Analysis
-
max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags
arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted
29-06-2024 01:46
Static task
static1
Behavioral task
behavioral1
Sample
cb22cebed97d6363239f63cf28816b8a8c06977c6d8625a43a61f0afa8823b26.exe
Resource
win7-20240419-en
General
-
Target
cb22cebed97d6363239f63cf28816b8a8c06977c6d8625a43a61f0afa8823b26.exe
-
Size
748KB
-
MD5
457143901d9ca2f0bc836c1dd1faefe3
-
SHA1
11e554dcfca0dd51c5bfe92d35b9c13b21b81691
-
SHA256
cb22cebed97d6363239f63cf28816b8a8c06977c6d8625a43a61f0afa8823b26
-
SHA512
0bd04e37e8f3bb869783661972b83ec8fb6b06727eff27374d2855e714b31cd51b15ada8e46d8b09eda9367dd002f65436785b7962f80f5812396aff3c03c0d0
-
SSDEEP
12288:Ykpcy+P2t8ysP8ZURBmtxjlk/u6ntgJ2E3P0DtaxoisMLHsXxteTX:Ykpcy5tVZqBmTji/PQP0Zaxd5LHxT
Malware Config
Extracted
xworm
head-experimental.gl.at.ply.gg:46178
best-bird.gl.at.ply.gg:27196
super-nearest.gl.at.ply.gg:17835
wiz.bounceme.net:6000
-
install_file
USB.exe
Extracted
quasar
3.1.5
Slave
stop-largely.gl.at.ply.gg:27116
$Sxr-kl1r656AGsPQksTmi8
-
encryption_key
ql4fQ8TV9ZFP9vRX2myA
-
install_name
$sxr~Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
$77STARTUP~MSF
-
subdirectory
$sxr~SubDir
Extracted
asyncrat
Default
finally-grande.gl.at.ply.gg:25844
-
delay
1
-
install
false
-
install_folder
%AppData%
Signatures
-
Detect Xworm Payload 7 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\Part1.exe | family_xworm
behavioral2/memory/3896-21-0x0000000000E50000-0x0000000000E68000-memory.dmp | family_xworm
C:\Users\Admin\AppData\Local\Temp\Part 1.exe | family_xworm
behavioral2/memory/2212-60-0x00000000007A0000-0x00000000007B8000-memory.dmp | family_xworm
behavioral2/memory/3784-86-0x0000000000B00000-0x0000000000B1A000-memory.dmp | family_xworm
C:\Users\Admin\AppData\Local\Temp\Part 4.exe | family_xworm
behavioral2/memory/2212-167-0x000000001D740000-0x000000001D74E000-memory.dmp | family_xworm
Quasar payload 2 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\Part 2.exe | family_quasar
behavioral2/memory/4548-87-0x0000000000150000-0x00000000001BC000-memory.dmp | family_quasar
Async RAT payload 1 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\Part 3.exe | family_asyncrat
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
pid | process
2736 | powershell.exe
2024 | powershell.exe
4604 | powershell.exe
2304 | powershell.exe
4880 | powershell.exe
1576 | powershell.exe
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | cb22cebed97d6363239f63cf28816b8a8c06977c6d8625a43a61f0afa8823b26.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | Part2.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | Part 1.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | Part1.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | Part 4.exe
Executes dropped EXE 7 IoCs
Processes:
pid | process
3896 | Part1.exe
3700 | Part2.exe
2212 | Part 1.exe
4548 | Part 2.exe
5012 | Part 3.exe
3784 | Part 4.exe
656 | Windows PowerShell.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
12 | ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
656 | Windows PowerShell.exe (this identical row is repeated 64 times in the report, one per enumeration event)
Suspicious use of AdjustPrivilegeToken 15 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 656 | Windows PowerShell.exe
Token: SeDebugPrivilege | 2212 | Part 1.exe
Token: SeDebugPrivilege | 5012 | Part 3.exe
Token: SeDebugPrivilege | 4548 | Part 2.exe
Token: SeDebugPrivilege | 3896 | Part1.exe
Token: SeDebugPrivilege | 2024 | powershell.exe
Token: SeDebugPrivilege | 3784 | Part 4.exe
Token: SeDebugPrivilege | 4604 | powershell.exe
Token: SeDebugPrivilege | 2304 | powershell.exe
Token: SeDebugPrivilege | 2212 | Part 1.exe
Token: SeDebugPrivilege | 4880 | powershell.exe
Token: SeDebugPrivilege | 1576 | powershell.exe
Token: SeDebugPrivilege | 3896 | Part1.exe
Token: SeDebugPrivilege | 2736 | powershell.exe
Token: SeDebugPrivilege | 3784 | Part 4.exe
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
pid | process
4548 | Part 2.exe
2212 | Part 1.exe
3896 | Part1.exe
3784 | Part 4.exe
Suspicious use of WriteProcessMemory 31 IoCs
Processes:
description | pid | process | target process
PID 952 wrote to memory of 3896 | 952 | cb22cebed97d6363239f63cf28816b8a8c06977c6d8625a43a61f0afa8823b26.exe | Part1.exe
PID 952 wrote to memory of 3896 | 952 | cb22cebed97d6363239f63cf28816b8a8c06977c6d8625a43a61f0afa8823b26.exe | Part1.exe
PID 952 wrote to memory of 3700 | 952 | cb22cebed97d6363239f63cf28816b8a8c06977c6d8625a43a61f0afa8823b26.exe | Part2.exe
PID 952 wrote to memory of 3700 | 952 | cb22cebed97d6363239f63cf28816b8a8c06977c6d8625a43a61f0afa8823b26.exe | Part2.exe
PID 3700 wrote to memory of 2212 | 3700 | Part2.exe | Part 1.exe
PID 3700 wrote to memory of 2212 | 3700 | Part2.exe | Part 1.exe
PID 3700 wrote to memory of 4548 | 3700 | Part2.exe | Part 2.exe
PID 3700 wrote to memory of 4548 | 3700 | Part2.exe | Part 2.exe
PID 3700 wrote to memory of 4548 | 3700 | Part2.exe | Part 2.exe
PID 3700 wrote to memory of 5012 | 3700 | Part2.exe | Part 3.exe
PID 3700 wrote to memory of 5012 | 3700 | Part2.exe | Part 3.exe
PID 3700 wrote to memory of 3784 | 3700 | Part2.exe | Part 4.exe
PID 3700 wrote to memory of 3784 | 3700 | Part2.exe | Part 4.exe
PID 3700 wrote to memory of 656 | 3700 | Part2.exe | Windows PowerShell.exe
PID 3700 wrote to memory of 656 | 3700 | Part2.exe | Windows PowerShell.exe
PID 3700 wrote to memory of 656 | 3700 | Part2.exe | Windows PowerShell.exe
PID 2212 wrote to memory of 2024 | 2212 | Part 1.exe | powershell.exe
PID 2212 wrote to memory of 2024 | 2212 | Part 1.exe | powershell.exe
PID 4548 wrote to memory of 1372 | 4548 | Part 2.exe | schtasks.exe
PID 4548 wrote to memory of 1372 | 4548 | Part 2.exe | schtasks.exe
PID 4548 wrote to memory of 1372 | 4548 | Part 2.exe | schtasks.exe
PID 3896 wrote to memory of 4604 | 3896 | Part1.exe | powershell.exe
PID 3896 wrote to memory of 4604 | 3896 | Part1.exe | powershell.exe
PID 2212 wrote to memory of 2304 | 2212 | Part 1.exe | powershell.exe
PID 2212 wrote to memory of 2304 | 2212 | Part 1.exe | powershell.exe
PID 3896 wrote to memory of 4880 | 3896 | Part1.exe | powershell.exe
PID 3896 wrote to memory of 4880 | 3896 | Part1.exe | powershell.exe
PID 3784 wrote to memory of 1576 | 3784 | Part 4.exe | powershell.exe
PID 3784 wrote to memory of 1576 | 3784 | Part 4.exe | powershell.exe
PID 3784 wrote to memory of 2736 | 3784 | Part 4.exe | powershell.exe
PID 3784 wrote to memory of 2736 | 3784 | Part 4.exe | powershell.exe
Processes
C:\Users\Admin\AppData\Local\Temp\cb22cebed97d6363239f63cf28816b8a8c06977c6d8625a43a61f0afa8823b26.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\cb22cebed97d6363239f63cf28816b8a8c06977c6d8625a43a61f0afa8823b26.exe"
  PID: 952
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\Part1.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Part1.exe"
      PID: 3896
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Part1.exe'
          PID: 4604
          - Command and Scripting Interpreter: PowerShell
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Part1.exe'
          PID: 4880
          - Command and Scripting Interpreter: PowerShell
          - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\Part2.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Part2.exe"
      PID: 3700
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\Part 1.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\Part 1.exe"
          PID: 2212
          - Checks computer location settings
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory

