Analysis
-
max time kernel
195s -
max time network
256s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system -
submitted
21-06-2024 21:08
Static task
static1
Behavioral task
behavioral1
Sample
LabyMоd4.exe
Resource
win10-20240404-en
General
-
Target
LabyMоd4.exe
-
Size
560KB
-
MD5
2ae96ec953ccf1e0334f53b423a0f9c5
-
SHA1
ad213f9355f9eba4b1c93f9134d0cae98508c350
-
SHA256
910351824ec9121d841b498baca5f57acc383f20e6ab755e5d353a9d281c4fb2
-
SHA512
9dd0157e71086db20d54741ddd304ffc688d85ff01558c3660050a5471ec7c5933590e7fc79cf40147dc866fb3d3c3c7cacec6140ca2d1ff15313686850fb686
-
SSDEEP
12288:B2rL+p6X35aAXuxGM7bGNMOddnSIXTHUhI:c735aZMzVjUS
Malware Config
Extracted
xworm
restaurant-equation.gl.at.ply.gg:23887
-
Install_directory
%AppData%
-
install_file
XClient.exe
Signatures
-
Detect Xworm Payload 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\XClient.exe family_xworm behavioral1/memory/3844-11-0x00000000005C0000-0x00000000005F6000-memory.dmp family_xworm -
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepid process 4420 powershell.exe 1616 powershell.exe 4260 powershell.exe 3288 powershell.exe -
Drops startup file 2 IoCs
Processes:
XClient.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk XClient.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk XClient.exe -
Executes dropped EXE 1 IoCs
Processes:
XClient.exepid process 3844 XClient.exe -
Modifies file permissions 1 TTPs 1 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 3 ip-api.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exepid process 4788 timeout.exe -
Modifies registry class 1 IoCs
Processes:
LabyMоd4.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings LabyMоd4.exe -
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepid process 4420 powershell.exe 4420 powershell.exe 4420 powershell.exe 1616 powershell.exe 1616 powershell.exe 1616 powershell.exe 4260 powershell.exe 4260 powershell.exe 4260 powershell.exe 3288 powershell.exe 3288 powershell.exe 3288 powershell.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
XClient.exepowershell.exepowershell.exepowershell.exedescription pid process Token: SeDebugPrivilege 3844 XClient.exe Token: SeDebugPrivilege 4420 powershell.exe Token: SeIncreaseQuotaPrivilege 4420 powershell.exe Token: SeSecurityPrivilege 4420 powershell.exe Token: SeTakeOwnershipPrivilege 4420 powershell.exe Token: SeLoadDriverPrivilege 4420 powershell.exe Token: SeSystemProfilePrivilege 4420 powershell.exe Token: SeSystemtimePrivilege 4420 powershell.exe Token: SeProfSingleProcessPrivilege 4420 powershell.exe Token: SeIncBasePriorityPrivilege 4420 powershell.exe Token: SeCreatePagefilePrivilege 4420 powershell.exe Token: SeBackupPrivilege 4420 powershell.exe Token: SeRestorePrivilege 4420 powershell.exe Token: SeShutdownPrivilege 4420 powershell.exe Token: SeDebugPrivilege 4420 powershell.exe Token: SeSystemEnvironmentPrivilege 4420 powershell.exe Token: SeRemoteShutdownPrivilege 4420 powershell.exe Token: SeUndockPrivilege 4420 powershell.exe Token: SeManageVolumePrivilege 4420 powershell.exe Token: 33 4420 powershell.exe Token: 34 4420 powershell.exe Token: 35 4420 powershell.exe Token: 36 4420 powershell.exe Token: SeDebugPrivilege 1616 powershell.exe Token: SeIncreaseQuotaPrivilege 1616 powershell.exe Token: SeSecurityPrivilege 1616 powershell.exe