --field-trial-handle=1832,i,5140369925760000928,10796801536783073864,131072 /prefetch:1
    PID: 4656

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
  PID: 4556
Network
MITRE ATT&CK Enterprise v15
Downloads