            C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Part 1.exe'
              PID: 2024
              - Command and Scripting Interpreter: PowerShell
              - Suspicious use of AdjustPrivilegeToken

            C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Part 1.exe'
              PID: 2304
              - Command and Scripting Interpreter: PowerShell
              - Suspicious use of AdjustPrivilegeToken

        C:\Users\Admin\AppData\Local\Temp\Part 2.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\Part 2.exe"
          PID: 4548
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\schtasks.exe
              Command line: "schtasks" /create /tn "$77STARTUP~MSF" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Part 2.exe" /rl HIGHEST /f
              PID: 1372
              - Scheduled Task/Job: Scheduled Task

        C:\Users\Admin\AppData\Local\Temp\Part 3.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\Part 3.exe"
          PID: 5012
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken

        C:\Users\Admin\AppData\Local\Temp\Part 4.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\Part 4.exe"
          PID: 3784
          - Checks computer location settings
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory

            C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Part 4.exe'
              PID: 1576
              - Command and Scripting Interpreter: PowerShell
              - Suspicious use of AdjustPrivilegeToken

            C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Part 4.exe'
              PID: 2736
              - Command and Scripting Interpreter: PowerShell
              - Suspicious use of AdjustPrivilegeToken

        C:\Users\Admin\AppData\Local\Temp\Windows PowerShell.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\Windows PowerShell.exe"
          PID: 656
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads