Analysis
max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 22-06-2024 03:01
Behavioral task behavioral1
Sample: a788a5b401661ff1c3eedd21d679ccaf39a35cb1a5a814773b1e4ded48de890c.exe
Resource: win7-20240508-en
Behavioral task behavioral2
Sample: a788a5b401661ff1c3eedd21d679ccaf39a35cb1a5a814773b1e4ded48de890c.exe
Resource: win10v2004-20240508-en
General
Target: a788a5b401661ff1c3eedd21d679ccaf39a35cb1a5a814773b1e4ded48de890c.exe
Size: 121KB
MD5: 5ad0a139daa10def6783d34a578882eb
SHA1: 8cbeb48832356f7cff9b1370ece879d72b8eb156
SHA256: a788a5b401661ff1c3eedd21d679ccaf39a35cb1a5a814773b1e4ded48de890c
SHA512: 2cbd28e71e57b1fa051231565074afeaaacb6332c831e861be45e98eab1d1f1fc0519ddbace3f2f2f24d9a97d8dd767bcfadd827dfb81e960bcc7b73cb5b3b84
SSDEEP: 1536:S0DwewicrbsN/YVRrNRF49IG6iOwjaClJEHIl7pmhaKI:S0DweDN/kr/F49IaOw5Ch0
Malware Config
Extracted
Family: xworm
Version: 5.0
C2: sekoneko.zapto.org:1111
epkUNO9aHruE9KEn (value not labelled in the report)
Install_directory: %AppData%
install_file: win64.exe
Signatures
Detect Xworm Payload (4 IoCs)
- behavioral1/memory/2716-1-0x0000000000EE0000-0x0000000000F04000-memory.dmp: family_xworm
- C:\Users\Admin\AppData\Roaming\win64.exe: family_xworm
- behavioral1/memory/1476-36-0x0000000000DE0000-0x0000000000E04000-memory.dmp: family_xworm
- behavioral1/memory/1736-39-0x0000000001210000-0x0000000001234000-memory.dmp: family_xworm
Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)
Runs PowerShell to modify Windows Defender settings by adding exclusions (the signature covers file extensions, paths and processes; in this run the four Add-MpPreference calls add path and process exclusions for the dropper and for win64.exe).
Processes: powershell.exe PID 2784, PID 2208, PID 2936, PID 2780
Drops startup file (2 IoCs)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win64.lnk (by a788a5b401661ff1c3eedd21d679ccaf39a35cb1a5a814773b1e4ded48de890c.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win64.lnk (by a788a5b401661ff1c3eedd21d679ccaf39a35cb1a5a814773b1e4ded48de890c.exe)
Executes dropped EXE (2 IoCs)
- PID 1476 win64.exe
- PID 1736 win64.exe
Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\win64 = "C:\Users\Admin\AppData\Roaming\win64.exe" (by a788a5b401661ff1c3eedd21d679ccaf39a35cb1a5a814773b1e4ded48de890c.exe)
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
- flow 4: ip-api.com
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (5 IoCs)
- PID 2784, PID 2208, PID 2936, PID 2780 powershell.exe
- PID 2716 a788a5b401661ff1c3eedd21d679ccaf39a35cb1a5a814773b1e4ded48de890c.exe
Suspicious use of AdjustPrivilegeToken (8 IoCs)
- Token SeDebugPrivilege: PID 2716 a788a5b401661ff1c3eedd21d679ccaf39a35cb1a5a814773b1e4ded48de890c.exe (two events)
- Token SeDebugPrivilege: PID 2784, PID 2208, PID 2936, PID 2780 powershell.exe
- Token SeDebugPrivilege: PID 1476, PID 1736 win64.exe
Suspicious use of SetWindowsHookEx (1 IoC)
- PID 2716 a788a5b401661ff1c3eedd21d679ccaf39a35cb1a5a814773b1e4ded48de890c.exe
Suspicious use of WriteProcessMemory (21 IoCs)
- PID 2716 a788a5b401661ff1c3eedd21d679ccaf39a35cb1a5a814773b1e4ded48de890c.exe wrote to PID 2784 powershell.exe (3 events)
- PID 2716 a788a5b401661ff1c3eedd21d679ccaf39a35cb1a5a814773b1e4ded48de890c.exe wrote to PID 2208 powershell.exe (3 events)
- PID 2716 a788a5b401661ff1c3eedd21d679ccaf39a35cb1a5a814773b1e4ded48de890c.exe wrote to PID 2936 powershell.exe (3 events)
- PID 2716 a788a5b401661ff1c3eedd21d679ccaf39a35cb1a5a814773b1e4ded48de890c.exe wrote to PID 2780 powershell.exe (3 events)
- PID 2716 a788a5b401661ff1c3eedd21d679ccaf39a35cb1a5a814773b1e4ded48de890c.exe wrote to PID 2328 schtasks.exe (3 events)
- PID 1980 taskeng.exe wrote to PID 1476 win64.exe (3 events)
- PID 1980 taskeng.exe wrote to PID 1736 win64.exe (3 events)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\a788a5b401661ff1c3eedd21d679ccaf39a35cb1a5a814773b1e4ded48de890c.exe (PID 2716)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a788a5b401661ff1c3eedd21d679ccaf39a35cb1a5a814773b1e4ded48de890c.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2784)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a788a5b401661ff1c3eedd21d679ccaf39a35cb1a5a814773b1e4ded48de890c.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2208)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'a788a5b401661ff1c3eedd21d679ccaf39a35cb1a5a814773b1e4ded48de890c.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2936)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\win64.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2780)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'win64.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  Child: C:\Windows\System32\schtasks.exe (PID 2328)
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "win64" /tr "C:\Users\Admin\AppData\Roaming\win64.exe"
    - Scheduled Task/Job: Scheduled Task
C:\Windows\system32\taskeng.exe (PID 1980)
  Command line: taskeng.exe {834A401C-7A77-4CF9-900E-BC881F4C0416} S-1-5-21-268080393-3149932598-1824759070-1000:UHRQKJCP\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  Child: C:\Users\Admin\AppData\Roaming\win64.exe (PID 1476)
    Command line: C:\Users\Admin\AppData\Roaming\win64.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  Child: C:\Users\Admin\AppData\Roaming\win64.exe (PID 1736)
    Command line: C:\Users\Admin\AppData\Roaming\win64.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
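The process tree above, together with the Run-key and scheduled-task signatures, is a compact picture of how this dropper persists and blinds Defender: four PowerShell children adding Add-MpPreference exclusions for the dropper and for win64.exe, one schtasks.exe child creating a "win64" task that re-launches the AppData copy every minute at the highest run level, a Run value pointing into AppData, and the dropped win64.exe later started under taskeng.exe. The following triage script is an added example, not part of the sandbox report or of any vendor tooling: it runs detection logic for those four patterns over constructed process and registry records modelled on the report's own tree (PIDs, paths and command lines as reported). The record layout (Proc, RegWrite), the helper names and the thresholds are assumptions made for the example.

```python
"""Triage helper for the behaviour chain in this report: PowerShell-driven
Defender exclusions, a minute-interval schtasks job at highest run level, a
Run-key value pointing into AppData, and LOLBins spawned by a binary that
lives in a user-writable directory. Added example; the record layout and the
telemetry below are constructed from the report's process tree (assumptions)."""
import re
from dataclasses import dataclass

SAMPLE = "a788a5b401661ff1c3eedd21d679ccaf39a35cb1a5a814773b1e4ded48de890c.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SCHTASKS = r"C:\Windows\System32\schtasks.exe"
TEMP_SAMPLE = r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE
DROP = r"C:\Users\Admin\AppData\Roaming\win64.exe"


@dataclass
class Proc:            # one process-creation record (layout is an assumption)
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class RegWrite:        # one registry value-set record (layout is an assumption)
    pid: int
    key: str
    data: str


def ps_exclusion(kind, target):
    """Command-line shape the report shows for each Add-MpPreference call."""
    return f'"{PS}" -ExecutionPolicy Bypass Add-MpPreference -Exclusion{kind} \'{target}\''


# Constructed telemetry mirroring the report's process tree (PIDs as reported).
PROCS = [
    Proc(2716, 1, TEMP_SAMPLE, f'"{TEMP_SAMPLE}"'),
    Proc(2784, 2716, PS, ps_exclusion("Path", TEMP_SAMPLE)),
    Proc(2208, 2716, PS, ps_exclusion("Process", SAMPLE)),
    Proc(2936, 2716, PS, ps_exclusion("Path", DROP)),
    Proc(2780, 2716, PS, ps_exclusion("Process", "win64.exe")),
    Proc(2328, 2716, SCHTASKS,
         f'"{SCHTASKS}" /create /f /RL HIGHEST /sc minute /mo 1 /tn "win64" /tr "{DROP}"'),
    Proc(1980, 1, r"C:\Windows\system32\taskeng.exe", "taskeng.exe {834A401C-7A77-4CF9-900E-BC881F4C0416}"),
    Proc(1476, 1980, DROP, DROP),
    Proc(1736, 1980, DROP, DROP),
]
REGS = [
    RegWrite(2716, r"\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000"
                   r"\Software\Microsoft\Windows\CurrentVersion\Run\win64", DROP),
]

EXCL_RE = re.compile(r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)\s+'([^']+)'", re.I)
OPT_RE = re.compile(r'/(\w+)(?:\s+(?!/)("[^"]*"|\S+))?')   # schtasks /switch [value]
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)
LOLBINS = {"powershell.exe", "schtasks.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def schtasks_opts(cmdline):
    """Parse schtasks switches into a dict; valueless switches map to True."""
    return {n.lower(): (v.strip('"') if v else True) for n, v in OPT_RE.findall(cmdline)}


def find_defender_exclusions(procs):
    hits = []
    for p in procs:
        if basename(p.image) == "powershell.exe":
            for kind, target in EXCL_RE.findall(p.cmdline):
                hits.append({"pid": p.pid, "ppid": p.ppid, "kind": kind, "target": target})
    return hits


def find_scheduled_persistence(procs, max_minutes=5):
    """Flag /create jobs that fire every few minutes, run elevated, or point into AppData."""
    hits = []
    for p in procs:
        if basename(p.image) != "schtasks.exe":
            continue
        o = schtasks_opts(p.cmdline)
        if "create" not in o:
            continue
        reasons, mo = [], str(o.get("mo", "1"))
        if str(o.get("sc", "")).lower() == "minute" and mo.isdigit() and int(mo) <= max_minutes:
            reasons.append(f"re-launched every {mo} minute(s)")
        if str(o.get("rl", "")).upper() == "HIGHEST":
            reasons.append("requests highest run level")
        if USER_WRITABLE.search(str(o.get("tr", ""))):
            reasons.append("task action lives under a user-writable AppData path")
        if reasons:
            hits.append({"pid": p.pid, "task": o.get("tn"), "action": o.get("tr"), "reasons": reasons})
    return hits


def find_run_key_persistence(regs):
    return [{"pid": r.pid, "key": r.key, "data": r.data} for r in regs
            if re.search(r"\\CurrentVersion\\Run\\", r.key, re.I) and USER_WRITABLE.search(r.data)]


def find_lolbins_from_user_dirs(procs):
    """A parent image under AppData spawning powershell/schtasks: the dropper's own pattern."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        if parent and USER_WRITABLE.search(parent.image) and basename(p.image) in LOLBINS:
            hits.append((parent.pid, p.pid, basename(p.image)))
    return hits


def triage(procs, regs):
    return {
        "defender_exclusions": find_defender_exclusions(procs),
        "scheduled_tasks": find_scheduled_persistence(procs),
        "run_keys": find_run_key_persistence(regs),
        "lolbin_children": find_lolbins_from_user_dirs(procs),
    }


if __name__ == "__main__":
    for name, hits in triage(PROCS, REGS).items():
        print(f"{name}: {len(hits)} hit(s)")
        for h in hits:
            print("   ", h)
```

Against the constructed records this reports four Defender exclusions (two path, two process), one scheduled task with all three reasons, one Run value and five LOLBin children of the dropper. The schtasks parser is deliberately switch-based rather than a whole-string match, so it also catches variants that reorder the switches or change the task name; the frequency and run-level checks are the ones worth keeping even when the dropped filename changes.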
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: 0aa4812d0baa902d93c91d0abb0ad24f
SHA1: a409831639979d9eada58086337ed8d95fb6a885
SHA256: 33af2dd9e6383720afcc2ab8b6f05b6138836d6480372017693259665a2e0b3d
SHA512: 235566fe347c97ea0379412617cdc6fae932f969c5fa046499e91b0d9c95c398fa09754f23d9a9d5b4daa665848d5faa729a9b8becda2640a3c1b54f2b214696
(unnamed in the report; the hashes are those of the submitted sample)
Filesize: 121KB
MD5: 5ad0a139daa10def6783d34a578882eb
SHA1: 8cbeb48832356f7cff9b1370ece879d72b8eb156
SHA256: a788a5b401661ff1c3eedd21d679ccaf39a35cb1a5a814773b1e4ded48de890c
SHA512: 2cbd28e71e57b1fa051231565074afeaaacb6332c831e861be45e98eab1d1f1fc0519ddbace3f2f2f24d9a97d8dd767bcfadd827dfb81e960bcc7b73cb5b3b84