Analysis
-
max time kernel
113s -
max time network
118s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
-
submitted
10-07-2024 12:30
General
-
Target
Crack.exe
-
Size
83KB
-
MD5
fafdca52fa2f2e543c82157ab5bd3abe
-
SHA1
66b2fa2d9b1e58a67723fe98c08352f1668ea561
-
SHA256
fdd41c041dd827148ad8a15c521255c017f1977522a90ef4e94fb898c2a04477
-
SHA512
28869228921b62f13a1975a75f9956909024fd5e59ff1a61152a38feb0cfcb128d76c4a6477b8b8701073e8faa0343612b2cdb94f24fd0ff73f04f98a4a7e561
-
SSDEEP
1536:TOgd9x9J64t5dY63G6IPLh0i6a+bai0bqkTkF6UoBnO0cXSeUd:/9J5uEOh6a+baNOkTkQnOXHy
Malware Config
Extracted
xworm
connection-elect.gl.at.ply.gg:37777
-
Install_directory
%AppData%
-
install_file
Crack.exe
Signatures
-
Detect Xworm Payload 2 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 22 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 35 IoCs
-
Suspicious use of SendNotifyMessage 35 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 10 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Crack.exe"C:\Users\Admin\AppData\Local\Temp\Crack.exe"1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Crack.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Crack.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Crack.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Crack.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Crack" /tr "C:\Users\Admin\AppData\Roaming\Crack.exe"2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Roaming\Crack.exeC:\Users\Admin\AppData\Roaming\Crack.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Roaming\Crack.exeC:\Users\Admin\AppData\Roaming\Crack.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
654B
MD516c5fce5f7230eea11598ec11ed42862
SHA175392d4824706090f5e8907eee1059349c927600
SHA25687ba77c13905298acbac72be90949c4fe0755b6eff9777615aa37f252515f151
SHA512153edd6da59beea6cc411ed7383c32916425d6ebb65f04c65aab7c1d6b25443d143aa8449aa92149de0ad8a975f6ecaa60f9f7574536eec6b38fe5fd3a6c6adc
-
Filesize
3KB
MD5ad5cd538ca58cb28ede39c108acb5785
SHA11ae910026f3dbe90ed025e9e96ead2b5399be877
SHA256c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033
SHA512c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13
-
Filesize
1KB
MD5fcb83416686231654942728172d8ba1e
SHA1ffd0ee09dec4d66e8c211cb9ccd99b854e1f9760
SHA25693a594303a6dc748349cc904fb5228741a71bf7562e53ef88fa106eb2577fbaa
SHA51272238f2373d9816228d74f21762ad6afbb5fe91e3b38de3384001ab98f87de3d1a89f10f53d01f24b1595885f720a19cc07adeebb9a691be3723fbb9dd783997
-
Filesize
1KB
MD50098df8ed31e9e8c46f9cf3e915fd432
SHA10ed488512c3df40685aaf20dafd0296077d50bf9
SHA256496d2fb51dbd01e1c57c60622486980d8bf385e4a744b3fd00ceffa9d5d49732
SHA5123a54df779a5e3379a8d2506c4ac984bc95fab89423e8b152c52e890439afaaa13b8ec436eaf76bd439b5e744c6137c12a36eb05aa810642b1764ec29fa0046d8
-
Filesize
1KB
MD580b8902782f5462a10a0c8211472d125
SHA17c141cdcaa8a5e5e7e183795bdd74d26371947b6
SHA2565420bfb7358267b2d9975668e956d72fa055cc8e5c6372ffbbcb28bab7f1bc61
SHA5124521207b84309f638e694ea6d006b709dd3ba365ecd544baa8fa36e6467cf6556db9bfaab44c092aa2dd69a3aeee7e5d7e49a33dd200455eb00a0e6b8a3df1c1
-
Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
Filesize
83KB
MD5fafdca52fa2f2e543c82157ab5bd3abe
SHA166b2fa2d9b1e58a67723fe98c08352f1668ea561
SHA256fdd41c041dd827148ad8a15c521255c017f1977522a90ef4e94fb898c2a04477
SHA51228869228921b62f13a1975a75f9956909024fd5e59ff1a61152a38feb0cfcb128d76c4a6477b8b8701073e8faa0343612b2cdb94f24fd0ff73f04f98a4a7e561
-
Filesize
759B
MD5bc93ad06d49df7b33daadcb348f26b15
SHA122f0ad774a782a62720f2c955b2d55327471ca5b
SHA256ca450de834808efca47473eb0f0e2cd9da1352a5b3b3770d4f2a2fe2903104a4
SHA51207a2d08cbffb3daa65c5e274f04822b2f2aa753daded59c7494432dbef316a60339c9d72ff6f7eee6c2c400a009c4e1b9458626a501af406b72f329e3401cca4
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
472KB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
136KB
-
Filesize
4KB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
48KB
-
Filesize
112KB