Token: SeTakeOwnershipPrivilege 1616 powershell.exe Token: SeLoadDriverPrivilege 1616 powershell.exe Token: SeSystemProfilePrivilege 1616 powershell.exe Token: SeSystemtimePrivilege 1616 powershell.exe Token: SeProfSingleProcessPrivilege 1616 powershell.exe Token: SeIncBasePriorityPrivilege 1616 powershell.exe Token: SeCreatePagefilePrivilege 1616 powershell.exe Token: SeBackupPrivilege 1616 powershell.exe Token: SeRestorePrivilege 1616 powershell.exe Token: SeShutdownPrivilege 1616 powershell.exe Token: SeDebugPrivilege 1616 powershell.exe Token: SeSystemEnvironmentPrivilege 1616 powershell.exe Token: SeRemoteShutdownPrivilege 1616 powershell.exe Token: SeUndockPrivilege 1616 powershell.exe Token: SeManageVolumePrivilege 1616 powershell.exe Token: 33 1616 powershell.exe Token: 34 1616 powershell.exe Token: 35 1616 powershell.exe Token: 36 1616 powershell.exe Token: SeDebugPrivilege 4260 powershell.exe Token: SeIncreaseQuotaPrivilege 4260 powershell.exe Token: SeSecurityPrivilege 4260 powershell.exe Token: SeTakeOwnershipPrivilege 4260 powershell.exe Token: SeLoadDriverPrivilege 4260 powershell.exe Token: SeSystemProfilePrivilege 4260 powershell.exe Token: SeSystemtimePrivilege 4260 powershell.exe Token: SeProfSingleProcessPrivilege 4260 powershell.exe Token: SeIncBasePriorityPrivilege 4260 powershell.exe Token: SeCreatePagefilePrivilege 4260 powershell.exe Token: SeBackupPrivilege 4260 powershell.exe Token: SeRestorePrivilege 4260 powershell.exe Token: SeShutdownPrivilege 4260 powershell.exe Token: SeDebugPrivilege 4260 powershell.exe Token: SeSystemEnvironmentPrivilege 4260 powershell.exe Token: SeRemoteShutdownPrivilege 4260 powershell.exe Token: SeUndockPrivilege 4260 powershell.exe Token: SeManageVolumePrivilege 4260 powershell.exe Token: 33 4260 powershell.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
javaw.exepid process 3676 javaw.exe 3676 javaw.exe -
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
LabyMоd4.exejavaw.exeXClient.execmd.exedescription pid process target process PID 4384 wrote to memory of 3676 4384 LabyMоd4.exe javaw.exe PID 4384 wrote to memory of 3676 4384 LabyMоd4.exe javaw.exe PID 4384 wrote to memory of 3844 4384 LabyMоd4.exe XClient.exe PID 4384 wrote to memory of 3844 4384 LabyMоd4.exe XClient.exe PID 3676 wrote to memory of 2148 3676 javaw.exe icacls.exe PID 3676 wrote to memory of 2148 3676 javaw.exe icacls.exe PID 3844 wrote to memory of 4420 3844 XClient.exe powershell.exe PID 3844 wrote to memory of 4420 3844 XClient.exe powershell.exe PID 3844 wrote to memory of 1616 3844 XClient.exe powershell.exe PID 3844 wrote to memory of 1616 3844 XClient.exe powershell.exe PID 3844 wrote to memory of 4260 3844 XClient.exe powershell.exe PID 3844 wrote to memory of 4260 3844 XClient.exe powershell.exe PID 3844 wrote to memory of 3288 3844 XClient.exe powershell.exe PID 3844 wrote to memory of 3288 3844 XClient.exe powershell.exe PID 3844 wrote to memory of 2772 3844 XClient.exe cmd.exe PID 3844 wrote to memory of 2772 3844 XClient.exe cmd.exe PID 2772 wrote to memory of 4788 2772 cmd.exe timeout.exe PID 2772 wrote to memory of 4788 2772 cmd.exe timeout.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\LabyMоd4.exe"C:\Users\Admin\AppData\Local\Temp\LabyMоd4.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4384 -
