Resubmissions
29-07-2024 08:54
240729-ktxvssvcpc 10Analysis
-
max time kernel
17s -
max time network
45s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
29-07-2024 08:54
Static task
static1
General
-
Target
Loader.exe
-
Size
7.6MB
-
MD5
aa16f3774491b600121545a5f194cefc
-
SHA1
c872fe765ecff1dada8378ad8a12cd5cf0425219
-
SHA256
c0a2b824a0fd05854818bfb81b02bc6178db3f8519807b15d844580099428e1d
-
SHA512
8b50e7c6eca25ecc2196fbfaf42079873e3c532a90e8d8b691fb594da3e067593f86f0d6488d0c314a27d78519f33fcbfb4532f811997891d55a47d582e1b3a8
-
SSDEEP
196608:8G46NbTO5uFqiXBIaqVCbB9+FsdH6HBiE555x:8G46N3O5uciXBvq09+wC/Hr
Malware Config
Extracted
xworm
147.185.221.16:60401
-
Install_directory
%LocalAppData%
-
install_file
svchost.exe
Extracted
44caliber
https://discord.com/api/webhooks/1267250103538810911/_8BMipnmgDV4n-Uu_YmzeHrxrFFQPSAoBBDlwlDVhsDsk_31uQMADxZw-pq563wCO5KV
Signatures
-
Detect Xworm Payload 2 IoCs
resource yara_rule behavioral1/files/0x00080000000234c6-6.dat family_xworm behavioral1/memory/948-21-0x0000000000BA0000-0x0000000000BB6000-memory.dmp family_xworm -
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 3252 powershell.exe 4212 powershell.exe 4396 powershell.exe 3188 powershell.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation Loader.exe Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation loaderr.exe -
Executes dropped EXE 2 IoCs
pid Process 948 loaderr.exe 1476 fixer.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 6 freegeoip.app 7 ip-api.com 9 freegeoip.app -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 fixer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier fixer.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2412 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid Process 1476 fixer.exe 1476 fixer.exe 1476 fixer.exe 3252 powershell.exe 3252 powershell.exe 1476 fixer.exe 4212 powershell.exe 4212 powershell.exe 4396 powershell.exe 4396 powershell.exe 3188 powershell.exe 3188 powershell.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeDebugPrivilege 948 loaderr.exe Token: SeDebugPrivilege 1476 fixer.exe Token: SeDebugPrivilege 3252 powershell.exe Token: SeDebugPrivilege 4212 powershell.exe Token: SeDebugPrivilege 4396 powershell.exe Token: SeDebugPrivilege 3188 powershell.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 3232 wrote to memory of 948 3232 Loader.exe 86 PID 3232 wrote to memory of 948 3232 Loader.exe 86 PID 3232 wrote to memory of 1476 3232 Loader.exe 87 PID 3232 wrote to memory of 1476 3232 Loader.exe 87 PID 948 wrote to memory of 3252 948 loaderr.exe 91 PID 948 wrote to memory of 3252 948 loaderr.exe 91 PID 948 wrote to memory of 4212 948 loaderr.exe 93 PID 948 wrote to memory of 4212 948 loaderr.exe 93 PID 948 wrote to memory of 4396 948 loaderr.exe 95 PID 948 wrote to memory of 4396 948 loaderr.exe 95 PID 948 wrote to memory of 3188 948 loaderr.exe 97 PID 948 wrote to memory of 3188 948 loaderr.exe 97
Processes
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3232 -
C:\Users\Admin\AppData\Local\Temp\loaderr.exe"C:\Users\Admin\AppData\Local\Temp\loaderr.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:948 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\loaderr.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3252
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'loaderr.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4212
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\svchost.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4396
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3188
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Local\svchost.exe"3⤵
- Scheduled Task/Job: Scheduled Task
PID:2412
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixer.exe"C:\Users\Admin\AppData\Local\Temp\fixer.exe"2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1476
-
-
C:\Users\Admin\AppData\Local\svchost.exeC:\Users\Admin\AppData\Local\svchost.exe1⤵PID:3500
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD51a83355810062b93e566f0bbe7a760ac
SHA127f4bd9e070397e83cb0e4b4b11a40028d83a639
SHA25628a45c2f4bf900f05679ac65e44fef62bdeb60b4500b955ec3d07901aefeb884
SHA5123d10271bcced28a7c76e713b9e0c8385cd919480d300e79c24b18f5d294c81873f6cad579cb547d718fa2b15fc2e154733098848fff02154a7a5d30525f892eb
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD528d4235aa2e6d782751f980ceb6e5021
SHA1f5d82d56acd642b9fc4b963f684fd6b78f25a140
SHA2568c66720f953e82cfbd8f00543c42c0cf77c3d97787ec09cb3e1e2ba5819bd638
SHA512dba1bd6600f5affcfdc33a59e7ac853ee5fdfafb8d1407a1768728bd4f66ef6b49437214716b7e33e3de91d7ce95709050a3dab4354dd62acaf1de28107017a2
-
Filesize
944B
MD59bc110200117a3752313ca2acaf8a9e1
SHA1fda6b7da2e7b0175b391475ca78d1b4cf2147cd3
SHA256c88e4bbb64f7fa31429ebe82c1cf07785c44486f37576f783a26ac856e02a4eb
SHA5121f1af32aa18a8cbfcc65b0d4fb7e6ca2705f125eaa85789e981ee68b90c64522e954825abf460d4b4f97567715dfae8d9b0a25a4d54d10bc4c257c472f2e80fb
-
Filesize
944B
MD5120c6c9af4de2accfcff2ed8c3aab1af
SHA1504f64ae4ac9c4fe308a6a50be24fe464f3dad95
SHA256461315e4057c3fa4d0031df3f7e6511914f082698b6c41f5c2ada831ceffb222
SHA512041712168718dff702da8203b4089b2e57db98ce503b8ecf36809dec0cd7a595a0d427caa960bc1bd29cbedc85ad3262773f2077a476b85aca387d48f7b07ba2
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
274KB
MD588505913c2c75f796c9a021aab2d356d
SHA15b5c06998d3e200c21c77ea4efaeaecdc7344e78
SHA25662e414e990e80c8203955b0e32948ddc64903b80a462c339f1babfb03e641204
SHA5126fa46be04c2693ea164fe52ddf3cca0bdafd1ab34d8c0f1c2bf3d361c6042f45375343f59e9474ded6718f8177a4f7eb19fddccd95f7fbb87aad12358b2d6905
-
Filesize
65KB
MD595f8f28f5a8503461db6804cda9c4934
SHA181c0a30e498093d41948777135bbd407c7611cda
SHA256aa40b9b929868482be1daae474d7c93426cd049f844c956865709ff8b7f240c2
SHA5125c3460372a6640a98dd1b1d34a03b951ec4a8942e9065475e982a207881f290aedc3b51fe73c0da4c527e222addd1de2be7ba541e82287e43e16fc544ab34461