C:\Program Files\Java\jre-1.8\bin\javaw.exe"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\labymod4-installer.jar"2⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3676 -
C:\Windows\system32\icacls.exeC:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M3⤵
- Modifies file permissions
PID:2148
-
-
-
C:\Users\Admin\AppData\Local\Temp\XClient.exe"C:\Users\Admin\AppData\Local\Temp\XClient.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3844 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4420
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1616
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4260
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3288
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp4ACF.tmp.bat""3⤵
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\system32\timeout.exetimeout 34⤵
- Delays execution with timeout.exe
PID:4788
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
46B
MD585beb0ad8a77662c61f86afd1e39702e
SHA1d7e1e72f5c23fe3dded55e7e922151f43f173071
SHA256cf47709f722417a19a6aa4ef955d2498f337f47f1751cf12a17e7ab40a756055
SHA5124a8092e3c8bdce1f2500a0293a1f36a3aa4f49935484f3af7c6dbdb87f4bbcd0fa285e6dfd08c7e0734935a826bb59afc56148724e794ddaa1bb33c88073f577
-
Filesize
3KB
MD58592ba100a78835a6b94d5949e13dfc1
SHA163e901200ab9a57c7dd4c078d7f75dcd3b357020
SHA256fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
SHA51287f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3
-
Filesize
1KB
MD5bbb673277fae96ee4bc299672085e949
SHA1731ccb1581a06bff2ca36ca46b20c91c9adc468c
SHA25621a0a3c47eb15cec5d37688a67369836fda0164d0cd5afaa9a2aa52fb838685d
SHA512aa0efc1683991ed68027f0fbd1dfcf0616dd0c328bd015cb43987411e454e0583e8cc1a45bc9f689e873007071e0923d9be10a6db689ba268a167f856b6a8425
-
Filesize
1KB
MD59457428940093c28ba12bd1e0d6923d2
SHA174d59812b702b52326c5637633c6c9e002598768
SHA2562e95e0a71659267ee67d80481d501e12f8af26bbb57d8b99859d80394da1bd06
SHA512346d7141fe8a33ccc133d8af85bc78c2fa849fd8afd3f26e683bbc055c9d36d02d31bdf8600d06e49b529a33ecd97ce021ae1f162632743a82b25e30670d491c
-
Filesize
1KB
MD503cca9c43729b7da98f8341f5916e69c
SHA18c405fd43cc481445f8fa8c5ccd7643489e2355d
SHA256897ce07829843bdd07e0e90b1d7c4ee4984ff61e26566b1356ba8f2352c61488
SHA51225b474d1b1f1a5b7eedf56e0aff9200a64f45545a26470c836c6ca8236b270eb1706cca8cf0afa4281b13f4d7a66f1e8ef6a87685f55f14ea19ea2e2bf02984c
-
Filesize
190KB
MD5f5cd88548481bd61561698c34fb5b94c
SHA126ccddacd3d767b5b495ab84db5aed5c1eca72bd
SHA2568b721aab9de7fcd5eda8ad61eb2461b8ad4354142629f9589663874ff42f70ef
SHA512295982830cd04b560c35bbdb6bdfc3a343aec8f7a8289c3650cfc1665e788b4aa877b0c8041ee035b2d6304e317623ca2dde52b5cdd5511b932de4a2150419e9
-
Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
Filesize
341KB
MD565b10a02e94334034adb7251a1d521e2
SHA105b4bb293d461d0d2943b0b3209f4cc0afba35b2
SHA25623ddcafd86f95231752b6f2ad7b9532c01c7043fb795ea4faaa3d09ba5ab35bb
SHA5128fcc63df10dc17b9648945a81574a786bfa01db69e63e889dd18e0be0c60c0ee9d222b240d644982e759f79f139a9b573f9d0b03c025e558c15eaebb5fcc596d
-
Filesize
159B
MD50f89235147e5650d508e934b2a4c7268
SHA108c880a025febfa4c034700510794b9c0db6b46f
SHA25634ed357c961b948ca79d911c1dfe0e43c58d4eee098bfee8ba04421f4e39774e
SHA512079f5cd68b658525b213b58fc17d9986f8e0e33b01048a89bf78f817b0a716b4c397657d97ccbdff815d9ff9fcb5f70f9943d7fc80327df07e075079b6c7f0dc